The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions 1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668)
The Cassandra Database and Storage backends were not correctly verifying TLS certificates. This issue affects all versions of Vault and Vault Enterprise and was fixed in versions 1.6.4 and 1.7.1. (CVE-2021-27400)
core: Fix cleanup of storage entries from cubbyholes within namespaces. [GH-11408]
core: Fix goroutine leak when updating rate limit quota [GH-11371]
core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [GH-11377]
core: requests forwarded by standby weren't always timed out. [GH-11322]
pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [GH-11367]
replication: Fix: mounts created within a namespace that was part of an Allow filtering rule would not appear on performance secondary if created after rule was defined. [GH-1807]
replication: Perf standby nodes on newly enabled DR secondary sometimes couldn't connect to active node with TLS errors. [GH-1823]
secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [GH-11365]
secrets/database/cassandra: Updated default statement for password rotation to allow for special characters. This applies to root and static credentials. [GH-11262]
storage/dynamodb: Handle throttled batch write requests by retrying, without which writes could be lost. [GH-10181]
storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [GH-11252]
ui: Add root rotation statements support to appropriate database secret engine plugins [GH-11404]
ui: Fix bug where the UI does not recognize version 2 KV until refresh, and fix [object Object] error message [GH-11258]
ui: Fix footer URL linking to the correct version changelog. [GH-11283]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
Bumps github.com/hashicorp/vault from 1.7.0 to 1.7.1.
Release notes
Sourced from github.com/hashicorp/vault's releases.
Changelog
Sourced from github.com/hashicorp/vault's changelog.
Commits
- 9171422 core/token: fix panic looking up invalid batch tokens (#11415) (#11417)
- 6977c11 stage: update GO_VERSION_MIN and sdk dep (#11414)
- b296e15 Make cubbyhole revocation/tidying compatible with cubbys in namespaces. (#114...
- 8f371c3 Backport 1.7.1: Add root rotation statements support to database secret engin...
- 0739917 Add support for unauthenticated pprof access on a per-listener basis,… (#1132...
- 224e04e Cassandra DB plugin: Allow special chars in usernames (#11262) (#11385)
- 9c9675f Backport (1.7.x): Validate hostnames when using TLS in Cassandra #11365 (#11390)
- af3f8c4 Update to Go 1.15.11 (#11395)
- 3144d8f pki: fix tidy removal on revoked entries (#11367) (#11400)
- 7f6a5e3 Updates the JWT/OIDC auth plugin to v0.9.3 (#11388) (#11399)