Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).
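As an added triage helper written for this note (not code from Vault or from this PR), the Go function below encodes the affected-version range quoted above, including the backported fixes on the 1.5 and 1.6 lines that a plain "at or below 1.7.1" comparison would misclassify. Accepting a leading `v` and a `+ent` or `-rc` suffix in version strings is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed triage helper for CVE-2021-32923, not Vault code. Affected range
// from the advisory: 0.10.0 through 1.7.1, fixed in 1.5.9, 1.6.5 and 1.7.2.

// parseVersion turns "1.7.1" into major, minor, patch. Accepting a leading
// "v" and a "+ent"/"-rc" suffix is an assumption about reported strings.
func parseVersion(v string) (major, minor, patch int, err error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return 0, 0, 0, fmt.Errorf("unexpected version format %q", v)
	}
	var n [3]int
	for i, p := range parts {
		if n[i], err = strconv.Atoi(p); err != nil || n[i] < 0 {
			return 0, 0, 0, fmt.Errorf("unexpected version format %q", v)
		}
	}
	return n[0], n[1], n[2], nil
}

// AffectedByCVE202132923 reports whether a Vault version still carries the
// non-expiring lease bug. A plain "<= 1.7.1" check would wrongly flag the
// backported fixes, so the 1.5 and 1.6 lines are handled explicitly.
func AffectedByCVE202132923(version string) (bool, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	switch {
	case major == 0 && minor < 10: // before the bug was introduced
		return false, nil
	case major > 1 || (major == 1 && minor > 7) || (major == 1 && minor == 7 && patch >= 2):
		return false, nil // 1.7.2 and later
	case major == 1 && minor == 5 && patch >= 9, major == 1 && minor == 6 && patch >= 5:
		return false, nil // backported fixes
	}
	return true, nil
}
```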
CHANGES:
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for signing JWTs [GH-11494]
IMPROVEMENTS:
api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
auth/aws: Underlying error included in validation failure message. [GH-11638]
http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
BUG FIXES:
agent/cert: Fix issue where the API client on agent was not honoring certificate information from the auto-auth config map on renewals or retries. [GH-11576]
agent: Fixed agent templating to use configured tls servername values [GH-11288]
core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
ui: Fix entity group membership and metadata not showing [GH-11641]
ui: Fix text link URL on database roles list [GH-11597]
identity: Fix a panic on arm64 platform when doing identity I/O. [GH-12371]
1.7.7
December 9, 2021
SECURITY:
storage/raft: Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1.
BUG FIXES:
ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault/api from 1.7.1 to 1.7.2.
Release notes
Sourced from github.com/hashicorp/vault/api's releases.
Changelog
Sourced from github.com/hashicorp/vault/api's changelog.
... (truncated)
Commits
- db0e424 Don't force config regeneration (#11668)
- 055e15c Upgrade packagespec to 0.2.6 (#11671)
- fff6f65 Reload raft TLS keys on active startup (#11660) (#11663)
- 814ad56 go vendor cleanup
- 48c5544 Vault 1.7.2 Pre-staging (#11651)
- a671890 Patch expiration fix over from ENT (#11650) (#11652)
- 8ade2f9 Backport 11259 changes 1.7.x (#11520)
- 1164f75 UI/fix identity model (#11641) (#11642)
- f0acfa8 AWS Auth: Update error message to include underlying error (#11638) (#11639)
- fbff9bb Add ability to customize some timeouts in MongoDB database plugin (#11600) (#...