Skip to content

Releases: hashicorp/vault

v1.7.4

26 Aug 22:47
f6274ee
Compare
Choose a tag to compare

1.7.4

26 August 2021

SECURITY:

  • UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

CHANGES:

  • go: Update go version to 1.15.15 [GH-12411]

IMPROVEMENTS:

  • ui: Updated node to v14, latest stable build [GH-12049]

BUG FIXES:

  • replication (enterprise): Fix a panic that could occur when checking the last wal and the log shipper buffer is empty.
  • cli: vault debug now puts newlines after every captured log line. [GH-12175]
  • database/couchbase: change default template to truncate username at 128 characters [GH-12299]
  • physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
  • secrets/database/cassandra: Fixed issue where the PEM parsing logic of pem_bundle and pem_json didn't work for CA-only configurations [GH-11861]
  • secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
  • ui: Automatically refresh the page when user logs out [GH-12035]
  • ui: Fix database role CG access [GH-12111]
  • ui: Fixes metrics page when read on counter config not allowed [GH-12348]
  • ui: fix control group access for database credential [GH-12024]
  • ui: fix oidc login with Safari [GH-11884]

1.7.3

June 16th, 2021

CHANGES:

  • go: Update go version to 1.15.13 [GH-11857]

IMPROVEMENTS:

  • db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
  • ui: Add specific error message if unseal fails due to license [GH-11705]

BUG FIXES:

  • auth/jwt: Updates the hashicorp/cap library to v0.1.0 to
    bring in a verification key caching fix. [GH-11784]
  • core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation.
  • secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
  • secrets/ad: Forward all creds requests to active node [GH-76] [GH-11836]
  • tokenutil: Perform the num uses check before token type. [GH-11647]

v1.6.6

26 Aug 22:38
b939b4d
Compare
Choose a tag to compare

1.6.6

26 August 2021

SECURITY:

  • UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

CHANGES:

  • go: Update go version to 1.15.15 [GH-12423]

IMPROVEMENTS:

  • db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]

BUG FIXES:

  • physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
  • secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
  • secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
  • ui: Automatically refresh the page when user logs out [GH-12035]
  • ui: Fixes metrics page when read on counter config not allowed [GH-12348]
  • ui: fix oidc login with Safari [GH-11884]

v1.8.1

05 Aug 15:20
4b0264f
Compare
Choose a tag to compare

1.8.1

August 5th, 2021

CHANGES:

  • go: Update go version to 1.16.6 [GH-12245]

IMPROVEMENTS:

  • serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]

BUG FIXES:

  • auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [GH-12026]
  • auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12258]
  • core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
  • core: fix byte printing for diagnose disk checks [GH-12229]
  • identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]

v1.8.0

28 Jul 14:08
82a99f1
Compare
Choose a tag to compare

1.8.0

July 28th, 2021

CHANGES:

  • agent: Errors in the template engine will no longer cause agent to exit unless
    explicitly defined to do so. A new configuration parameter,
    exit_on_retry_failure, within the new top-level stanza, template_config, can
    be set to true in order to cause agent to exit. Note that for agent to exit if
    template.error_on_missing_key is set to true, exit_on_retry_failure must
    be also set to true. Otherwise, the template engine will log an error but then
    restart its internal runner. [GH-11775]
  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to
    start Vault. More information is available in the Vault License FAQ

FEATURES:

  • GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation
    of service account keys and access tokens. [GH-12023]
  • Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
  • License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
  • MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
  • Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

IMPROVEMENTS:

  • agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
  • agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
  • api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
  • auth/aws: Underlying error included in validation failure message. [GH-11638]
  • cli/api: Add lease lookup command [GH-11129]
  • core: Add prefix_filter to telemetry config [GH-12025]
  • core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
  • core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
  • core (enterprise): Add controlled capabilities to control group policy stanza
  • core: Add metrics for standby node forwarding. [GH-11366]
  • core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
  • core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
  • core: add irrevocable lease list and count apis [GH-11607]
  • core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
  • db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
  • go: Update to Go 1.16.5 [GH-11802]
  • raft: Improve raft batch size selection [GH-11907]
  • raft: change freelist type to map and set nofreelistsync to true [GH-11895]
  • replication: Delay evaluation of X-Vault-Index headers until merkle sync completes.
  • secrets/rabbitmq: Add ability to customize dynamic usernames [GH-11899]
  • secrets/ad: Add rotate-role endpoint to allow rotations of service accounts. [GH-11942]
  • secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
  • secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
  • secrets/database/elasticsearch: Add ability to customize dynamic usernames [GH-11957]
  • secrets/database/influxdb: Add ability to customize dynamic usernames [GH-11796]
  • secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
  • secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
  • secrets/database/mongodbatlas: Adds the ability to customize username generation for dynamic users in MongoDB Atlas. [GH-11956]
  • secrets/database/redshift: Add ability to customize dynamic usernames [GH-12016]
  • secrets/database/snowflake: Add ability to customize dynamic usernames [GH-11997]
  • ssh: add support for templated values in SSH CA DefaultExtensions [GH-11495]
  • storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters
  • storage/raft: Support autopilot for HA only raft storage. [GH-11260]
  • ui: Add Validation to KV secret engine [GH-11785]
  • ui: Add database secret engine support for MSSQL [GH-11231]
  • ui: Add push notification message when selecting okta auth. [GH-11442]
  • ui: Add regex validation to Transform Template pattern input [GH-11586]
  • ui: Add specific error message if unseal fails due to license [GH-11705]
  • ui: Add validation support for open api form fields [GH-11963]
  • ui: Added auth method descriptions to UI login page [GH-11795]
  • ui: JSON fields on database can be cleared on edit [GH-11708]
  • ui: Obscure secret values on input and displayOnly fields like certificates. [GH-11284]
  • ui: Redesign of KV 2 Delete toolbar. [GH-11530]
  • ui: Replace tool partials with components. [GH-11672]
  • ui: Show description on secret engine list [GH-11995]
  • ui: Update ember to latest LTS and upgrade UI dependencies [GH-11447]
  • ui: Update partials to components [GH-11680]
  • ui: Updated ivy code mirror component for consistency [GH-11500]
  • ui: Updated node to v14, latest stable build [GH-12049]
  • ui: Updated search select component styling [GH-11360]
  • ui: add transform secrets engine to features list [GH-12003]
  • ui: add validations for duplicate path kv engine [GH-11878]
  • ui: show site-wide banners for license warnings if applicable [GH-11759]
  • ui: update license page with relevant autoload info [GH-11778]

DEPRECATIONS:

  • secrets/gcp: Deprecated the /gcp/token/:roleset and /gcp/key/:roleset paths for generating
    secrets for rolesets. Use /gcp/roleset/:roleset/token and /gcp/roleset/:roleset/key instead. [GH-12023]

BUG FIXES:

  • activity: Omit wrapping tokens and control groups from client counts [GH-11826]
  • agent/cert: Fix issue where the API client on agent was not honoring certificate
    information from the auto-auth config map on renewals or retries. [GH-11576]
  • agent/template: fix command shell quoting issue [GH-11838]
  • agent: Fixed agent templating to use configured tls servername values [GH-11288]
  • agent: fix timestamp format in log messages from the templating engine [GH-11838]
  • auth/approle: fixing dereference of nil pointer [GH-11864]
  • auth/jwt: Updates the hashicorp/cap library to v0.1.0 to
    bring in a verification key caching fix. [GH-11784]
  • auth/kubernetes: Fix AliasLookahead to correctly extract ServiceAccount UID when using ephemeral JWTs [[GH-1207...
Read more

v1.8.0-rc2

14 Jul 21:50
89492a0
Compare
Choose a tag to compare
v1.8.0-rc2 Pre-release
Pre-release

Release vault v1.8.0-rc2

v1.8.0-rc1

16 Jun 16:08
ad4b249
Compare
Choose a tag to compare
v1.8.0-rc1 Pre-release
Pre-release

Release vault v1.8.0-rc1

v1.7.3

16 Jun 16:20
5d517c8
Compare
Choose a tag to compare

Release vault v1.7.3

v1.7.2

21 May 20:30
db0e424
Compare
Choose a tag to compare

1.7.2

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for
    signing JWTs [GH-11494]

IMPROVEMENTS:

  • api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
  • auth/aws: Underlying error included in validation failure message. [GH-11638]
  • http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
  • secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
  • secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
  • secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]

BUG FIXES:

  • agent/cert: Fix issue where the API client on agent was not honoring certificate
    information from the auto-auth config map on renewals or retries. [GH-11576]
  • agent: Fixed agent templating to use configured tls servername values [GH-11288]
  • core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
  • identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
  • replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
  • secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
  • secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
  • secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
  • secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
  • storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
  • ui: Fix entity group membership and metadata not showing [GH-11641]
  • ui: Fix text link URL on database roles list [GH-11597]

v1.6.5

21 May 20:30
01ca3c4
Compare
Choose a tag to compare

1.6.5

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials API for
    signing JWTs [GH-11498]

BUG FIXES:

  • core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
  • secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
  • secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
  • ui: Fix namespace-bug on login [GH-11182]

v1.5.9

21 May 20:29
534a12a
Compare
Choose a tag to compare

1.5.9

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for
    signing JWTs [GH-11499]

BUG FIXES:

  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]