Releases: hashicorp/vault
v1.13.3
June 08, 2023
CHANGES:
- core: Bump Go version to 1.20.4.
- core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
- replication (enterprise): Add a new parameter for the update-primary API call that allows for setting of the primary cluster addresses directly, instead of via a token.
- storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]
IMPROVEMENTS:
- Add debug symbols back to builds to fix Dynatrace support [GH-20519]
- audit: add a `mount_point` field to audit requests and response entries [GH-20411]
- autopilot: Update version to v0.2.0 to add better support for respecting min quorum [GH-19472]
- command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when `VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [GH-20609]
- core: Add possibility to decode a generated encoded root token via the rest API [GH-20595]
- core: include namespace path in granting_policies block of audit log
- core: report intermediate error messages during request forwarding [GH-20643]
- openapi: Fix generated types for duration strings [GH-20841]
- sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
- secrets/pki: add subject key identifier to read key response [GH-20642]
BUG FIXES:
- api: Properly Handle nil identity_policies in Secret Data [GH-20636]
- auth/ldap: Set default value for `max_page_size` properly [GH-20453]
- cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
- cli: disable printing flags warnings messages for the ssh command [GH-20502]
- command/server: fixes panic in Vault server command when running in recovery mode [GH-20418]
- core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
- core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
- core (enterprise): Remove MFA Enforcement configuration for namespace when deleting namespace
- core/identity: Allow updates of only the custom-metadata for entity alias. [GH-20368]
- core: Fix Forwarded Writer construction to correctly find active nodes, allowing PKI cross-cluster functionality to succeed on existing mounts.
- core: Fix writes to readonly storage on performance standbys when user lockout feature is enabled. [GH-20783]
- core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
- replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
- replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
- secrets/pki: Include per-issuer enable_aia_url_templating in issuer read endpoint. [GH-20354]
- secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
- secrets/transform: Added importing of keys and key versions into the Transform secrets engine using the command 'vault transform import' and 'vault transform import-version'. [GH-20668]
- secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
  secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
  sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
- ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
- ui: fixes issue creating mfa login enforcement from method enforcements tab [GH-20603]
- ui: fixes key_bits and signature_bits reverting to default values when editing a pki role [GH-20907]
v1.12.7
June 08, 2023
CHANGES:
- core: Bump Go version to 1.19.9.
- core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
IMPROVEMENTS:
- audit: add a `mount_point` field to audit requests and response entries [GH-20411]
- command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when `VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [GH-20609]
- core: include namespace path in granting_policies block of audit log
- openapi: Fix generated types for duration strings [GH-20841]
- sdk/framework: Fix non-deterministic ordering of 'required' fields in OpenAPI spec [GH-20881]
- secrets/pki: add subject key identifier to read key response [GH-20642]
- ui: update TTL picker for consistency [GH-18114]
BUG FIXES:
- api: Properly Handle nil identity_policies in Secret Data [GH-20636]
- auth/ldap: Set default value for `max_page_size` properly [GH-20453]
- cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
- cli: disable printing flags warnings messages for the ssh command [GH-20502]
- core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
- core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
- core (enterprise): Remove MFA Enforcement configuration for namespace when deleting namespace
- core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
- replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
- replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
- secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
- secrets/transit: Fix export of HMAC-only key, correctly exporting the key used for sign operations. For consumers of the previously incorrect key, use the plaintext export to retrieve these incorrect keys and import them as new versions.
  secrets/transit: Fix bug related to shorter dedicated HMAC key sizing.
  sdk/helper/keysutil: New HMAC type policies will have HMACKey equal to Key and be copied over on import. [GH-20864]
- ui: Fixes issue unsealing cluster for seal types other than shamir [GH-20897]
v1.11.11
June 08, 2023
CHANGES:
- core: Bump Go version to 1.19.9.
- core: Revert #19676 (VAULT_GRPC_MIN_CONNECT_TIMEOUT env var) as we decided it was unnecessary. [GH-20826]
IMPROVEMENTS:
- command/server: Add support for dumping pprof files to the filesystem via SIGUSR2 when `VAULT_PPROF_WRITE_TO_FILE=true` is set on the server. [GH-20609]
- secrets/pki: add subject key identifier to read key response [GH-20642]
- ui: update TTL picker for consistency [GH-18114]
BUG FIXES:
- api: Properly Handle nil identity_policies in Secret Data [GH-20636]
- auth/ldap: Set default value for `max_page_size` properly [GH-20453]
- cli: CLI should take days as a unit of time for ttl like flags [GH-20477]
- core (enterprise): Fix log shipper buffer size overflow issue for 32 bit architecture.
- core (enterprise): Fix logshipper buffer size to default to DefaultBufferSize only when reported system memory is zero.
- core (enterprise): Remove MFA Enforcement configuration for namespace when deleting namespace
- core: prevent panic on login after namespace is deleted that had mfa enforcement [GH-20375]
- replication (enterprise): Fix a race condition with invalid tokens during WAL streaming that was causing Secondary clusters to be unable to connect to a Primary.
- replication (enterprise): fix bug where secondary grpc connections would timeout when connecting to a primary host that no longer exists.
- secrets/transform (enterprise): Fix a caching bug affecting secondary nodes after a tokenization key rotation
v1.13.2
April 26, 2023
CHANGES:
- core: Bump Go version to 1.20.3.
IMPROVEMENTS:
- Add debug symbols back to builds to fix Dynatrace support [GH-20294]
- cli/namespace: Add detailed flag to output additional namespace information such as namespace IDs and custom metadata. [GH-20243]
- core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
- core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the `/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [GH-20044]
- core: include reason for ErrReadOnly on PBPWF writing failures
- sdk/ldaputil: added `connection_timeout` to tune connection timeout duration for all LDAP plugins. [GH-20144]
- secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [GH-20201]
- sys/wrapping: Add example how to unwrap without authentication in Vault [GH-20109]
- ui: Allows license-banners to be dismissed. Saves preferences in localStorage. [GH-19116]
BUG FIXES:
- auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
- command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows [GH-20257]
- core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
- core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
- core/seal: Fix handling of HMACing of seal-wrapped storage entries from HSMs using CKM_AES_CBC or CKM_AES_CBC_PAD.
- core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter` resulting in 412 errors.
- core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
- helper/random: Fix race condition in string generator helper [GH-19875]
- kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
- pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [GH-20220]
- replication (enterprise): Fix a caching issue when replicating filtered data to a performance secondary. This resulted in the data being set to nil in the cache and an "invalid value" error being returned from the API.
- replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
- sdk/helper/ocsp: Workaround bug in Go's ocsp.ParseResponse(...), causing validation to fail with embedded CA certificates.
  auth/cert: Fix OCSP validation against Vault's PKI engine. [GH-20181]
- secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place. [GH-20034]
- secrets/pki: Ensure cross-cluster delta WAL write failure only logs to avoid unattended forwarding. [GH-20057]
- secrets/pki: Fix building of unified delta CRLs and recovery during unified delta WAL write failures. [GH-20058]
- secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
- secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
- ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
- ui: Fix bad link to namespace when namespace name includes `.` [GH-19799]
- ui: fixes browser console formatting for help command output [GH-20064]
- ui: fixes remaining doc links to include /vault in path [GH-20070]
- ui: remove use of htmlSafe except when first sanitized [GH-20235]
- website/docs: Fix Kubernetes Auth Code Example to use the correct whitespace in import. [GH-20216]
v1.12.6
April 26, 2023
CHANGES:
- core: Bump Go version to 1.19.8.
IMPROVEMENTS:
- cli/namespace: Add detailed flag to output additional namespace information such as namespace IDs and custom metadata. [GH-20243]
- core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
- core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the `/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [GH-20044]
- sdk/ldaputil: added `connection_timeout` to tune connection timeout duration for all LDAP plugins. [GH-20144]
- secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [GH-20201]
BUG FIXES:
- auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
- command/server: Fix incorrect paths in generated config for `-dev-tls` flag on Windows [GH-20257]
- core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
- core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
- core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter` resulting in 412 errors.
- core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
- helper/random: Fix race condition in string generator helper [GH-19875]
- kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
- openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [GH-18554]
- pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [GH-20220]
- replication (enterprise): Fix a caching issue when replicating filtered data to a performance secondary. This resulted in the data being set to nil in the cache and an "invalid value" error being returned from the API.
- replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
- secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
- secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
- ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
- ui: Fix bad link to namespace when namespace name includes `.` [GH-19799]
- ui: fixes browser console formatting for help command output [GH-20064]
- ui: remove use of htmlSafe except when first sanitized [GH-20235]
v1.11.10
April 26, 2023
CHANGES:
- core: Bump Go version to 1.19.8.
IMPROVEMENTS:
- cli/namespace: Add detailed flag to output additional namespace information such as namespace IDs and custom metadata. [GH-20243]
- core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
- core: Add a `raft` sub-field to the `storage` and `ha_storage` details provided by the `/sys/config/state/sanitized` endpoint in order to include the `max_entry_size`. [GH-20044]
- sdk/ldaputil: added `connection_timeout` to tune connection timeout duration for all LDAP plugins. [GH-20144]
BUG FIXES:
- auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
- core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT `new_token` forwarding is set. When this occurred, this would result in the following error to the client: `error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue`.
- core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
- core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert `sscGenCounter` resulting in 412 errors.
- core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
- helper/random: Fix race condition in string generator helper [GH-19875]
- openapi: Fix many incorrect details in generated API spec, by using better techniques to parse path regexps [GH-18554]
- replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
- secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
- secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
- ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
- ui: Fix bad link to namespace when namespace name includes `.` [GH-19799]
- ui: fixes browser console formatting for help command output [GH-20064]
- ui: remove use of htmlSafe except when first sanitized [GH-20235]
v1.13.1
March 29, 2023
IMPROVEMENTS:
- auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
  website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [GH-19244]
- core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
- core: validate name identifiers in mssql physical storage backend prior to use [GH-19591]
- database/elasticsearch: Update error messages resulting from Elasticsearch API errors [GH-19545]
- events: Suppress log warnings triggered when events are sent but the events system is not enabled. [GH-19593]
BUG FIXES:
- agent: Fix panic when SIGHUP is issued to Agent while it has a non-TLS listener. [GH-19483]
- core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
- core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
- kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
- kmip (enterprise): Fix a problem forwarding some requests to the active node.
- openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
- secrets/ldap: Invalidates WAL entry for static role if `password_policy` has changed. [GH-19640]
- secrets/pki: Fix PKI revocation request forwarding from standby nodes due to an error wrapping bug [GH-19624]
- secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
- ui: Fixes crypto.randomUUID error in unsecure contexts from third party ember-data library [GH-19428]
- ui: fixes SSH engine config deletion [GH-19448]
- ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
- ui: fixes oidc tabs in auth form submitting with the root's default_role value after a namespace has been inputted [GH-19541]
- ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
- ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
v1.12.5
March 29, 2023
IMPROVEMENTS:
- auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
  website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [GH-19244]
- core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
- core: validate name identifiers in mssql physical storage backend prior to use [GH-19591]
BUG FIXES:
- cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [GH-17913]
- core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
- core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
- kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
- kmip (enterprise): Fix a problem forwarding some requests to the active node.
- openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
- secrets/ldap: Invalidates WAL entry for static role if `password_policy` has changed. [GH-19641]
- secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
- ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
- ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
- ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
v1.11.9
March 29, 2023
IMPROVEMENTS:
- auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id
  website/docs: Add docs for `VAULT_AUTH_CONFIG_GITHUB_TOKEN` environment variable when writing Github config [GH-19244]
- core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
- core: validate name identifiers in mssql physical storage backend prior to use [GH-19591]
BUG FIXES:
- auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [#190] [GH-19720]
- cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [GH-17913]
- core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
- core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
- openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
- secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
- ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
- ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
- ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
v1.13.0
March 01, 2023
SECURITY:
- secrets/ssh: removal of the deprecated dynamic keys mode. When any remaining dynamic key leases expire, an error stating `secret is unsupported by this backend` will be thrown by the lease manager. [GH-18874]
CHANGES:
- auth/alicloud: require the `role` field on login [GH-19005]
- auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
- auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users. This will only be used internally for implementing user lockout. [GH-17104]
- core: Bump Go version to 1.20.1.
- core: Vault version has been moved out of sdk and into main vault module. Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. [GH-14229]
- logging: Removed legacy environment variable for log format ('LOGXI_FORMAT'), should use 'VAULT_LOG_FORMAT' instead [GH-17822]
- plugins: Mounts can no longer be pinned to a specific builtin version. Mounts previously pinned to a specific builtin version will now automatically upgrade to the latest builtin version, and may now be overridden if an unversioned plugin of the same name and type is registered. Mounts using plugin versions without `builtin` in their metadata remain unaffected. [GH-18051]
- plugins: `GET /database/config/:name` endpoint now returns an additional `plugin_version` field in the response data. [GH-16982]
- plugins: `GET /sys/auth/:path/tune` and `GET /sys/mounts/:path/tune` endpoints may now return an additional `plugin_version` field in the response data if set. [GH-17167]
- plugins: `GET` for `/sys/auth`, `/sys/auth/:path`, `/sys/mounts`, and `/sys/mounts/:path` paths now return additional `plugin_version`, `running_plugin_version` and `running_sha256` fields in the response data for each mount. [GH-17167]
- sdk: Remove version package, make useragent.String versionless. [GH-19068]
- secrets/aws: do not create leases for non-renewable/non-revocable STS credentials to reduce storage calls [GH-15869]
- secrets/gcpkms: Updated plugin from v0.13.0 to v0.14.0 [GH-19063]
- sys/internal/inspect: Turns off this endpoint by default. A SIGHUP can now be used to reload the configs and turn this endpoint on.
- ui: Upgrade Ember to version 4.4.0 [GH-17086]
FEATURES:
- Azure Auth Managed Identities: Allow any Azure resource that supports managed identities to authenticate with Vault [GH-19077]
- Azure Auth Rotate Root: Add support for rotate root in Azure Auth engine [GH-19077]
- Event System (Alpha): Vault has a new opt-in experimental event system. Not yet suitable for production use. Events are currently only generated on writes to the KV secrets engine, but external plugins can also be updated to start generating events. [GH-19194]
- GCP Secrets Impersonated Account Support: Add support for GCP service account impersonation, allowing callers to generate a GCP access token without requiring Vault to store or retrieve a GCP service account key for each role. [GH-19018]
- Kubernetes Secrets Engine UI: Kubernetes is now available in the UI as a supported secrets engine. [GH-17893]
- New PKI UI: Add beta support for new and improved PKI UI [GH-18842]
- PKI Cross-Cluster Revocations: Revocation information can now be synchronized across primary and performance replica clusters offering a unified CRL/OCSP view of revocations across cluster boundaries. [GH-19196]
- Server UDS Listener: Adding listener to Vault server to serve http request via unix domain socket [GH-18227]
- Transit managed keys: The transit secrets engine now supports configuring and using managed keys
- User Lockout: Adds support to configure the user-lockout behaviour for failed logins to prevent brute force attacks for userpass, approle and ldap auth methods. [GH-19230]
- VMSS Flex Authentication: Adds support for Virtual Machine Scale Set Flex Authentication [GH-19077]
- Namespaces (enterprise): Added the ability to allow access to secrets and more to be shared across namespaces that do not share a namespace hierarchy. Using the new `sys/config/group-policy-application` API, policies can be configured to apply outside of namespace hierarchy, allowing this kind of cross-namespace sharing.
- OpenAPI-based Go & .NET Client Libraries (Beta): We have now made available two new OpenAPI-based Go & .NET Client libraries (beta). You can use them to perform various secret management operations easily from your applications.
IMPROVEMENTS:
- Redis ElastiCache DB Engine: Renamed configuration parameters for disambiguation; old parameters still supported for compatibility. [GH-18752]
- Bump github.com/hashicorp/go-plugin version from 1.4.5 to 1.4.8 [GH-19100]
- Reduced binary size [GH-17678]
- agent/config: Allow config directories to be specified with -config, and allow multiple -configs to be supplied. [GH-18403]
- agent: Add note in logs when starting Vault Agent indicating if the version differs to the Vault Server. [GH-18684]
- agent: Added `token_file` auto-auth configuration to allow using a pre-existing token for Vault Agent. [GH-18740]
- agent: Agent listeners can now be given the `metrics_only` role, serving only metrics, as part of the listener's new top level `role` option. [GH-18101]
- agent: Configured Vault Agent listeners now listen without the need for caching to be configured. [GH-18137]
- agent: allows some parts of config to be reloaded without requiring a restart. [GH-18638]
- agent: fix incorrectly used loop variables in parallel tests and when finalizing seals [GH-16872]
- api: Remove dependency on sdk module. [GH-18962]
- api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
- audit: Add `elide_list_responses` option, providing a countermeasure for a common source of oversized audit log entries [GH-18128]
- audit: Include stack trace when audit logging recovers from a panic. [GH-18121]
- auth/alicloud: upgrades dependencies [GH-18021]
- auth/azure: Adds support for authentication with Managed Service Identity (MSI) from a Virtual Machine Scale Set (VMSS) in flexible orchestration mode. [GH-17540]
- auth/azure: upgrades dependencies [GH-17857]
- auth/cert: Add configurable support for validating client certs with OCSP. [GH-17093]
- auth/cert: Support listing provisioned CRLs within the mount. [GH-18043]
- auth/cf: Remove incorrect usage of CreateOperation from path_config [GH-19098]
- auth/gcp: Upgrades dependencies [GH-17858]
- auth/oidc: Adds `abort_on_error` parameter to CLI login command to help in non-interactive contexts [GH-19076]
- auth/oidc: Adds ability to set Google Workspace domain for groups search [GH-19076]
- auth/token (enterprise): Allow batch token creation in perfStandby nodes
- auth: Allow naming login MFA methods and using those names instead of IDs in satisfying MFA requirement for requests. Make passcode arguments consistent across login MFA method types. [GH-18610]
- auth: Provide an IP address of the requests from Vault to a Duo challenge after successful authentication. [GH-18811]
- autopilot: Update version to v.0.2.0 to add better support for respecting min quorum
- cli/kv: improve kv CLI to remove data or custom metadata using kv patch [GH-18067]
- cli/pki: Add List-Intermedi...