0.298.0

Changes

• 🔒 Resolves CVE-2024-22279, which affected routing-releases 0.273.0 through 0.297.0.
• 🐛 Improve support for requests using the Expect: 100-continue header.
• 🐛 The missing_content_length_header metric introduced in 0.297.0 has been renamed to empty_content_length_header for more accuracy. Thanks @peanball!
• 🐛 The empty_content_length_header was fixed to more accurately capture events when the content-length header of a request was empty. Previously extra request types were being included erroneously.

Bosh Job Spec changes:

diff --git a/jobs/gorouter/spec b/jobs/gorouter/spec
index 712a761f..8269440b 100644
--- a/jobs/gorouter/spec
+++ b/jobs/gorouter/spec
@@ -306,6 +306,9 @@ properties:
   router.keep_alive_probe_interval:
     default: 1s
     description: Interval between TCP keep alive probes. Value is a string (e.g. "10s")
+  router.keep_alive_100_continue_requests:
+    description: "If set gorouter reuses backend connection for requests expecting 100-Continue"
+    default: false
   router.force_forwarded_proto_https:
     description: "Enables setting X-Forwarded-Proto header if SSL termination happened upstream and incorrectly set the header value. When this property is set to true gorouter sets the header X-Forwarded-Proto to https. When this value set to false, gorouter set the header X-Forwarded-Proto to the protocol of the incoming request"
     default: false

✨ Built with go 1.22.3

Full Changelog: v0.297.0...v0.298.0

Resources

• Download release 0.298.0 from bosh.io.