fix(deps): update module github.com/hashicorp/vault to v1.18.0 [security] #109
This PR contains the following updates:
github.com/hashicorp/vault v1.17.1 -> v1.18.0
GitHub Vulnerability Alerts
CVE-2024-6468
Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.
While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.
Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.
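Worked example, added here and not Vault's own code: a small Go accept loop that applies the deny_unauthorized idea to PROXY protocol v1 headers the way a listener should. A header from a peer that is not in the authorized list is an error for that one connection, which is closed, while the listener keeps accepting. The failure the advisory describes, and the 1.17.2 entry [GH-27589] in the release notes on this page fixes, is the opposite: one untrusted upstream connection took the whole API listener down. The listener stanza in the header comment uses Vault's real proxy_protocol_behavior and proxy_protocol_authorized_addrs option names with placeholder addresses; proxyGuard, checkHeader, handleConn and serve are names chosen for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
	"time"
)

// Listener stanza this models (Vault's real option names, placeholder addresses):
//
//	listener "tcp" {
//	  proxy_protocol_behavior         = "deny_unauthorized"
//	  proxy_protocol_authorized_addrs = "10.0.0.1,10.0.0.2"
//	}
//
// proxyGuard, checkHeader, handleConn and serve are this example's own names.
type proxyGuard struct {
	authorized map[string]bool // peers allowed to send a PROXY header
}

func newProxyGuard(addrs ...string) *proxyGuard {
	g := &proxyGuard{authorized: map[string]bool{}}
	for _, a := range addrs {
		g.authorized[a] = true
	}
	return g
}

// checkHeader validates a PROXY protocol v1 line such as
// "PROXY TCP4 203.0.113.7 10.0.0.5 51234 8200\r\n" sent by peerIP and returns
// the client address it carries. An unauthorized peer is an error for this
// connection and nothing more.
func (g *proxyGuard) checkHeader(peerIP, line string) (string, error) {
	if !g.authorized[peerIP] {
		return "", fmt.Errorf("proxy header from unauthorized peer %s", peerIP)
	}
	f := strings.Fields(strings.TrimRight(line, "\r\n"))
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") || net.ParseIP(f[2]) == nil {
		return "", fmt.Errorf("malformed PROXY v1 header %q", line)
	}
	return f[2], nil
}

// handleConn serves one connection. peerIP is passed in so the function also
// works over a net.Pipe; the deferred Close affects this connection only.
func handleConn(conn net.Conn, peerIP string, g *proxyGuard) (string, error) {
	defer conn.Close()
	conn.SetReadDeadline(time.Now().Add(2 * time.Second))
	line, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	clientIP, err := g.checkHeader(peerIP, line)
	if err != nil {
		return "", err
	}
	fmt.Fprintf(conn, "hello %s\n", clientIP)
	return clientIP, nil
}

// serve is the accept loop. The property the CVE-2024-6468 fix restores is that
// a rejected connection never ends this loop: only Accept itself failing does.
func serve(ln net.Listener, g *proxyGuard, results chan<- string) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			close(results)
			return
		}
		go func(c net.Conn) {
			peerIP, _, _ := net.SplitHostPort(c.RemoteAddr().String())
			if ip, err := handleConn(c, peerIP, g); err != nil {
				results <- "rejected: " + err.Error()
			} else {
				results <- "accepted client " + ip
			}
		}(conn)
	}
}

func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	results := make(chan string, 8)
	// Only 192.0.2.1 may send PROXY headers, so both local connections are rejected; the second is still answered.
	go serve(ln, newProxyGuard("192.0.2.1"), results)
	for i := 0; i < 2; i++ {
		c, err := net.Dial("tcp", ln.Addr().String())
		if err != nil {
			panic(err)
		}
		fmt.Fprint(c, "PROXY TCP4 203.0.113.7 10.0.0.5 51234 8200\r\n")
		fmt.Println(<-results) // rejected: proxy header from unauthorized peer 127.0.0.1
		c.Close()
	}
	ln.Close()
}
```

The check that matters is not the header parsing but where the error goes: a per-connection failure returns from handleConn and is reported on the results channel, while serve only exits when Accept itself fails. That is the invariant to verify on any listener that sits behind a proxy and has an "untrusted source" branch.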
CVE-2024-7594
Vault’s SSH secrets engine did not require the valid_principals list to contain a value by default. If the valid_principals and default_user fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to authenticate as any user on the host. Fixed in Vault Community Edition 1.17.6, and in Vault Enterprise 1.17.6, 1.16.10, and 1.15.15.
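Added example, not from Vault or OpenSSH: a stdlib-only Go check that walks an OpenSSH ed25519 user certificate down to its valid_principals field and refuses a certificate whose list is empty, which is exactly what sshd would accept for any account on the host. The certificate bytes are constructed inside the block (unsigned, zero key material) so it runs offline; a real check would also verify the CA signature, which is left out here. The allowEmptyPrincipals switch mirrors the allow_empty_principals role option that the 1.17.6 and 1.18.0 release notes on this page introduce for operators who want the old behaviour. On the Vault side the corresponding fix is to give the role an allowed_users or default_user, or to pass valid_principals on the sign request; encodeUserCert, certPrincipals and checkCert are names chosen for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Layout follows OpenSSH PROTOCOL.certkeys for ssh-ed25519-cert-v01. The names
// below are this example's own; the bytes it builds are unsigned, constructed test data.
const certType = "ssh-ed25519-cert-v01@openssh.com"

func putString(b *bytes.Buffer, s []byte) {
	binary.Write(b, binary.BigEndian, uint32(len(s)))
	b.Write(s)
}

// encodeUserCert builds a user certificate with the given principals; key, signature key and signature are empty on purpose.
func encodeUserCert(keyID string, principals []string) []byte {
	var prin, b bytes.Buffer
	for _, p := range principals {
		putString(&prin, []byte(p))
	}
	putString(&b, []byte(certType))
	putString(&b, make([]byte, 32))                   // nonce
	putString(&b, make([]byte, 32))                   // ed25519 public key (zeros)
	binary.Write(&b, binary.BigEndian, uint64(1))     // serial
	binary.Write(&b, binary.BigEndian, uint32(1))     // SSH_CERT_TYPE_USER
	putString(&b, []byte(keyID))
	putString(&b, prin.Bytes())                       // valid_principals
	binary.Write(&b, binary.BigEndian, uint64(0))     // valid_after
	binary.Write(&b, binary.BigEndian, uint64(1<<40)) // valid_before
	for i := 0; i < 5; i++ {                          // critical options, extensions, reserved, signature key, signature
		putString(&b, nil)
	}
	return b.Bytes()
}

// reader is a sticky-error cursor: after the first short read every call returns nil.
type reader struct {
	buf []byte
	err error
}

func (r *reader) take(n int) []byte {
	if r.err == nil && (n < 0 || n > len(r.buf)) {
		r.err = fmt.Errorf("truncated certificate")
	}
	if r.err != nil {
		return nil
	}
	s := r.buf[:n]
	r.buf = r.buf[n:]
	return s
}

func (r *reader) str() []byte {
	n := r.take(4)
	if r.err != nil {
		return nil
	}
	return r.take(int(binary.BigEndian.Uint32(n)))
}

// certPrincipals walks the certificate to valid_principals and returns the key ID and the list.
func certPrincipals(cert []byte) (string, []string, error) {
	r := &reader{buf: cert}
	typ := r.str()
	r.str()         // nonce
	r.str()         // public key
	r.take(8)       // serial
	ct := r.take(4) // certificate type
	keyID := r.str()
	r.buf = r.str() // descend into valid_principals, itself a packed list of strings
	var principals []string
	for r.err == nil && len(r.buf) > 0 {
		principals = append(principals, string(r.str()))
	}
	if r.err != nil {
		return "", nil, r.err
	}
	if string(typ) != certType || binary.BigEndian.Uint32(ct) != 1 {
		return "", nil, fmt.Errorf("not an %s user certificate", certType)
	}
	return string(keyID), principals, nil
}

// checkCert is the rule the advisory is about: sshd accepts a certificate with an empty
// valid_principals for any account, so refuse it unless the operator opted in.
func checkCert(cert []byte, allowEmptyPrincipals bool) error {
	keyID, principals, err := certPrincipals(cert)
	if err != nil {
		return err
	}
	if len(principals) == 0 && !allowEmptyPrincipals {
		return fmt.Errorf("certificate %q has no valid_principals: it would log in as any user", keyID)
	}
	return nil
}

func main() {
	fmt.Println("scoped:  ", checkCert(encodeUserCert("vault-deploy-role", []string{"deploy"}), false)) // <nil>
	fmt.Println("wildcard:", checkCert(encodeUserCert("vault-unscoped-role", nil), false))             // error
}
```

The same walk works on a real certificate from `ssh-keygen -L` input: the fields up to valid_principals are fixed-position for the ed25519 type, so an audit script can flag every certificate a CA has issued with an empty list without needing the CA key.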
CVE-2024-9180
A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their privileges to Vault’s root policy. Fixed in Vault Community Edition 1.18.0 and Vault Enterprise 1.18.0, 1.17.7, 1.16.11, and 1.15.16.
Release Notes
hashicorp/vault (github.com/hashicorp/vault)
v1.18.0
CHANGES:
when querying the activity log endpoints. [GH-27350]
will automatically be set to the billing period start date. [GH-27426]
sudo ACL capability. [GH-27846]
start_time and end_time. [GH-28064]
The endTime will be set to the end of the current month. This applies to /sys/internal/counters/activity, /sys/internal/counters/activity/export, and the vault operator usage command that utilizes /sys/internal/counters/activity. [GH-27379]
-dev-three-node and -dev-four-cluster CLI options have been removed. [GH-27578]
control group: could not find token, and control group: token is not a valid control group token.
allow_empty_principals to allow keys or certs to apply to any user/principal. [GH-28466]
FEATURES:
session tags when generating temporary credentials using the AWS secrets engine. [GH-27620]
for write requests as a GA feature (enabled by default) for Integrated Storage.
with only core features using the BUILD_MINIMAL environment variable. [GH-27394]
IMPROVEMENTS:
visibly sensible totals. [GH-27547]
X-Vault-Namespace header or within the path) and all child namespaces. [GH-27846]
/sys/internal/counters/activity will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
log before returning (if there are errors to log, and the context is done). [GH-27859]
eviction, and avoid duplicate loading during multiple simultaneous logins on the same role. [GH-27902]
--dev-no-kv flag to prevent auto mounting a key-value secret backend when running a dev server [GH-16974]
vault operator usage will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
disable_host_initial_lookup option to backend, allowing the disabling of initial host lookup. [GH-9733]
service_meta config field. [GH-11084]
GetMSIEndpoint, which supports more than just the metadata service. [GH-10624]
vault/settings/secrets/configure/<backend> to vault/secrets/<backend>/configuration/edit [GH-27918]
current_billing_period from dashboard activity log request [GH-27559]
BUG FIXES:
max_lease_ttl tune value for tokens created via auth/token/create. [GH-28498]
-address not being set when it is. [GH-27265]
vault hcp connect where HCP resources with uppercase letters were inaccessible when entering the correct project name. [GH-27694]
vault secrets move and vault auth move commands will no longer attempt to write to storage on performance standby nodes. [GH-28059]
setting of 'deny_unauthorized' [GH-27459]
sys/internal/ui/mounts for a mount prefixed by a namespace path when path filters are configured. [GH-27939]
is cancelled and will now use a new context with a 5 second timeout. If the existing context is cancelled, a new context will be used. [GH-27531]
proxy_protocol_behavior with deny_unauthorized, which causes the Vault TCP listener to close after receiving an untrusted upstream proxy connection. [GH-27589]
allow_forwarding_via_header to be configured on the cluster. [GH-27891]
//) in the mount path, when the token should otherwise have access.
app_name and installation_id are set
use versioned plugins. [GH-27881]
default_role input missing from oidc auth method configuration form [GH-28539]
v1.17.6
1.17.6
September 25, 2024
CHANGES:
allow_empty_principals to allow keys or certs to apply to any user/principal. [GH-28466]
IMPROVEMENTS:
current_billing_period from dashboard activity log request [GH-27559]
BUG FIXES:
app_name and installation_id are set
v1.17.5
1.17.5
August 30, 2024
SECURITY:
core/audit: fix regression where client tokens and token accessors were being displayed in the audit log in plaintext. HCSEC-2024-18
BUG FIXES:
v1.17.4
1.17.4
August 29, 2024
CHANGES:
IMPROVEMENTS:
visibly sensible totals. [GH-27547]
/sys/internal/counters/activity will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
vault operator usage will now include a warning if the specified usage period contains estimated client counts. [GH-28068]
BUG FIXES:
vault secrets move and vault auth move commands will no longer attempt to write to storage on performance standby nodes. [GH-28059]
v1.17.3
1.17.3
August 07, 2024
CHANGES:
IMPROVEMENTS:
log before returning (if there are errors to log, and the context is done). [GH-27859]
eviction, and avoid duplicate loading during multiple simultaneous logins on the same role. [GH-27902]
BUG FIXES:
sys/internal/ui/mounts for a mount prefixed by a namespace path when path filters are configured. [GH-27939]
allow_forwarding_via_header to be configured on the cluster. [GH-27891]
use versioned plugins. [GH-27881]
v1.17.2
1.17.2
July 10, 2024
CHANGES:
FEATURES:
session tags when generating temporary credentials using the AWS secrets engine. [GH-27620]
BUG FIXES:
vault hcp connect where HCP resources with uppercase letters were inaccessible when entering the correct project name. [GH-27694]
proxy_protocol_behavior with deny_unauthorized, which causes the Vault TCP listener to close after receiving an untrusted upstream proxy connection. [GH-27589]
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.