morningconsult / docker-credential-vault-login

Automatically gets docker credentials from Hashicorp Vault
Apache License 2.0
77 stars 11 forks source link

chore(deps): bump github.com/hashicorp/vault/api from 1.7.1 to 1.7.2 #92

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps github.com/hashicorp/vault/api from 1.7.1 to 1.7.2.

Release notes

Sourced from github.com/hashicorp/vault/api's releases.

v1.7.2

1.7.2

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for signing JWTs [GH-11494]

IMPROVEMENTS:

  • api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
  • auth/aws: Underlying error included in validation failure message. [GH-11638]
  • http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
  • secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
  • secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
  • secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]

BUG FIXES:

  • agent/cert: Fix issue where the API client on agent was not honoring certificate information from the auto-auth config map on renewals or retries. [GH-11576]
  • agent: Fixed agent templating to use configured tls servername values [GH-11288]
  • core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
  • identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
  • replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
  • secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
  • secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
  • secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
  • secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
  • storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
  • ui: Fix entity group membership and metadata not showing [GH-11641]
  • ui: Fix text link URL on database roles list [GH-11597]
Changelog

Sourced from github.com/hashicorp/vault/api's changelog.

1.7.10

March 3, 2022

BUG FIXES:

  • database/mssql: Removed string interpolation on internal queries and replaced them with inline queries using named parameters. [GH-13799]
  • ui: Fix issue removing raft storage peer via cli not reflected in UI until refresh [GH-13098]
  • ui: Trigger background token self-renewal if inactive and half of TTL has passed [GH-13950]

1.7.9

January 27, 2022

IMPROVEMENTS:

  • core: Fixes code scanning alerts [GH-13667]

BUG FIXES:

  • auth/oidc: Fixes OIDC auth from the Vault UI when using the implicit flow and form_post response mode. [GH-13493]
  • secrets/gcp: Fixes role bindings for BigQuery dataset resources. [GH-13735]
  • ui: Fixes breadcrumb bug for secrets navigation [GH-13604]
  • ui: Fixes issue saving KMIP role correctly [GH-13585]

1.7.8

December 21, 2021

CHANGES:

  • go: Update go version to 1.16.12 [GH-13422]

BUG FIXES:

  • auth/aws: Fixes ec2 login no longer supporting DSA signature verification [GH-12340]
  • identity: Fix a panic on arm64 platform when doing identity I/O. [GH-12371]

1.7.7

December 9, 2021

SECURITY:

  • storage/raft: Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1.

BUG FIXES:

  • ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
  • storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
  • storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
  • ui: Fixes issue restoring raft storage snapshot [GH-13107]
  • ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [GH-13133]
  • ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [GH-13038]

... (truncated)

Commits


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)