enterprise-2.15.5

The 2.15.5 stable point release includes a variety of bug fixes and proxy configuration features, including a fix for CVE-2024-40632.

Previous release: enterprise-2.15.4.

Who should upgrade?

Users who are experiencing panics in the destination controller, or who want to run the CLI without setting the BUOYANT_LICENSE envvar, should upgrade.
Users who want to further secure their Linkerd installation by disabling the /shutdown endpoint or by removing HTTP header content from debug logging, should upgrade.

All other users may upgrade at their convenience or skip this release.

Please see the instructions in Upgrading BEL.

To upgrade with BEL’s lifecycle automation operator, you will need Buoyant Extension version v0.30.0 or later.

Remove requirement that CLI users must always set the BUOYANT_LICENSE environment variable. Note that a license must still be provided to commands that require it (e.g. install), either via the environment variable or the --set license=... flag.
Improve error handling and timeout behavior in the linkerd license command

Fix panic in the destination controller when reading endpoint hostname (backported from linkerd2#12689)

Add config to disable proxy /shutdown admin endpoint (backported from linkerd2#12705). When enabled, this remediates CVE-2024-40632.
Add config to disable outputting HTTP headers by default in proxy debug logs (backported from linkerd2#12665)

Update extension-init, policy-controller, and proxy base images to remediate CVE-2023-5678 (first fixed in hotpatch enterprise-2.15.4-1)
Update extension-init, policy-controller, and proxy base images to remediate CVE-2023-6129 (first fixed in hotpatch enterprise-2.15.4-1)
Update extension-init, policy-controller, and proxy base images to remediate CVE-2024-0727 (first fixed in hotpatch enterprise-2.15.4-1)
Update Go from 1.22.4 to 1.22.5