OpenTofu


OpenTofu lets you declaratively manage your cloud infrastructure.

Release notes
v1.11.9 · recent

1.11.9

SECURITY ADVISORIES:

  • Previous releases in the v1.11 series could be affected by several vulnerabilities:

    • SSH usage through OpenTofu could hang or panic.
    • Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @revoked.

    These are now fixed by (#4145)

  • If the OpenBao key provider is used for state encryption with wrapping algorithms, it could panic or hang on compromised systems where the JWE is specifically crafted. (#4177)

  • Previous releases in the v1.11 series could be affected by several vulnerabilities:

    • When using SSH connections through OpenTofu, the errors that were returned from attempting a connection could include unescaped input bytes.
    • Running tofu against an attacker-controlled server could result in high CPU consumption.

    These are now fixed by (#4248)

BUG FIXES:

  • Fix race condition while handling closing signals during tofu login, both when the signal is sent by the user and when the browser fails to successfully connect. (#4016)
  • Prevent panic when using ephemeral resources during tofu test. (#4254)

Full Changelog: https://github.com/opentofu/opentofu/compare/v1.11.8...v1.11.9