stage v1.21.2 (#22418)

sujay-hashicorp · web-flow · commit 136b9cb8f4a4 · 2025-06-18T13:46:39.000+05:30
* supress container CVEs

* add changelog for v1.21.2

* fix changelog
diff --git a/.changelog/22409.txt b/.changelog/22409.txt
@@ -1,5 +1,5 @@
 ```release-note:security
-Upgrade UBI base image version to address CVE
+security: Upgrade UBI base image version to address CVE
 [CVE-2025-4802](https://access.redhat.com/security/cve/cve-2025-4802)
 [CVE-2024-40896](https://access.redhat.com/security/cve/cve-2024-40896)
 [CVE-2024-12243](https://nvd.nist.gov/vuln/detail/CVE-2024-12243)
diff --git a/.release/security-scan.hcl b/.release/security-scan.hcl
@@ -49,7 +49,11 @@ container {
 				"CVE-2022-49043", # libxml2@0:2.9.13-6.el9_5.2
 				"CVE-2025-46394",
 				"CVE-2024-58251",
-				"CVE-2025-47268"
+				"CVE-2025-47268",
+				"CVE-2025-31115", # xz-libs@0:5.2.5-8.el9_0,
+				"CVE-2024-40896", # libxml2@0:2.9.13-9.el9_6
+				"CVE-2025-3277", # sqlite-libs@0:3.34.1-7.el9_3
+				"CVE-2024-57970" # libarchive@0:3.5.3-4.el9
 			]
 			paths = [
 				"internal/tools/proto-gen-rpc-glue/e2e/consul/*",
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,31 @@
+## 1.21.2 (June 17, 2025)
+
+SECURITY:
+
+* security: Upgrade UBI base image version to address CVE
+[CVE-2025-4802](https://access.redhat.com/security/cve/cve-2025-4802)
+[CVE-2024-40896](https://access.redhat.com/security/cve/cve-2024-40896)
+[CVE-2024-12243](https://nvd.nist.gov/vuln/detail/CVE-2024-12243)
+[CVE-2025-24528](https://access.redhat.com/security/cve/cve-2025-24528)
+[CVE-2025-3277](https://access.redhat.com/security/cve/cve-2025-3277)
+[CVE-2024-12133](https://access.redhat.com/security/cve/cve-2024-12133)
+[CVE-2024-57970](https://access.redhat.com/security/cve/cve-2024-57970)
+[CVE-2025-31115](https://access.redhat.com/security/cve/cve-2025-31115) [[GH-22409](https://github.com/hashicorp/consul/issues/22409)]
+* cli: update tls ca and cert create to reduce excessive file perms for generated public files [[GH-22286](https://github.com/hashicorp/consul/issues/22286)]
+* connect: Added non default namespace and partition checks to ConnectCA CSR requests. [[GH-22376](https://github.com/hashicorp/consul/issues/22376)]
+* security: Upgrade Go to 1.23.10. [[GH-22412](https://github.com/hashicorp/consul/issues/22412)]
+
+IMPROVEMENTS:
+
+* config: Warn about invalid characters in `datacenter` resulting in non-generation of X.509 certificates when using external CA for agent TLS communication. [[GH-22382](https://github.com/hashicorp/consul/issues/22382)]
+* connect: Use net.JoinHostPort for host:port formatting to handle IPv6. [[GH-22359](https://github.com/hashicorp/consul/issues/22359)]
+
+BUG FIXES:
+
+* http: return a clear error when both Service.Service and Service.ID are missing during catalog registration [[GH-22381](https://github.com/hashicorp/consul/issues/22381)]
+* license: (Enterprise only) Fixed issue where usage metrics are not written to the snapshot to export the license data. [[GH-10668](https://github.com/hashicorp/consul/issues/10668)]
+* wan-federation: Fixed an issue where advertised IPv6 addresses were causing WAN federation to fail. [[GH-22226](https://github.com/hashicorp/consul/issues/22226)]
+
 ## 1.21.1 (May 21, 2025)
 
 FEATURES:
diff --git a/version/VERSION b/version/VERSION
@@ -1 +1 @@
-1.21.2-dev
+1.21.2
