Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
leases and dynamic secret leases with a zero-second TTL, causing them to be
treated as non-expiring, and never revoked. This issue affects Vault and Vault
Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
1.7.2 (CVE-2021-32923).
CHANGES:
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for
signing JWTs [GH-11499]
BUG FIXES:
core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
v1.5.8
Release vault v1.5.8
v1.5.7
SECURITY:
IP Address Disclosure: We fixed a vulnerability where, under some error
conditions, Vault would return an error message disclosing internal IP
addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
1.6.2 and 1.5.7 (CVE-2021-3024).
Mount Path Disclosure: Vault previously returned different HTTP status codes for
existent and non-existent mount paths. This behavior would allow unauthenticated
brute force attacks to reveal which paths had valid mounts. This issue affects
Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).
IMPROVEMENTS:
storage/raft (enterprise): Listing of peers is now allowed on DR secondary
cluster nodes, as an update operation that takes in DR operation token for
authenticating the request.
Binaries for 32-bit macOS (i.e. the darwin_386 build) will no longer be published. This target was dropped in the latest version of the Go compiler.
CHANGES:
agent: Agent now properly returns a non-zero exit code on error, such as one due to template rendering failure. Using error_on_missing_key in the template config will cause agent to immediately exit on failure. In order to make agent properly exit due to continuous failure from template rendering errors, the old behavior of indefinitely restarting the template server is now changed to exit once the default retry attempt of 12 times (with exponential backoff) gets exhausted. [GH-9670]
token: Periodic tokens generated by auth methods will have the period value stored in its token entry. [GH-7885]
core: New telemetry metrics reporting mount table size and number of entries [GH-10201]
Couchbase Secrets: Vault can now manage static and dynamic credentials for Couchbase. [GH-9664]
Expanded Password Policy Support: Custom password policies are now supported for all database engines.
Integrated Storage Auto Snapshots (Enterprise): This feature enables an operator to schedule snapshots of the integrated storage backend and ensure those snapshots are persisted elsewhere.
Integrated Storage Cloud Auto Join: This feature for integrated storage enables Vault nodes running in the cloud to automatically discover and join a Vault cluster via operator-supplied metadata.
Key Management Secrets Engine (Enterprise; Tech Preview): This new secret engine allows securely distributing and managing keys to Azure cloud KMS services.
Seal Migration: With Vault 1.6, we will support migrating from an auto unseal mechanism to a different mechanism of the same type. For example, if you were using an AWS KMS key to automatically unseal, you can now migrate to a different AWS KMS key.
Tokenization (Enterprise; Tech Preview): Tokenization supports creating irreversible “tokens” from sensitive data. Tokens can be used in less secure environments, protecting the original data.
Vault Client Count: Vault now counts the number of active entities (and non-entity tokens) per month and makes this information available via the "Metrics" section of the UI.
IMPROVEMENTS:
auth/approle: Role names can now be referenced in templated policies through the approle.metadata.role_name property [GH-9529]
auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs and include role name on error messages on check failure [GH-10036]
auth/jwt: Add support for fetching groups and user information from G Suite during authentication. [GH-123]
auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
command/server: Delay informational messages in -dev mode until logs have settled. [GH-9702]
command/server: Add environment variable support for disable_mlock. [GH-9931]
core/metrics: Add metrics for storage cache [GH_10079]
core/metrics: Add metrics for leader status [GH 10147]
physical/azure: Add the ability to use Azure Instance Metadata Service to set the credentials for Azure Blob storage on the backend. [GH-10189]
sdk/framework: Add a time type for API fields. [GH-9911]
secrets/database: Added support for password policies to all databases [GH-9641,
and more]
secrets/database/cassandra: Added support for static credential rotation [GH-10051]
secrets/database/elasticsearch: Added support for static credential rotation [GH-19]
secrets/database/hanadb: Added support for root credential & static credential rotation [GH-10142]
secrets/database/hanadb: Default password generation now includes dashes. Custom statements may need to be updated
to include quotes around the password field [GH-10142]
secrets/database/influxdb: Added support for static credential rotation [GH-10118]
secrets/database/mongodbatlas: Added support for root credential rotation [GH-14]
secrets/database/mongodbatlas: Support scopes field in creations statements for MongoDB Atlas database plugin [GH-15]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault/api from 1.4.1 to 1.6.0.
Release notes
Sourced from github.com/hashicorp/vault/api's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault/api's changelog.
... (truncated)
Commits
7ce0bd9
Update sdk and go mod vendor (#10366)5e6e246
Remove rc version (#10364)0ab9ef0
Ui/test metrics mirage (#10341) (#10355)68c653d
Error on root rotation when username is empty (#10344) (#10354)82e4a89
Backport 10285 10335 1.6.x (#10340)11c3095
Move "counters" path to the logical system's local path list. (#10314) (#10316)942903f
Fix inner link on transform item (#10324) (#10325)d1ca4e6
Update query params sent to activity endpoint so that they aren't rounded inc...daadba9
Remove darwin/386 since Go 1.15 doesn't support it. (#10312)664bde2
Fix docker image name. (#10311)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)