Releases: hashicorp/vault

v1.5.9

21 May 20:29
534a12a

1.5.9

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for
    signing JWTs [GH-11499]

BUG FIXES:

  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]

v1.7.1

23 Apr 16:09
9171422

Release vault 1.7.1

v1.6.4

21 Apr 17:18
a10df31

Release vault v1.6.4

v1.5.8

21 Apr 17:19
2df19e5

Release vault v1.5.8

v1.7.0

24 Mar 21:04
4e222b8

1.7.0

24 March 2021

CHANGES:

  • go: Update go version to 1.15.8 [GH-11060]

FEATURES:

  • Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
  • agent: Support for persisting the agent cache to disk [GH-10938]
  • auth/jwt: Adds max_age role parameter and auth_time claim validation. [GH-10919]
  • kmip (enterprise): Use entropy augmentation to generate kmip certificates
  • sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
  • secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
  • secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
  • secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
  • secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
  • secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
  • secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
  • secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
  • secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
  • secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
  • ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
  • ui: Adds the wizard to the Database Secret Engine [GH-10982]
  • ui: Database secrets engine, supporting MongoDB only [GH-10655]

IMPROVEMENTS:

  • agent: Add template-retry stanza to agent config. [GH-10644]
  • agent: Agent can now run as a Windows service. [GH-10231]
  • agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
  • agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
  • agent: change auto-auth to preload an existing token on start [GH-10850]
  • auth/ldap: Improve consistency in error messages [GH-10537]
  • auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
  • changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
  • command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
  • core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
  • core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
  • core/metrics: Added "vault operator usage" command. [GH-10365]
  • core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
  • core: Added active since timestamp to the status output of active nodes. [GH-10489]
  • core: Check audit device with a test message before adding it. [GH-10520]
  • core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10744]
  • core: add metrics for active entity count [GH-10514]
  • core: add partial month client count api [GH-11022]
  • core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
  • core: reduce memory used by leases [GH-10726]
  • secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary
    cluster nodes, as an update operation that takes in DR operation token for
    authenticating the request.
  • ui: Clarify language on usage metrics page empty state [GH-10951]
  • ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
  • ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
  • ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
  • ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
  • ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
  • ui: better errors on Database secrets engine role create [GH-10980]

BUG FIXES:

  • agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
  • agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
  • agent: Set namespace for template server in agent. [GH-10757]
  • api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
  • api: Fixes CORS API methods that were outdated and invalid [GH-10444]
  • auth/jwt: Fixes bound_claims validation for provider-specific group and user info fetching. [GH-10546]
  • auth/jwt: Fixes an issue where JWT verification keys weren't updated after a jwks_url change. [GH-10919]
  • auth/jwt: Fixes an issue where jwt_supported_algs were not being validated for JWT auth using
    jwks_url and jwt_validation_pubkeys. [GH-10919]
  • auth/oci: Fixes alias name to use the role name, and not the literal string name [GH-10] [GH-10952]
  • consul-template: Update consul-template vendor version and associated dependencies to master,
    pulling in hashicorp/consul-template#1447 [GH-10756]
  • core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
  • core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
  • core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
  • core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
  • core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
  • core: Fix client.Clone() to include the address [GH-10077]
  • core: Fix duplicate quotas on performance standby nodes. [GH-10855]
  • core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring purgeInterval and
    staleAge are set appropriately. [GH-10536]
  • core: Make all APIs that report init status consistent, and make them report
    initialized=true when a Raft join is in progress. [GH-10498]
  • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
  • core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
  • http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
  • license: Fix license caching issue that prevented new licenses from being picked up by the license manager [GH-10424]
  • metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
  • quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
  • replication (enterprise): Fix bug where merkle sync was not started while requests were in progress
  • secrets/data...

v1.7.0-rc2

17 Mar 16:34
d77a09d
Pre-release

Release vault v1.7.0-rc2

v1.7.0-rc1

11 Mar 00:42
9af08a1
Pre-release

CHANGES:

  • go: Update go version to 1.15.8 [GH-11060]

FEATURES:

  • Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
  • agent: Support for persisting the agent cache to disk [GH-10938]
  • auth/jwt: Adds max_age role parameter and auth_time claim validation. [GH-10919]
  • kmip (enterprise): Use entropy augmentation to generate kmip certificates
  • sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
  • secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
  • secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
  • secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
  • secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
  • secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
  • secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
  • secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
  • secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
  • secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
  • ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
  • ui: Adds the wizard to the Database Secret Engine [GH-10982]
  • ui: Database secrets engine, supporting MongoDB only [GH-10655]

IMPROVEMENTS:

  • agent: Add template-retry stanza to agent config. [GH-10644]
  • agent: Agent can now run as a Windows service. [GH-10231]
  • agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
  • agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
  • agent: change auto-auth to preload an existing token on start [GH-10850]
  • auth/ldap: Improve consistency in error messages [GH-10537]
  • auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
  • changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
  • command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
  • core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
  • core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
  • core/metrics: Added "vault operator usage" command. [GH-10365]
  • core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
  • core: Added active since timestamp to the status output of active nodes. [GH-10489]
  • core: Check audit device with a test message before adding it. [GH-10520]
  • core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10744]
  • core: add metrics for active entity count [GH-10514]
  • core: add partial month client count api [GH-11022]
  • core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
  • core: reduce memory used by leases [GH-10726]
  • secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary
    cluster nodes, as an update operation that takes in DR operation token for
    authenticating the request.
  • ui: Clarify language on usage metrics page empty state [GH-10951]
  • ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
  • ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
  • ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
  • ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
  • ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
  • ui: better errors on Database secrets engine role create [GH-10980]

BUG FIXES:

  • agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
  • agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
  • agent: Set namespace for template server in agent. [GH-10757]
  • api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
  • api: Fixes CORS API methods that were outdated and invalid [GH-10444]
  • auth/jwt: Fixes bound_claims validation for provider-specific group and user info fetching. [GH-10546]
  • auth/jwt: Fixes an issue where JWT verification keys weren't updated after a jwks_url change. [GH-10919]
  • auth/jwt: Fixes an issue where jwt_supported_algs were not being validated for JWT auth using
    jwks_url and jwt_validation_pubkeys. [GH-10919]
  • auth/oci: Fixes alias name to use the role name, and not the literal string name [GH-10] [GH-10952]
  • consul-template: Update consul-template vendor version and associated dependencies to master,
    pulling in hashicorp/consul-template#1447 [GH-10756]
  • core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
  • core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
  • core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
  • core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
  • core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
  • core: Fix client.Clone() to include the address [GH-10077]
  • core: Fix duplicate quotas on performance standby nodes. [GH-10855]
  • core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring purgeInterval and
    staleAge are set appropriately. [GH-10536]
  • core: Make all APIs that report init status consistent, and make them report
    initialized=true when a Raft join is in progress. [GH-10498]
  • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
  • core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
  • http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
  • license: Fix license caching issue that prevented new licenses from being picked up by the license manager [GH-10424]
  • metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
  • quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
  • replication (enterprise): Fix bug where merkle sync was not started while requests were in progress
  • secrets/database/influxdb: Fix issue where ...

v1.6.3

25 Feb 18:21
b540be4

SECURITY:

  • Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated
    reading of Vault licenses from DR Secondaries. This vulnerability affects Vault and Vault Enterprise and is
    fixed in 1.6.3 (CVE-2021-27668).

CHANGES:

  • secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]

IMPROVEMENTS:

  • ui: Clarify language on usage metrics page empty state [GH-10951]

BUG FIXES:

  • auth/kubernetes: Cancel API calls to TokenReview endpoint when request context
    is closed [GH-10930]
  • core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
  • quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
  • quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
  • replication (enterprise): Don't write request count data on DR Secondaries.
    Fixes DR Secondaries becoming out of sync approximately every 30s. [GH-10970]
  • secrets/azure (enterprise): Forward service principal credential creation to the
    primary cluster if called on a performance standby or performance secondary. [GH-10902]

v1.6.2

29 Jan 18:22
be65a22

SECURITY:

  • IP Address Disclosure: We fixed a vulnerability where, under some error
    conditions, Vault would return an error message disclosing internal IP
    addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
    1.6.2 (CVE-2021-3024).
  • Limited Unauthenticated Remove Peer: As of Vault 1.6, the remove-peer command
    on DR secondaries did not require authentication. This issue impacts the
    stability of HA architecture, as a bad actor could remove all standby
    nodes from a DR secondary. This issue affects Vault Enterprise 1.6.0 and
    1.6.1, and is fixed in 1.6.2 (CVE-2021-3282).
  • Mount Path Disclosure: Vault previously returned different HTTP status codes for
    existent and non-existent mount paths. This behavior would allow unauthenticated
    brute force attacks to reveal which paths had valid mounts. This issue affects
    Vault and Vault Enterprise and is fixed in 1.6.2 (CVE-2020-25594).

CHANGES:

  • go: Update go version to 1.15.7 [GH-10730]

FEATURES:

  • ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]

IMPROVEMENTS:

  • core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
  • core: reduce memory used by leases [GH-10726]
  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary
    cluster nodes, as an update operation that takes in DR operation token for
    authenticating the request.

BUG FIXES:

  • agent: Set namespace for template server in agent. [GH-10757]
  • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
  • metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
  • secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [GH-10759]
  • storage/raft (enterprise): Automated snapshots with Azure required specifying
    azure_blob_environment, which should have defaulted to AZUREPUBLICCLOUD.
  • storage/raft (enterprise): Autosnapshots config and storage weren't excluded from
    performance replication, causing conflicts and errors.
  • ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [GH-10596]
  • ui: Fix expected response from feature-flags endpoint [GH-10684]

v1.5.7

29 Jan 18:18
81d55e3

SECURITY:

  • IP Address Disclosure: We fixed a vulnerability where, under some error
    conditions, Vault would return an error message disclosing internal IP
    addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
    1.6.2 and 1.5.7 (CVE-2021-3024).
  • Mount Path Disclosure: Vault previously returned different HTTP status codes for
    existent and non-existent mount paths. This behavior would allow unauthenticated
    brute force attacks to reveal which paths had valid mounts. This issue affects
    Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).

IMPROVEMENTS:

  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary
    cluster nodes, as an update operation that takes in DR operation token for
    authenticating the request.

BUG FIXES:

  • core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
  • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]