Releases: hashicorp/vault
v1.5.9
1.5.9
May 20th, 2021
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
leases and dynamic secret leases with a zero-second TTL, causing them to be
treated as non-expiring, and never revoked. This issue affects Vault and Vault
Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
1.7.2 (CVE-2021-32923).
CHANGES:
- agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
- auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for
signing JWTs [GH-11499]
BUG FIXES:
- core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
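The two entries above describe one defect: a lease renewed in the final moments before its max TTL received a TTL that rounded to zero seconds, and a zero TTL was treated as "no expiry", so the lease was never revoked. The following Go program is an added illustration of that defect class and is not Vault's code; the Lease type, the "zero ExpireTime means never expires" rule, the truncation to whole seconds, and the choice to refuse renewal in the fixed variant are all assumptions made for the example. NonExpiring is the kind of check an operator would want after upgrading: any lease that shows no expiry at all should be revoked explicitly.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lease is a deliberately simplified model of a Vault-style lease for this example. It is
// not Vault's own type; the fields and the "zero ExpireTime means no expiry" rule are
// assumptions made to illustrate the defect class behind CVE-2021-32923.
type Lease struct {
	ID         string
	IssueTime  time.Time
	ExpireTime time.Time // zero value: the lease never expires and is never revoked
	MaxTTL     time.Duration
}

// NewLease issues a lease with an initial TTL bounded by MaxTTL.
func NewLease(id string, issued time.Time, ttl, maxTTL time.Duration) Lease {
	if ttl > maxTTL {
		ttl = maxTTL
	}
	return Lease{ID: id, IssueTime: issued, ExpireTime: issued.Add(ttl), MaxTTL: maxTTL}
}

// NeverExpires reports whether the lease has lost its expiry.
func (l Lease) NeverExpires() bool { return l.ExpireTime.IsZero() }

// remainingTTL is the time left until MaxTTL, truncated to whole seconds the way a TTL is
// carried in an API response. In the final sub-second before MaxTTL it is exactly 0.
func remainingTTL(l Lease, now time.Time) time.Duration {
	return l.IssueTime.Add(l.MaxTTL).Sub(now).Truncate(time.Second)
}

// RenewBuggy models the defect: a renewal in the last sub-second before MaxTTL produces a
// TTL of 0, and 0 is then interpreted as "no expiry", so the lease becomes non-expiring
// instead of being revoked on schedule.
func RenewBuggy(l Lease, now time.Time) Lease {
	ttl := remainingTTL(l, now)
	if ttl == 0 {
		l.ExpireTime = time.Time{} // the bug: a zero TTL promoted to "never expires"
		return l
	}
	l.ExpireTime = now.Add(ttl)
	return l
}

// RenewFixed treats a remainder that rounds to zero as an exhausted lease and refuses the
// renewal, so the original expiry stands and the lease is revoked when it was due. This is
// one reasonable correction for the model, not a description of Vault's actual patch.
func RenewFixed(l Lease, now time.Time) (Lease, error) {
	ttl := remainingTTL(l, now)
	if ttl <= 0 {
		return l, errors.New("lease is at or past its max TTL; renewal refused")
	}
	l.ExpireTime = now.Add(ttl)
	return l, nil
}

// NonExpiring lists leases that have no expiry at all, the state the advisory describes.
// Any lease reported here should be revoked explicitly rather than left to the expiration
// manager, which will never act on it.
func NonExpiring(leases []Lease) []string {
	var ids []string
	for _, l := range leases {
		if l.NeverExpires() {
			ids = append(ids, l.ID)
		}
	}
	return ids
}

func main() {
	issued := time.Date(2021, 5, 1, 12, 0, 0, 0, time.UTC)
	l := NewLease("lease-1", issued, 30*time.Minute, time.Hour) // constructed sample lease
	lastMoment := issued.Add(time.Hour - 400*time.Millisecond)  // 400ms before MaxTTL

	buggy := RenewBuggy(l, lastMoment)
	fmt.Println("buggy renewal never expires:", buggy.NeverExpires())

	_, err := RenewFixed(l, lastMoment)
	fmt.Println("fixed renewal:", err)
	fmt.Println("leases needing explicit revocation:", NonExpiring([]Lease{l, buggy}))
}
```

The interesting input is the 400ms window: the same call that a second earlier would have renewed the lease for one more second instead erases its expiry entirely, which is why a "nearly expiring" lease is the trigger rather than an already-expired one.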
v1.7.1
v1.6.4
Release vault v1.6.4
v1.5.8
Release vault v1.5.8
v1.7.0
1.7.0
24 March 2021
CHANGES:
- go: Update go version to 1.15.8 [GH-11060]
FEATURES:
- Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
- agent: Support for persisting the agent cache to disk [GH-10938]
- auth/jwt: Adds max_age role parameter and auth_time claim validation. [GH-10919]
- kmip (enterprise): Use entropy augmentation to generate kmip certificates
- sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
- secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
- secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
- secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
- secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
- secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
- secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
- secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
- secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
- secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
- ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
- ui: Adds the wizard to the Database Secret Engine [GH-10982]
- ui: Database secrets engine, supporting MongoDB only [GH-10655]
IMPROVEMENTS:
- agent: Add template-retry stanza to agent config. [GH-10644]
- agent: Agent can now run as a Windows service. [GH-10231]
- agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
- agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
- agent: change auto-auth to preload an existing token on start [GH-10850]
- auth/ldap: Improve consistency in error messages [GH-10537]
- auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
- changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
- command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
- core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
- core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
- core/metrics: Added "vault operator usage" command. [GH-10365]
- core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
- core: Added active since timestamp to the status output of active nodes. [GH-10489]
- core: Check audit device with a test message before adding it. [GH-10520]
- core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10744]
- core: add metrics for active entity count [GH-10514]
- core: add partial month client count api [GH-11022]
- core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
- core: reduce memory used by leases [GH-10726]
- secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
- storage/raft (enterprise): Listing of peers is now allowed on DR secondary
cluster nodes, as an update operation that takes in DR operation token for
authenticating the request.
- ui: Clarify language on usage metrics page empty state [GH-10951]
- ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
- ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
- ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
- ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
- ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
- ui: better errors on Database secrets engine role create [GH-10980]
BUG FIXES:
- agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
- agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
- agent: Set namespace for template server in agent. [GH-10757]
- api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
- api: Fixes CORS API methods that were outdated and invalid [GH-10444]
- auth/jwt: Fixes bound_claims validation for provider-specific group and user info fetching. [GH-10546]
- auth/jwt: Fixes an issue where JWT verification keys weren't updated after a jwks_url change. [GH-10919]
- auth/jwt: Fixes an issue where jwt_supported_algs were not being validated for JWT auth using jwks_url and jwt_validation_pubkeys. [GH-10919]
- auth/oci: Fixes alias name to use the role name, and not the literal string name [GH-10] [GH-10952]
- consul-template: Update consul-template vendor version and associated dependencies to master,
pulling in hashicorp/consul-template#1447 [GH-10756]
- core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
- core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
- core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
- core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
- core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
- core: Fix client.Clone() to include the address [GH-10077]
- core: Fix duplicate quotas on performance standby nodes. [GH-10855]
- core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring
purgeInterval and staleAge are set appropriately. [GH-10536]
- core: Make all APIs that report init status consistent, and make them report
initialized=true when a Raft join is in progress. [GH-10498]
- core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
- core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
- http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
- license: Fix license caching issue that prevents new licenses to get picked up by the license manager [GH-10424]
- metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
- quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
- replication (enterprise): Fix bug with not starting merkle sync while requests are in progress
- secrets/database/influxdb: Fix issue where ...
v1.7.0-rc2
Release vault v1.7.0-rc2
v1.7.0-rc1
v1.6.3
SECURITY:
- Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated
reading of Vault licenses from DR Secondaries. This vulnerability affects Vault and Vault Enterprise and is
fixed in 1.6.3 (CVE-2021-27668).
CHANGES:
- secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]
IMPROVEMENTS:
- ui: Clarify language on usage metrics page empty state [GH-10951]
BUG FIXES:
- auth/kubernetes: Cancel API calls to TokenReview endpoint when request context
is closed [GH-10930]
- core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
- quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
- quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
- replication (enterprise): Don't write request count data on DR Secondaries.
Fixes DR Secondaries becoming out of sync approximately every 30s. [GH-10970]
- secrets/azure (enterprise): Forward service principal credential creation to the
primary cluster if called on a performance standby or performance secondary. [GH-10902]
v1.6.2
SECURITY:
- IP Address Disclosure: We fixed a vulnerability where, under some error
conditions, Vault would return an error message disclosing internal IP
addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
1.6.2 (CVE-2021-3024).
- Limited Unauthenticated Remove Peer: As of Vault 1.6, the remove-peer command
on DR secondaries did not require authentication. This issue impacts the
stability of HA architecture, as a bad actor could remove all standby
nodes from a DR secondary. This issue affects Vault Enterprise 1.6.0 and 1.6.1,
and is fixed in 1.6.2 (CVE-2021-3282).
- Mount Path Disclosure: Vault previously returned different HTTP status codes for
existent and non-existent mount paths. This behavior would allow unauthenticated
brute force attacks to reveal which paths had valid mounts. This issue affects
Vault and Vault Enterprise and is fixed in 1.6.2 (CVE-2020-25594).
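The Mount Path Disclosure entry, together with the GH-10650 bug fix ("Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence"), describes an enumeration oracle: as long as an unauthenticated request returns one status for a mounted path and another for an unmounted one, an attacker can brute-force the mount table without a token. The Go program below is an added example and is not Vault's code. It models a vulnerable handler beside a hardened one and includes the probe a pentester would run to tell them apart. The /v1/sys/internal/ui/mounts/ route name, the 403/404 status pair, the error bodies, the mount table and the "any X-Vault-Token header counts as authenticated" rule are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// prefix is the route the example checks; the sys/internal path family comes from the
// fix entry, the exact sub-path is an assumption for this example.
const prefix = "/v1/sys/internal/ui/mounts/"

// mounts is a constructed mount table for the example, not taken from any real cluster.
var mounts = map[string]bool{"secret/": true, "pki/": true}

func mountFromPath(p string) string { return strings.TrimPrefix(p, prefix) }

// authenticated is a stand-in for real token validation: any token header counts.
func authenticated(r *http.Request) bool { return r.Header.Get("X-Vault-Token") != "" }

// vulnerable checks mount existence before authentication, so an unauthenticated caller
// gets 404 for an unknown path and 403 for a mounted one. The status code is the oracle.
func vulnerable(w http.ResponseWriter, r *http.Request) {
	m := mountFromPath(r.URL.Path)
	if !mounts[m] {
		http.Error(w, `{"errors":["no mount at this path"]}`, http.StatusNotFound)
		return
	}
	if !authenticated(r) {
		http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, `{"data":{"path":%q}}`, m)
}

// hardened authenticates first, so an unauthenticated caller receives the same status and
// body whether or not the mount exists; existence is only revealed to a caller with a token.
func hardened(w http.ResponseWriter, r *http.Request) {
	if !authenticated(r) {
		http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
		return
	}
	m := mountFromPath(r.URL.Path)
	if !mounts[m] {
		http.Error(w, `{"errors":["no mount at this path"]}`, http.StatusNotFound)
		return
	}
	fmt.Fprintf(w, `{"data":{"path":%q}}`, m)
}

// response is everything an unauthenticated probe can observe and compare.
type response struct {
	Status int
	Body   string
}

func probe(base, mount string) (response, error) {
	resp, err := http.Get(base + prefix + mount) // deliberately no token header
	if err != nil {
		return response{}, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return response{}, err
	}
	return response{Status: resp.StatusCode, Body: string(b)}, nil
}

// LeaksMountExistence runs the differential check: request a path known to be mounted and
// one known not to be, both without a token, and report whether the answers differ.
func LeaksMountExistence(h http.HandlerFunc) (bool, error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	known, err := probe(srv.URL, "secret/")
	if err != nil {
		return false, err
	}
	unknown, err := probe(srv.URL, "does-not-exist/")
	if err != nil {
		return false, err
	}
	return known != unknown, nil
}

func main() {
	v, _ := LeaksMountExistence(vulnerable)
	h, _ := LeaksMountExistence(hardened)
	fmt.Println("vulnerable handler leaks mount existence:", v)
	fmt.Println("hardened handler leaks mount existence:", h)
}
```

Against a real deployment the same check is a pair of unauthenticated requests with the status line and body compared byte for byte; response timing would be the next thing to compare, which this example does not cover.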
CHANGES:
- go: Update go version to 1.15.7 [GH-10730]
FEATURES:
- ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
IMPROVEMENTS:
- core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
- core: reduce memory used by leases [GH-10726]
- storage/raft (enterprise): Listing of peers is now allowed on DR secondary
cluster nodes, as an update operation that takes in DR operation token for
authenticating the request.
BUG FIXES:
- agent: Set namespace for template server in agent. [GH-10757]
- core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
- metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
- secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [GH-10759]
- storage/raft (enterprise): Automated snapshots with Azure required specifying
azure_blob_environment, which should have defaulted to AZUREPUBLICCLOUD.
- storage/raft (enterprise): Autosnapshots config and storage weren't excluded from
performance replication, causing conflicts and errors.
- ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [GH-10596]
- ui: Fix expected response from feature-flags endpoint [GH-10684]
v1.5.7
SECURITY:
- IP Address Disclosure: We fixed a vulnerability where, under some error
conditions, Vault would return an error message disclosing internal IP
addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
1.6.2 and 1.5.7 (CVE-2021-3024).
- Mount Path Disclosure: Vault previously returned different HTTP status codes for
existent and non-existent mount paths. This behavior would allow unauthenticated
brute force attacks to reveal which paths had valid mounts. This issue affects
Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).
IMPROVEMENTS:
- storage/raft (enterprise): Listing of peers is now allowed on DR secondary
cluster nodes, as an update operation that takes in DR operation token for
authenticating the request.
BUG FIXES: