
Update module github.com/nats-io/nats-server/v2 to v2.9.23 [SECURITY] #36

Open: wants to merge 1 commit into main
Conversation

renovate[bot]

@renovate renovate bot commented Aug 6, 2024

This PR contains the following updates:

| Package | Change |
|---|---|
| github.com/nats-io/nats-server/v2 | v2.9.17 -> v2.9.23 |

GitHub Vulnerability Alerts

CVE-2023-47090

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

NATS users exist within accounts, and once using accounts, the old authorization block is not applicable.

Problem Description

Without any authorization rules in the nats-server, users can connect without authentication.

Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block.

If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. When the only account added is the system account "$SYS", the nats-server would create an implicit user in "$G" and set it as the no_auth_user account, enabling the same "without authentication" logic as without any rules.

This preserved the ability to connect simply, and then add one authenticated login for system access.

But with an "authorization" block, this is wrong. Users exist in the global account, with login rules. And in simple testing, they might still connect fine without administrators seeing that authentication has been disabled.

The blind-spot on our part came from encouraging and documenting a switch to using only "accounts", instead of "authorization".

In the fixed versions, using an "authorization" block will inhibit the implicit creation of a "$G" user and setting it as the no_auth_user target. In unfixed versions, just creating a second account, with no users, will also inhibit this behavior.

Affected versions

NATS Server:

  • 2.2.0 up to and including 2.9.22 and 2.10.1
  • Fixed with nats-io/nats-server: 2.10.2 and backported to 2.9.23

Workarounds

In the "accounts" block, define a second non-system account, leave it empty.

```
accounts {
    SYS: {
        users: [
            { user: sysuser, password: makemeasandwich }
        ]
    }
    DUMMY: {}  # for security, before 2.10.2
}
system_account: SYS
```

Solution

Any one of these:

  1. Upgrade the NATS server to at least 2.10.2 (or 2.9.23)
  2. Or define a dummy account
  3. Or complete the migration of authorization entries to be inside a named account in the "accounts" block
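A small configuration audit for the pattern the advisory describes, added here as an example and not code from the advisory, the nats-server project or Renovate. It extracts the `accounts` and `authorization` blocks with a brace-counting scan (a deliberate simplification of the real config parser: an `authorization` block nested inside another section, such as a leafnode listener, would be counted as the top-level one) and reports whether the config makes the server create the implicit `$G` no_auth_user. Sample configs are constructed; the checker assumes `$SYS` as the system account name when `system_account` is unset.

```python
import re
NAME = r'"?([A-Za-z0-9_$]+)"?'  # block/account names, optionally quoted

def extract_block(conf, name):
    """Body of the first `name { ... }` block, found by brace counting (None if absent)."""
    m = re.search(r'(?m)^\s*' + re.escape(name) + r'\s*[:=]?\s*\{', conf)
    if not m:
        return None
    depth, start = 0, m.end()
    for i in range(m.end() - 1, len(conf)):
        depth += (conf[i] == '{') - (conf[i] == '}')
        if depth == 0:
            return conf[start:i]
    return None  # unbalanced braces: treat as absent

def top_level_keys(body):
    """Names that open a nested block at depth 0 of `body` (here: the account names)."""
    keys, depth = [], 0
    for line in body.splitlines():
        stripped = line.split('#', 1)[0].strip()  # drop trailing comments
        if depth == 0 and (m := re.match(NAME + r'\s*[:=]?\s*\{', stripped)):
            keys.append(m.group(1))
        depth += stripped.count('{') - stripped.count('}')
    return keys

def assess(conf):
    """Flag an accounts block whose only account is the system account: the server then
    creates an implicit $G user as no_auth_user, silently bypassing any authorization block."""
    accounts = extract_block(conf, 'accounts')
    if accounts is None:
        return {'verdict': 'n/a', 'reason': 'no accounts block: not the affected code path'}
    m = re.search(r'(?m)^\s*system_account\s*[:=]?\s*' + NAME, conf)
    sys_name = m.group(1) if m else '$SYS'  # assumption: $SYS when system_account is unset
    if [k for k in top_level_keys(accounts) if k not in (sys_name, '$SYS')]:
        return {'verdict': 'ok', 'reason': 'non-system account present: no implicit $G user'}
    if extract_block(conf, 'authorization') is not None:
        return {'verdict': 'vulnerable', 'reason': 'authorization block bypassed by implicit $G no_auth_user'}
    return {'verdict': 'open', 'reason': 'implicit $G no_auth_user: unauthenticated by design'}

# Constructed sample: the affected shape (authorization users plus a system-only accounts block).
VULNERABLE_CONF = """
authorization { users = [ { user: alice, password: s3cret } ] }
accounts {
    SYS: { users: [ { user: sysuser, password: makemeasandwich } ] }
}
system_account: SYS
"""
# The advisory's workaround: an empty second account so no implicit $G user is created.
MITIGATED_CONF = VULNERABLE_CONF.replace("}\nsystem_account", "    DUMMY: {}\n}\nsystem_account")
```

Run `assess()` over each server config before and after the upgrade; a `vulnerable` verdict means clients that should have been rejected by the `authorization` block are currently accepted.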

Credits

Problem reported by Alex Herrington.
Addressed publicly in a GitHub Discussion prior to this advisory.


Release Notes

nats-io/nats-server (github.com/nats-io/nats-server/v2)

v2.9.23

Compare Source

Changelog

Go Version
  • 1.20.10
Fixed

Accounts

  • Prevent bypassing authorization block when enabling system account access in accounts block (#4605). Backport from v2.10.2

Leafnodes

  • Prevent a leafnode cluster from receiving a message multiple times in a queue subscription (#4578). Backport from v2.10.2

JetStream

  • Hold lock when calculating the first message for subject in a message block (#4531). Backport from v2.10.0
  • Add self-healing mechanism to detect and delete orphaned Raft groups (#4647). Backport from v2.10.0
  • Prevent forward proposals in consumers after scaling down a stream (#4647). Backport from v2.10.0
  • Fix race condition during leader failover scenarios resulting in potential duplicate messages being sourced (#4592). Backport from v2.10.2
Complete Changes

v2.9.22

Compare Source

Changelog

Go Version
  • 1.20.8 (updated out-of-cycle since Go 1.19 is now EOL)
Dependencies
  • github.com/nats-io/jwt/v2 v2.5.0
  • golang.org/x/crypto v0.12.0
  • golang.org/x/sys v0.11.0
Improved

Monitoring

  • CORS Allow-Origin passthrough for monitoring server (#4423) Thanks to @mdawar for the contribution!

JetStream

  • Improve consumer scaling reliability with filters and cluster restart (#4404)
  • Send event on lame duck mode (LDM) to avoid placing assets on shutting down nodes (#4405)
  • Skip filestore tombstones if downgrade from 2.10 occurs (#4452)
  • Adjust delivered and waiting count when consumer message delivery fails (#4472)
Fixed

Config

Monitoring

  • Fix Content-Type header when /healthz is not 200 OK (#4437) Thanks to @mdawar for the contribution!
  • Fix server /connz idle time sorting (#4463) Thanks to @mdawar for the contribution!
  • Interface conversion bug which could cause a panic when calling /ipqueuesz endpoint (#4477)

Leafnode

  • Fix race condition which could affect propagating interest over leafnode connections (#4464)

JetStream

  • Fix possible deadlock in checking for drift in the usage reporting when storing a message (#4411)
  • Durable pull consumers could get cleaned up incorrectly on leader change (#4412)
  • Moving an R1 stream could sometimes lose all messages (#4413)
  • Prevent peer-remove of an R1 stream which could result in the stream becoming orphaned (#4420)
  • Ensure consumer ack pending is less than max ack pending on state restore (#4427)
  • Ensure to reset election timer when catching up (#4428) Thanks to @yuzhou-nj for the report!
  • Auto step-down Raft leader if an entry is missing on a catchup request (#4432)
  • Fix PurgeEx with keep having deletes in blocks (#4431)
  • Update global subject index when message blocks expire (#4439)
  • Ensure max messages per subject is respected after update (#4446) Thanks to @anthonyjacques20 for the report!
  • Ignore and remove empty message blocks on rebuild (#4447)
  • Fix possible accounting discrepancy on message write (#4455)
  • Fix potential message duplication from stream sources when downgrading from 2.10 (#4454)
  • Check for checksum violations for all records before sequence processing (#4465)
  • Fix message block accounting (#4473)
Complete Changes

v2.9.21

Compare Source

Changelog

Go Version
  • 1.19.12
Dependencies
  • github.com/klauspost/compress v1.16.7
  • github.com/nats-io/nats.go v1.28.0
  • go.uber.org/automaxprocs v1.5.3
  • golang.org/x/crypto v0.11.0
  • golang.org/x/sys v0.10.0
Added

OCSP

  • Add fetch, cache, and verification of client CA's OCSP Response for NATS, WebSocket, and MQTT client mTLS connections (#4362, backported from 2.10)
  • Add bi-directional fetch, cache, and verification of CA OCSP Response for LEAF connections (#4362, backported from 2.10)

See ADR-38 OCSP Peer Verification

General

  • Add UTC log timestamp option (#4331, backported from 2.10)
Improved

JetStream

  • Don't error to server logs if message was deleted for consumer (#4328)
  • Improve publish performance for zero-interest subjects (#4359) Thanks to @antlad for reporting the issue!
  • Sync and reset message rejected count to ensure replicas don't incorrectly discard messages (#4365, #4366)
Fixed

General

  • Leaking memory on usage of getHash() (#4329) Thanks to @VuongUranus for reporting the issue!
  • Server reload with highly active accounts and service imports could cause panic or data loss (#4327)
  • Fix detection of an unusable configuration file (#4358)
    • NOTE: as a side effect of this fix, the server will no longer start up with an empty config file
  • Fix a few system service imports going missing after configuration reload (#4360)

OCSP

  • Fix local-determination of issuer CA at startup (#4362)
  • Remove constraint that all (super)cluster node peers must be issued by the same CA (#4362)

Embedded

  • Don't require TLS for in-process client connection (#4323)

JetStream

  • Fix serializability guarantee for concurrent publish when using expected-last-subject-sequence (#4319)
  • Report correct consumer count in paged list response (#4339)
  • Fix not validating single token filtered consumer (#4338)
  • Fix stream recovery of message block with sequence gaps (#4344)
  • Fix panic when re-calculating first sequence of SimpleState info (#4346)
  • Fix stream store accounting drift (#4357)
Complete Changes

v2.9.20

Compare Source

Changelog

Go Version
  • 1.19.11
Added

Windows

  • Backport 2.10 support for native Windows certificate store (#4268)
Improved

Accounts

  • Allow advisories to be exported/imported across accounts (#4302)

JetStream

  • Optimize consumer create time on streams with a large number of blocks (#4269)
Fixed

Gateways

  • Protect possible data race when reloading accounts (#4274)

Leafnodes

  • Prevent zombie subscriptions which could lead to silent data loss when using queue subscriptions (#4299)

WebSocket

  • Prevent reporting tls_required when tls_available is not set (#4264)

JetStream

  • Prevent corrupting streams actively being restored during health check (#4277) Thank you @vitush93 for the report!
  • Prevent encrypted data attempting to be decrypted with an empty key (#4301)

MQTT

  • Ensure republished messages from streams are received by MQTT subscriptions (#4303)
Complete Changes

v2.9.19

Compare Source

Changelog

Go Version
  • 1.19.10
Improved

JetStream

  • Improve resource utilization when creating mirrors on very high-sequence streams (#4249)
Fixed

WebSocket

  • Ensure INFO properties are populated based on the WebSocket listener when enabled (#4255) Thanks to @Envek for reporting the issue!
Complete Changes

v2.9.18

Compare Source

Changelog

Go Version
  • 1.19.10
Dependency Updates
  • golang.org/x/crypto v0.9.0 (#4236)
  • golang.org/x/sys v0.8.0 (#4236)
  • github.com/nats-io/nats.go v1.27.0 (#4239)
Improved

Monitoring

  • Optimize /statsz locking and sending in standalone mode (#4235)

JetStream

  • Apply ack floor check only for interest-based streams (#4206)
  • Improved efficiency and reduced CPU usage of the consumer ack floor check, particularly when the stream first sequence is a large number (#4226)
  • Improve clean-up phase of R1 consumers on server restart for name reuse (#4216)
  • Optimize "last message lookups" by subject (KV get operations) for small messages (#4232) Thanks to @jjthiessen for reporting the issue!
  • Only enable JetStream account updates in clustered mode (#4233) Thanks to @tpihl for reporting the issue!
Fixed

General

Leafnode

  • Daisy chained leafnodes could have unreliable interest propagation (#4207)
  • Properly distribute requests to queue groups across leafnodes (#4231)

JetStream

Complete Changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate.


renovate bot commented Aug 6, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 5 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/nats-io/nats.go | v1.27.0 -> v1.28.0 |
| github.com/klauspost/compress | v1.16.6 -> v1.16.7 |
| github.com/nats-io/jwt/v2 | v2.4.1 -> v2.5.0 |
| golang.org/x/crypto | v0.10.0 -> v0.12.0 |
| golang.org/x/sys | v0.9.0 -> v0.11.0 |

@renovate renovate bot requested a review from a team as a code owner August 6, 2024 07:58