Backport of xds: return errors from public listener finalization into release/2.0.x#23689
Open
hc-github-team-consul-core wants to merge 2 commits into
Conversation
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes 1 out of 2 committers have signed the CLA.
temp seems not to be a GitHub user. Have you signed the CLA already but the status is still pending? Recheck it. |
* xds: return errors from public listener finalization Return the errors from injectConnectFilters and injectConnectTLSForPublicListener in finalizePublicListenerFromConfig instead of returning nil, so an inbound public listener is never served without L4 intention enforcement or mTLS. The callers already drop the listener when an error is returned. Adds a regression test that fails if either error is swallowed again. Ref: SECVULN-41454 * changelog: add security note for SECVULN-41454 (#23686) * deps: bump go.mongodb.org/mongo-driver from 1.17.4 to 1.17.7 Fixes GHSA-cp6g-7hqx-qxhp (CVE-2026-2303), a heap out-of-bounds read in mongo-go-driver GSSAPI error handling, flagged by the binary/container security scans. Mirrors dependabot PR #23680. * xds: drop internal tracker id from regression test comment
Manishakumari-hc
approved these changes
Jun 24, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport
This PR is auto-generated from #23686 to be assessed for backporting due to the inclusion of the label backport/2.0.
🚨
The person who merged in the original PR is:
@Surabhi-1605
This person should resolve the merge-conflict(s) by either:
The below text is copied from the body of the original PR.
finalizePublicListenerFromConfigpreviously returnednilwhen injecting theL4 intention (RBAC) filter or the mTLS transport socket failed, so the caller's
error handling never triggered. This returns the error from both paths so an inbound
public listener is dropped rather than served without intention enforcement or mTLS.
Adds
TestFinalizePublicListenerFromConfig_PropagatesInjectionErrors, which failsif either error is swallowed again.
Overview of commits