docs/release_notes/v1.13.3.md
This update includes bug fixes:
The caller sidecar is appending the local app API token to the egress request, thereby leaking the API token protecting the local app to the foreign sidecar.
The receiving app can obtain the calling app's API token and make unauthorized calls directly to the originating app, if that app is listening on 0.0.0.0 or an accessible IP address.
A pull request accidentally added this change.
Fixed the issue and added integration tests to verify and avoid future regressions.
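The leak and the corrected behaviour expressed as a regression check, in an added Go example that is not Dapr's own code or its integration test. `toySidecar`, `decorate`, `tokenSeenByPeer` and the token value are hypothetical; `dapr-api-token` is the header in which Dapr presents the app API token to the app.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header in which Dapr presents the app API token to the app it fronts.
const tokenHeader = "dapr-api-token"

// toySidecar is a hypothetical stand-in for the caller sidecar's outbound side.
type toySidecar struct {
	appToken     string // constructed secret protecting the local app
	leakOnEgress bool   // true reproduces the behaviour described above
}

// decorate adds sidecar headers; the token authenticates the sidecar to its own app only.
func (s toySidecar) decorate(req *http.Request, toLocalApp bool) {
	if toLocalApp || s.leakOnEgress {
		req.Header.Set(tokenHeader, s.appToken)
	}
}

// tokenSeenByPeer makes one egress call and returns the token the foreign peer received.
func tokenSeenByPeer(s toySidecar) (string, error) {
	seen := make(chan string, 1)
	peer := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get(tokenHeader)
	}))
	defer peer.Close()
	req, err := http.NewRequest(http.MethodGet, peer.URL+"/ping", nil)
	if err != nil {
		return "", err
	}
	s.decorate(req, false) // egress: the destination is not the local app
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	for _, leak := range []bool{true, false} {
		got, err := tokenSeenByPeer(toySidecar{appToken: "constructed-token", leakOnEgress: leak})
		fmt.Printf("leakOnEgress=%v peerSaw=%q err=%v\n", leak, got, err)
	}
}
```

A check of this shape fails as soon as any egress path attaches the header again, whichever code change reintroduces it.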
Go versions 1.21.8 or older are impacted by CVE-2023-45288.
See https://nvd.nist.gov/vuln/detail/CVE-2023-45288
Update Go version used to build Dapr.
If an error occurs while disseminating the placement table to a sidecar instance, the dissemination to the remaining instances does not complete. See https://github.com/dapr/dapr/issues/7031
Sidecars can run with an old copy of the dissemination table and cannot invoke the correct Dapr sidecar for a given actor instance.
During shutdown, all publish calls to the application were being cancelled.
Check the return value of performTableDissemination for errors.
dapr_http_server_response_count HTTP metric
An existing metric was removed without deprecation notice, affecting users that relied on it. See https://github.com/dapr/dapr/issues/7642
Users did not have this specific metric available anymore, potentially impacting their alerts and monitoring.
Metric removed without deprecation notice.
Added the metric back.