Hello Kong Nation!
Completing our series of security releases this past week, we just released Kong 1.0.4. This version is a security patch release for the 1.0 series, including patches to the NGINX core (1.13.6) fixing vulnerabilities in the HTTP/2 module (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). Everyone using Kong with HTTP/2 is advised to upgrade immediately.
We always advise users to use the latest stable version (at the time of this writing, Kong 1.2.2), but we are providing security patch releases to all Kong 1.x versions so that users can perform security upgrades immediately without migrations.
There are no migrations, new features nor breaking changes over Kong 1.0.3, so it should be a very easy upgrade.
If you are still running Kong 0.x, now it’s a really good time to upgrade to 1.x. These old versions are no longer supported and no security patch releases for those will be made.
Here’s a link to the 1.0.4 Changelog.
The updated Docker image is live on Docker Hub.
With this release, the whole 1.x series was updated this week including these vulnerability fixes: 1.0.4, 1.1.3, 1.2.2, and 1.3.0rc2. Of course, the upcoming Kong 1.3.0 will include the patches as well.