v1.11.5

1.11.5

November 2, 2022

IMPROVEMENTS:

• database/snowflake: Allow parallel requests to Snowflake [GH-17594]
• sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

BUG FIXES:

• core/managed-keys (enterprise): Return better error messages when encountering key creation failures
• core/managed-keys (enterprise): fix panic when having cache_disable true
• core: prevent memory leak when using control group factors in a policy [GH-17532]
• core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
• kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
• login: Store token in tokenhelper for interactive login MFA [GH-17040]
• secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
• secrets/pki: Do not read revoked certificates from backend when CRL is disabled [GH-17384]
• secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
• ui/keymgmt: Sets the defaultValue for type when creating a key. [GH-17407]
• ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]

v1.12.1

1.12.1

November 2, 2022

IMPROVEMENTS:

• api: Support VAULT_DISABLE_REDIRECTS environment variable (and --disable-redirects flag) to disable default client behavior and prevent the client following any redirection responses. [GH-17352]
• database/snowflake: Allow parallel requests to Snowflake [GH-17593]
• plugins: Add plugin version information to key plugin lifecycle log lines. [GH-17430]
• sdk/ldap: Added support for paging when searching for groups using group filters [GH-17640]

BUG FIXES:

• cli: Remove empty table heading for vault secrets list -detailed output. [GH-17577]
• core/managed-keys (enterprise): Return better error messages when encountering key creation failures
• core/managed-keys (enterprise): Switch to using hash length as PSS Salt length within the test/sign api for better PKCS#11 compatibility
• core: Fix panic caused in Vault Agent when rendering certificate templates [GH-17419]
• core: Fixes spurious warnings being emitted relating to "unknown or unsupported fields" for JSON config [GH-17660]
• core: prevent memory leak when using control group factors in a policy [GH-17532]
• core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
• kmip (enterprise): Fix a problem in the handling of attributes that caused Import operations to fail.
• kmip (enterprise): Fix selection of Cryptographic Parameters for Encrypt/Decrypt operations.
• login: Store token in tokenhelper for interactive login MFA [GH-17040]
• secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
• ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]

v1.10.8

1.10.8

November 2, 2022

BUG FIXES:

• core/managed-keys (enterprise): Return better error messages when encountering key creation failures
• core/managed-keys (enterprise): fix panic when having cache_disable true
• core: prevent memory leak when using control group factors in a policy [GH-17532]
• core: prevent panic during mfa after enforcement's namespace is deleted [GH-17562]
• login: Store token in tokenhelper for interactive login MFA [GH-17040]
• secrets/pki: Do not ignore provided signature bits value when signing intermediate and leaf certificates with a managed key [GH-17328]
• secrets/pki: Respond to tidy-status, tidy-cancel on PR Secondary clusters. [GH-17497]
• ui: Fixes oidc/jwt login issue with alternate mount path and jwt login via mount path tab [GH-17661]

v1.12.0

1.12.0

October 13, 2022

CHANGES:

• api: Exclusively use GET /sys/plugins/catalog endpoint for listing plugins, and add details field to list responses. [GH-17347]
• auth: GET /sys/auth/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• auth: GET /sys/auth endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• auth: POST /sys/auth/:type endpoint response contains a warning for Deprecated auth methods. [GH-17058]
• auth: auth enable returns an error and POST /sys/auth/:type endpoint reports an error for Pending Removal auth methods. [GH-17005]
• core/entities: Fixed stranding of aliases upon entity merge, and require explicit selection of which aliases should be kept when some must be deleted [GH-16539]
• core: Bump Go version to 1.19.2.
• core: Validate input parameters for vault operator init command. Vault 1.12 CLI version is needed to run operator init now. [GH-16379]
• identity: a request to /identity/group that includes member_group_ids that contains a cycle will now be responded to with a 400 rather than 500 [GH-15912]
• licensing (enterprise): Terminated licenses will no longer result in shutdown. Instead, upgrades will not be allowed if the license termination time is before the build date of the binary.
• plugins: Add plugin version to auth register, list, and mount table [GH-16856]
• plugins: GET /sys/plugins/catalog/:type/:name endpoint contains deprecation status for builtin plugins. [GH-17077]
• plugins: GET /sys/plugins/catalog/:type/:name endpoint now returns an additional version field in the response data. [GH-16688]
• plugins: GET /sys/plugins/catalog/ endpoint contains deprecation status in detailed list. [GH-17077]
• plugins: GET /sys/plugins/catalog endpoint now returns an additional detailed field in the response data with a list of additional plugin metadata. [GH-16688]
• plugins: plugin info displays deprecation status for builtin plugins. [GH-17077]
• plugins: plugin list now accepts a -detailed flag, which display deprecation status and version info. [GH-17077]
• secrets/azure: Removed deprecated AAD graph API support from the secrets engine. [GH-17180]
• secrets: All database-specific (standalone DB) secrets engines are now marked Pending Removal. [GH-17038]
• secrets: GET /sys/mounts/:name endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• secrets: GET /sys/mounts endpoint now returns an additional deprecation_status field in the response data for builtins. [GH-16849]
• secrets: POST /sys/mounts/:type endpoint response contains a warning for Deprecated secrets engines. [GH-17058]
• secrets: secrets enable returns an error and POST /sys/mount/:type endpoint reports an error for Pending Removal secrets engines. [GH-17005]

FEATURES:

• GCP Cloud KMS support for managed keys: Managed keys now support using GCP Cloud KMS keys
• LDAP Secrets Engine: Adds the ldap secrets engine with service account check-out functionality for all supported schemas. [GH-17152]
• OCSP Responder: PKI mounts now have an OCSP responder that implements a subset of RFC6960, answering single serial number OCSP requests for a specific cluster's revoked certificates in a mount. [GH-16723]
• Redis DB Engine: Adding the new Redis database engine that supports the generation of static and dynamic user roles and root credential rotation on a stand alone Redis server. [GH-17070]
• Redis ElastiCache DB Plugin: Added Redis ElastiCache as a built-in plugin. [GH-17075]
• Secrets/auth plugin multiplexing: manage multiple plugin configurations with a single plugin process [GH-14946]
• Transform Key Import (BYOK): The transform secrets engine now supports importing keys for tokenization and FPE transformations
• HCP (enterprise): Adding foundational support for self-managed vault nodes to securely communicate with HashiCorp Cloud Platform as an opt-in feature
• ui: UI support for Okta Number Challenge. [GH-15998]

IMPROVEMENTS:

• :core/managed-keys (enterprise): Allow operators to specify PSS signatures and/or hash algorithm for the test/sign api
• activity (enterprise): Added new clients unit tests to test accuracy of estimates
• agent/auto-auth: Add exit_on_err which when set to true, will cause Agent to exit if any errors are encountered during authentication. [GH-17091]
• agent: Added disable_idle_connections configuration to disable leaving idle connections open in auto-auth, caching and templating. [GH-15986]
• agent: Added disable_keep_alives configuration to disable keep alives in auto-auth, caching and templating. [GH-16479]
• agent: JWT auto auth now supports a remove_jwt_after_reading config option which defaults to true. [GH-11969]
• agent: Send notifications to systemd on start and stop. [GH-9802]
• api/mfa: Add namespace path to the MFA read/list endpoint [GH-16911]
• api: Add a sentinel error for missing KV secrets [GH-16699]
• auth/alicloud: Enables AliCloud roles to be compatible with Vault's role based quotas. [GH-17251]
• auth/approle: SecretIDs can now be generated with an per-request specified TTL and num_uses.
  When either the ttl and num_uses fields are not specified, the role's configuration is used. [GH-14474]
• auth/aws: PKCS7 signatures will now use SHA256 by default in prep for Go 1.18 [GH-16455]
• auth/azure: Enables Azure roles to be compatible with Vault's role based quotas. [GH-17194]
• auth/cert: Add metadata to identity-alias [GH-14751]
• auth/cert: Operators can now specify a CRL distribution point URL, in which case the cert auth engine will fetch and use the CRL from that location rather than needing to push CRLs directly to auth/cert. [GH-17136]
• auth/cf: Enables CF roles to be compatible with Vault's role based quotas. [GH-17196]
• auth/gcp: Add support for GCE regional instance groups [GH-16435]
• auth/gcp: Updates dependencies: google.golang.org/[email protected], github.com/hashicorp/[email protected]. [GH-17160]
• auth/jwt: Adds support for Microsoft US Gov L4 to the Azure provider for groups fetching. [GH-16525]
• auth/jwt: Improves detection of Windows Subsystem for Linux (WSL) for CLI-based logins. [GH-16525]
• auth/kerberos: add add_group_aliases config to include LDAP groups in Vault group aliases [GH-16890]
• auth/kerberos: add remove_instance_name parameter to the login CLI and the Kerberos config in Vault. This removes any instance names found in the keytab service principal name. [GH-16594]
• auth/kubernetes: Role resolution for K8S Auth [GH-156] [GH-17161]
• auth/oci: Add support for role resolution. [GH-17212]
• auth/oidc: Adds support for group membership parsing when using SecureAuth as an OIDC provider. [GH-16274]
• cli: CLI commands will print a warning if flags will be ignored because they are passed after positional arguments. [GH-16441]
• cli: auth and secrets list -detailed commands now show Deprecation Status for builtin plugins. [GH-16849]
• cli: vault plugin list now has a details field in JSON format, and version and type information in table format. [[GH-17347](https://github.com/hashicorp/vault...

v1.12.0-rc1

core: Parse VAULT_ALLOW_PENDING_REMOVAL_MOUNTS as bool (#17319) (#17365)

* docs: Update VAULT_ALLOW_PENDING_REMOVAL_MOUNTS doc

v1.11.4

backport of commit 7f22056686b5a8e71c66e73eeaab4403809b791c (#17039)

Co-authored-by: Troy Ready <[email protected]>

v1.10.7

backport of commit 6c399c1c3b1c24ee830ef62d7966687a01dc5833 (#17287)

Co-authored-by: Violet Hynes <[email protected]>

v1.9.10

Backport of #17138: Populate CRL data on backend startup (#17150)

* Load existing CRLs on startup and after invalidate (#17138)

* Load existing CRLs on startup and after invalidate

* changelog

* Populate during renew calls also (#17143)

* Remove unused config fetch

v1.11.3

Backport of UI/OIDC auth bug for hcp namespace flag into release/1.11…

v1.10.6

Backport of UI/OIDC auth bug for hcp namespace flag into release/1.10…