auth/aws: fix config/rotate-root to store new key [GH-12715]
core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
identity/token: Adds missing call to unlock mutex in key deletion error handling [GH-12916]
kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
kmip (enterprise): Forward KMIP register operations to the active node
secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12952]
transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
v1.8.4
1.8.4
6 October 2021
IMPROVEMENTS:
core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [GH-12724]
BUG FIXES:
core: Fix a deadlock on HA leadership transfer [GH-12691]
database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
pki: Fix regression preventing email addresses being used as a common name within certificates [GH-12716]
storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
ui: Fix bug where edit role form on auth method is invalid by default [GH-12646]
v1.8.3
1.8.3
29 September 2021
IMPROVEMENTS:
secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]
BUG FIXES:
agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
core (enterprise): Allow deletion of stored licenses on DR secondary nodes
core (enterprise): Fix bug where password generation through password policies does not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
core (enterprise): Only delete quotas on primary cluster. [GH-12339]
identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
raft (enterprise): Fix panic when updating auto-snapshot config
secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
BUG FIXES:
auth/aws: fix config/rotate-root to store new key [GH-12715]
core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
identity/token: Adds missing call to unlock mutex in key deletion error handling [GH-12916]
kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
kmip (enterprise): Forward KMIP register operations to the active node
secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12952]
transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
1.8.4
6 October 2021
SECURITY:
core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
IMPROVEMENTS:
core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [GH-12724]
BUG FIXES:
core: Fix a deadlock on HA leadership transfer [GH-12691]
database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
pki: Fix regression preventing email addresses being used as a common name within certificates [GH-12716]
storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
ui: Fix bug where edit role form on auth method is invalid by default [GH-12646]
1.8.3
29 September 2021
IMPROVEMENTS:
secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]
BUG FIXES:
agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
core (enterprise): Allow deletion of stored licenses on DR secondary nodes
... (truncated)
Commits
647eccf update Go version from 1.16.7 to 1.16.9 (#13029)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/cruise-automation/isopod/network/alerts).
Bumps github.com/hashicorp/vault from 0.11.4 to 1.8.5.
Release notes
Sourced from github.com/hashicorp/vault's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault's changelog.
... (truncated)
Commits
647eccf update Go version from 1.16.7 to 1.16.9 (#13029)
0f4e4c6 bump to go 1.16.9 (#13028)
03a718d go get sdk@release/1.8.x (#12994)
6654f4b 1.8.5 version bump (#12986)
bebf096 Fix go.mod, go.sum after go-kms-wrapping update (#12958)
94f2ef9 go-kms-wrapping update for Azure Key Vault's Managed HSM offering [backport 1...
e777d3b Adds missing unlock of RWMutex in OIDC delete key (#12916) (#12922)
dd80dbf Backport 12834 18x (#12869)
3a186fa Update dependency go-mssqldb to v0.11.0 in release/1.8.x (#12873)
c4cf784 Backport 1.8.x: Fix auth/aws so that config/rotate-root saves new key pair (#...