SECURITY:
UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.
core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
BUG FIXES:
auth/aws: fix config/rotate-root to store new key [GH-12715]
core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
core: Fix a deadlock on HA leadership transfer [GH-12691]
http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
kmip (enterprise): Forward KMIP register operations to the active node
secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12957]
storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
1.7.5
29 September 2021
SECURITY:
core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
IMPROVEMENTS:
secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]
BUG FIXES:
agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
core (enterprise): Fix bug where password generation through password policies does not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
core (enterprise): Only delete quotas on primary cluster. [GH-12339]
identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
raft (enterprise): Fix panic when updating auto-snapshot config
secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #28 [GH-12598]
storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/cruise-automation/isopod/network/alerts).
Bumps github.com/hashicorp/vault from 0.11.4 to 1.7.6.
Release notes
Sourced from github.com/hashicorp/vault's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault's changelog.
... (truncated)
Commits
- 2c49e3f updating go.mod for 1.7.6 (#13005)
- 6bcf308 updating version (#12997)
- fe735a9 go-kms-wrapping update for Azure Key Vault's Managed HSM offering [backport 1...
- 1c7a0da Backport 1.7.x: Fix auth/aws so that config/rotate-root saves new key pair (#...
- 4bc866b Backport 12834 17x (#12870)
- 6d76709 Update dependency go-mssqldb to v0.11.0 in release/1.7.x (#12874)
- 6a575c6 [VAULT-3252] Disallow alias creation if entity/accessor combination exists (#...
- a1488e2 UI update changelog link (#12766) (#12776)
- 6a45bae build: update base image: debian:bullseye-20210927 (#12737)
- 4a28f6c Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3) (#12413)
...