Nacos 1.4.1 released, fixing a security vulnerability in which a crafted User-Agent could bypass all authentication

Nacos 1.4.1 has been released. The main new features of this version are support for IPv6 service registration and UDP push support for the C# client.

More noteworthy is that 1.4.1 fixes the previously disclosed authentication bypass vulnerability (#4593). According to the release note, server identity authentication was added to replace the User-Agent whitelist mechanism, under which requests carrying a whitelisted User-Agent were treated as trusted and skipped authentication.
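The switch from the User-Agent whitelist to server identity authentication is a configuration change on each server node. The fragment below is an added example of the relevant section of `conf/application.properties` on a 1.4.1 server; it is not taken from the original article or from the Nacos release notes, and the header name and secret value are placeholders. Two points a practitioner should check: Nacos authentication is off by default (`nacos.core.auth.enabled=false`), so the fix changes nothing until it is turned on, and the 1.4.1 upgrade keeps the legacy whitelist switch available for compatibility with older clusters, so it must be disabled explicitly.

```properties
# Added example: conf/application.properties on a Nacos 1.4.1 node
# (not from the original article). Authentication is off by default;
# none of the settings below take effect until it is enabled.
nacos.core.auth.enabled=true

# Legacy behaviour (weak): a request whose User-Agent matches the whitelist
# is treated as coming from another Nacos server and skips authentication.
# 1.4.1 keeps this switch only so that mixed-version clusters keep working
# during an upgrade; leave it on no longer than the upgrade takes.
# nacos.core.auth.enable.userAgentAuthWhite=true

# Hardened: disable the User-Agent whitelist and have cluster nodes identify
# themselves to each other with a shared request header instead.
# Header name and value are placeholders; every node in the cluster must use
# the same pair, and the value must be long and random, since anyone who
# knows it can pass as a server node.
nacos.core.auth.enable.userAgentAuthWhite=false
nacos.core.auth.server.identity.key=serverIdentity
nacos.core.auth.server.identity.value=<long-random-secret>
```

After restarting all nodes, the console and the open APIs should reject unauthenticated requests; if inter-node synchronization fails after the change, the usual cause is a node whose identity key or value differs from the rest of the cluster.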

Developer @threedr3am submitted an issue to Nacos about half a month ago reporting a security vulnerability that allows authentication to be bypassed (for security reasons, the submitter has since deleted the content of the issue, so the specific vulnerability description is no longer available).

The replies in the issue indicate that Nacos added authentication starting from 1.2.0, so users running 1.2.0 or later are advised to upgrade to the latest 1.4.1.

After Nacos 1.4.1 was released, @threedr3am found another way to bypass authentication (#4701). Once the Nacos maintainers confirmed it, a hotfix based on 1.4.1 resolved the problem.

Users are advised to download the latest 1.4.1 release directly for deployment and upgrade.

Download link: https://github.com/alibaba/nacos/releases/tag/1.4.1


Source: https://www.oschina.net/news/126592/nacos-1-4-1-released