Releases: hashicorp/vault
v1.7.4
1.7.4
26 August 2021
SECURITY:
- UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and is fixed in this release (1.7.4) and in 1.6.6.
CHANGES:
- go: Update go version to 1.15.15 [GH-12411]
IMPROVEMENTS:
- ui: Updated node to v14, latest stable build [GH-12049]
BUG FIXES:
- replication (enterprise): Fix a panic that could occur when checking the last wal and the log shipper buffer is empty.
- cli: vault debug now puts newlines after every captured log line. [GH-12175]
- database/couchbase: change default template to truncate username at 128 characters [GH-12299]
- physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
- secrets/database/cassandra: Fixed issue where the PEM parsing logic of pem_bundle and pem_json didn't work for CA-only configurations [GH-11861]
- secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
- ui: Automatically refresh the page when user logs out [GH-12035]
- ui: Fix database role CG access [GH-12111]
- ui: Fixes metrics page when read on counter config not allowed [GH-12348]
- ui: fix control group access for database credential [GH-12024]
- ui: fix oidc login with Safari [GH-11884]
1.7.3
June 16th, 2021
CHANGES:
- go: Update go version to 1.15.13 [GH-11857]
IMPROVEMENTS:
- db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
- ui: Add specific error message if unseal fails due to license [GH-11705]
BUG FIXES:
- auth/jwt: Updates the hashicorp/cap library to v0.1.0 to bring in a verification key caching fix. [GH-11784]
- core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation.
- secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
- secrets/ad: Forward all creds requests to active node [GH-76] [GH-11836]
- tokenutil: Perform the num uses check before token type. [GH-11647]
v1.6.6
1.6.6
26 August 2021
SECURITY:
- UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and is fixed in this release (1.6.6) and in 1.7.4.
CHANGES:
- go: Update go version to 1.15.15 [GH-12423]
IMPROVEMENTS:
- db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
BUG FIXES:
- physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
- secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
- secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
- ui: Automatically refresh the page when user logs out [GH-12035]
- ui: Fixes metrics page when read on counter config not allowed [GH-12348]
- ui: fix oidc login with Safari [GH-11884]
v1.8.1
1.8.1
August 5th, 2021
CHANGES:
- go: Update go version to 1.16.6 [GH-12245]
IMPROVEMENTS:
- serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]
BUG FIXES:
- auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [GH-12026]
- auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12258]
- core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
- core: fix byte printing for diagnose disk checks [GH-12229]
- identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]
v1.8.0
1.8.0
July 28th, 2021
CHANGES:
- agent: Errors in the template engine will no longer cause agent to exit unless explicitly defined to do so. A new configuration parameter, exit_on_retry_failure, within the new top-level stanza, template_config, can be set to true in order to cause agent to exit. Note that for agent to exit if template.error_on_missing_key is set to true, exit_on_retry_failure must also be set to true. Otherwise, the template engine will log an error but then restart its internal runner. [GH-11775]
- agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
- core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to start Vault. More information is available in the Vault License FAQ
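The agent change above describes two settings that only work together: template.error_on_missing_key decides whether a missing key is a rendering error, and template_config.exit_on_retry_failure decides whether a persistent rendering error stops the agent or is merely logged while the runner restarts. The Vault Agent configuration below is an added example written for this page, not text from the release notes or the project; the Vault address, the AppRole file paths and the template paths are assumptions. It shows the combination that makes the agent exit (and so lets a process supervisor notice), with comments on what the default behaviour does instead.

```hcl
# Vault Agent configuration (1.8.0+). Example only; hostnames and paths are assumed.
vault {
  address = "https://vault.example.internal:8200"
}

auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault-agent/role_id"
      secret_id_file_path = "/etc/vault-agent/secret_id"
    }
  }
}

template_config {
  # Default is false: a template that keeps failing only logs an error and the
  # template runner restarts, so a stale or never-written destination file can
  # go unnoticed. true makes the agent exit instead, which is the fail-closed
  # choice when a supervisor (systemd, a container runtime) restarts it.
  exit_on_retry_failure = true

  # Added in 1.8.0: how often non-leased (static, e.g. KV) secrets are re-read.
  static_secret_render_interval = "5m"
}

template {
  source      = "/etc/vault-agent/app.ctmpl"
  destination = "/run/app/config.env"

  # Treat a key that is missing from the secret as an error rather than
  # rendering an empty value. On its own this only logs; it causes an exit
  # only because exit_on_retry_failure above is also true.
  error_on_missing_key = true
}
```

With exit_on_retry_failure left at its default, setting error_on_missing_key = true changes what is logged but not whether the agent keeps running, which is the trap the release note warns about.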
FEATURES:
- GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation of service account keys and access tokens. [GH-12023]
- Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
- License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
- MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
- Vault Diagnose: A new vault operator command to detect common issues with vault server setups.
IMPROVEMENTS:
- agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
- agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
- api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
- auth/aws: Underlying error included in validation failure message. [GH-11638]
- cli/api: Add lease lookup command [GH-11129]
- core: Add prefix_filter to telemetry config [GH-12025]
- core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
- core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
- core (enterprise): Add controlled capabilities to control group policy stanza
- core: Add metrics for standby node forwarding. [GH-11366]
- core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
- core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
- core: add irrevocable lease list and count apis [GH-11607]
- core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
- db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
- go: Update to Go 1.16.5 [GH-11802]
- raft: Improve raft batch size selection [GH-11907]
- raft: change freelist type to map and set nofreelistsync to true [GH-11895]
- replication: Delay evaluation of X-Vault-Index headers until merkle sync completes.
- secrets/rabbitmq: Add ability to customize dynamic usernames [GH-11899]
- secrets/ad: Add rotate-role endpoint to allow rotations of service accounts. [GH-11942]
- secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
- secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
- secrets/database/elasticsearch: Add ability to customize dynamic usernames [GH-11957]
- secrets/database/influxdb: Add ability to customize dynamic usernames [GH-11796]
- secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
- secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
- secrets/database/mongodbatlas: Adds the ability to customize username generation for dynamic users in MongoDB Atlas. [GH-11956]
- secrets/database/redshift: Add ability to customize dynamic usernames [GH-12016]
- secrets/database/snowflake: Add ability to customize dynamic usernames [GH-11997]
- ssh: add support for templated values in SSH CA DefaultExtensions [GH-11495]
- storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters
- storage/raft: Support autopilot for HA only raft storage. [GH-11260]
- ui: Add Validation to KV secret engine [GH-11785]
- ui: Add database secret engine support for MSSQL [GH-11231]
- ui: Add push notification message when selecting okta auth. [GH-11442]
- ui: Add regex validation to Transform Template pattern input [GH-11586]
- ui: Add specific error message if unseal fails due to license [GH-11705]
- ui: Add validation support for open api form fields [GH-11963]
- ui: Added auth method descriptions to UI login page [GH-11795]
- ui: JSON fields on database can be cleared on edit [GH-11708]
- ui: Obscure secret values on input and displayOnly fields like certificates. [GH-11284]
- ui: Redesign of KV 2 Delete toolbar. [GH-11530]
- ui: Replace tool partials with components. [GH-11672]
- ui: Show description on secret engine list [GH-11995]
- ui: Update ember to latest LTS and upgrade UI dependencies [GH-11447]
- ui: Update partials to components [GH-11680]
- ui: Updated ivy code mirror component for consistency [GH-11500]
- ui: Updated node to v14, latest stable build [GH-12049]
- ui: Updated search select component styling [GH-11360]
- ui: add transform secrets engine to features list [GH-12003]
- ui: add validations for duplicate path kv engine [GH-11878]
- ui: show site-wide banners for license warnings if applicable [GH-11759]
- ui: update license page with relevant autoload info [GH-11778]
DEPRECATIONS:
- secrets/gcp: Deprecated the /gcp/token/:roleset and /gcp/key/:roleset paths for generating secrets for rolesets. Use /gcp/roleset/:roleset/token and /gcp/roleset/:roleset/key instead. [GH-12023]
BUG FIXES:
- activity: Omit wrapping tokens and control groups from client counts [GH-11826]
- agent/cert: Fix issue where the API client on agent was not honoring certificate information from the auto-auth config map on renewals or retries. [GH-11576]
- agent/template: fix command shell quoting issue [GH-11838]
- agent: Fixed agent templating to use configured tls servername values [GH-11288]
- agent: fix timestamp format in log messages from the templating engine [GH-11838]
- auth/approle: fixing dereference of nil pointer [GH-11864]
- auth/jwt: Updates the hashicorp/cap library to v0.1.0 to bring in a verification key caching fix. [GH-11784]
- auth/kubernetes: Fix AliasLookahead to correctly extract ServiceAccount UID when using ephemeral JWTs [[GH-1207...
v1.8.0-rc2
Release vault v1.8.0-rc2
v1.8.0-rc1
Release vault v1.8.0-rc1
v1.7.3
Release vault v1.7.3
v1.7.2
1.7.2
May 20th, 2021
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).
CHANGES:
- agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
- auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for signing JWTs [GH-11494]
IMPROVEMENTS:
- api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
- auth/aws: Underlying error included in validation failure message. [GH-11638]
- http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
- secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
- secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
- secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
BUG FIXES:
- agent/cert: Fix issue where the API client on agent was not honoring certificate information from the auto-auth config map on renewals or retries. [GH-11576]
- agent: Fixed agent templating to use configured tls servername values [GH-11288]
- core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
- core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
- identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
- replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
- secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
- secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
- secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
- secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
- storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
- ui: Fix entity group membership and metadata not showing [GH-11641]
- ui: Fix text link URL on database roles list [GH-11597]
v1.6.5
1.6.5
May 20th, 2021
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).
CHANGES:
- agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
- auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials API for signing JWTs [GH-11498]
BUG FIXES:
- core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
- core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
- secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
- secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
- ui: Fix namespace-bug on login [GH-11182]
v1.5.9
1.5.9
May 20th, 2021
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).
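The Non-Expiring Leases advisory carried by the 1.7.2, 1.6.5 and 1.5.9 notes above (CVE-2021-32923, fixed by "correct logic for renewal of leases nearing their expiration time", GH-11650) is an instance of a classic sentinel bug: a TTL of zero is both a legitimate arithmetic result (the lease had less than a second left, rounded down) and the value that means "no expiration". The Go program below is an added illustration written for this page, not Vault's renewal code: the Lease type, the zero-ExpireTime convention, capIncrement, renewVulnerable and renewFixed are all assumptions of the example. It renews a constructed database credential half a second before its max TTL and shows the vulnerable path turning it into a lease that expiry scheduling would never revoke, next to a fixed path that fails closed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lease models only the fields renewal needs. A zero ExpireTime stands for
// "never expires" (the convention this example assumes; the struct is a
// stand-in for a lease entry, not Vault's own type).
type Lease struct {
	ID         string
	IssueTime  time.Time
	ExpireTime time.Time
	MaxTTL     time.Duration
}

// ErrLeaseExpired is returned when a renewal would yield no usable TTL.
var ErrLeaseExpired = errors.New("lease is at its max TTL and cannot be renewed")

// capIncrement clamps the requested increment so the lease never outlives
// IssueTime + MaxTTL, then truncates to whole seconds, as API TTLs are.
// Truncation is where a sub-second remainder collapses to 0.
func capIncrement(l Lease, now time.Time, increment time.Duration) time.Duration {
	maxValid := l.IssueTime.Add(l.MaxTTL)
	if now.Add(increment).After(maxValid) {
		increment = maxValid.Sub(now)
	}
	return increment.Truncate(time.Second)
}

// renewVulnerable reproduces the failure mode described in CVE-2021-32923.
// Less than a second before max TTL the capped increment truncates to 0, and
// a zero TTL falls into the "0 means no expiration" branch, so the lease is
// stored as never expiring and is never revoked.
func renewVulnerable(l Lease, now time.Time, increment time.Duration) Lease {
	ttl := capIncrement(l, now, increment)
	if ttl == 0 {
		l.ExpireTime = time.Time{} // BUG: an exhausted lease becomes eternal
		return l
	}
	l.ExpireTime = now.Add(ttl)
	return l
}

// renewFixed treats a zero or negative TTL as what it is: the lease has run
// out. Renewal fails closed and the caller must obtain a new credential.
func renewFixed(l Lease, now time.Time, increment time.Duration) (Lease, error) {
	ttl := capIncrement(l, now, increment)
	if ttl <= 0 {
		return l, ErrLeaseExpired
	}
	l.ExpireTime = now.Add(ttl)
	return l, nil
}

// NeverExpires reports whether expiry scheduling would ignore this lease.
func NeverExpires(l Lease) bool { return l.ExpireTime.IsZero() }

func main() {
	// Constructed sample: a credential with a 24h max TTL, renewed 500ms
	// before it reaches that limit (the timing that triggers the bug).
	issue := time.Date(2021, 5, 20, 0, 0, 0, 0, time.UTC)
	lease := Lease{
		ID:         "database/creds/app/constructed-example-id",
		IssueTime:  issue,
		ExpireTime: issue.Add(time.Hour),
		MaxTTL:     24 * time.Hour,
	}
	now := issue.Add(24*time.Hour - 500*time.Millisecond)

	bad := renewVulnerable(lease, now, time.Hour)
	fmt.Printf("vulnerable renewal: never expires = %v\n", NeverExpires(bad))

	if _, err := renewFixed(lease, now, time.Hour); err != nil {
		fmt.Printf("fixed renewal: %v\n", err)
	}
}
```

The operational follow-up after upgrading is to look for leases that already fell into this state, since a patched server does not retroactively revoke them: a lease whose lookup (sys/leases/lookup, or the lease lookup command added in 1.8.0 under GH-11129 above) reports no expire_time for a credential that was meant to be short-lived should be revoked by hand.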
CHANGES:
- agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
- auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for signing JWTs [GH-11499]
BUG FIXES:
- core: correct logic for renewal of leases nearing their expiration time. [GH-11650]