
opentofu

v1.12.1 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Affected surfaces

auth

ReleasePort's take

Moderate signal

OpenTofu v1.12.1 fixes the revocation check for SSH CA signature keys, a defect that previously caused SSH hangs or panics, and reduces the excessive provider memory usage introduced in v1.12.0.

Why it matters: The security fix (severity 90) prevents critical SSH failures; the bugfix (severity 40) mitigates performance degradation for deployments running providers. Operators running v1.12.0 should upgrade immediately to avoid hangs and memory leaks.

Summary

AI summary

A mixed release covering security advisories, bug fixes, and https://github.com/opentofu/opentofu/pull/4133.

Changes in this release

Security Critical

Checks both 'key' and 'key.SignatureKey' for revocation, fixing SSH hangs/panics.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Low

Azure key provider now accepts tenant_id, subscription_id, environment, and metadata_host as variables.

Source: llm_adapter@2026-05-27

Confidence: high

Bugfix Medium

Corrects validation of `replace_triggered_by` which was previously incorrect.

Source: llm_adapter@2026-05-27

Confidence: high

Bugfix Medium

Fixes excessive memory usage by providers introduced in v1.12.0.

Source: llm_adapter@2026-05-27

Confidence: low

Full changelog

SECURITY ADVISORIES:

  • Previous releases in the v1.12 series could be affected by several vulnerabilities:

    • SSH usage through OpenTofu generates hangs or panics.
    • Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for '@revoked'.

    This is now fixed by (#4145).

BUG FIXES:

  • Address a bug introduced in v1.12.0 causing excessive memory usage by providers. (#4126)
  • Address a bug introduced in v1.12.0 where replace_triggered_by was validated incorrectly. (#4133)
  • The Azure key provider will now accept the tenant_id, subscription_id, environment, and metadata_host variables; a bug previously only allowed these to be set through environment variables. (#4091)

Full Changelog: https://github.com/opentofu/opentofu/blob/v1.12/CHANGELOG.md

Security Fixes

  • Fix: SSH usage in OpenTofu no longer causes hangs or panics.
  • Fix: Revocation check now verifies both 'key' and 'key.SignatureKey' for '@revoked'.


About opentofu

OpenTofu lets you declaratively manage your cloud infrastructure.


Related context

Earlier breaking changes

  • v1.12.0 Removal of OPENTOFU_USER_AGENT environment variable affects custom User-Agent header behavior.
