search

odahu / odahu-flow

Apache License 2.0
12 stars 2 forks source link

Bump github.com/hashicorp/vault from 1.4.2 to 1.7.6 in /packages/operator #665

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 2 years ago

Bumps github.com/hashicorp/vault from 1.4.2 to 1.7.6.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.7.6

1.7.6

November 4, 2021

BUG FIXES:

  • auth/aws: fix config/rotate-root to store new key [GH-12715]
  • core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
  • core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
  • core: Fix a deadlock on HA leadership transfer [GH-12691]
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Forward KMIP register operations to the active node
  • secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12957]
  • storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.

v1.7.5

1.7.5

29 September 2021

IMPROVEMENTS:

  • secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

  • agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
  • core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
  • core (enterprise): Only delete quotas on primary cluster. [GH-12339]
  • identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
  • raft (enterprise): Fix panic when updating auto-snapshot config
  • secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
  • secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #28 [GH-12598]
  • storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
  • ui: Fixed api explorer routing bug [GH-12354]

v1.7.4

1.7.4

26 August 2021

SECURITY:

  • UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

CHANGES:

  • go: Update go version to 1.15.15 [GH-12411]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.7.6

November 4, 2021

SECURITY:

  • core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

BUG FIXES:

  • auth/aws: fix config/rotate-root to store new key [GH-12715]
  • core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
  • core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
  • core: Fix a deadlock on HA leadership transfer [GH-12691]
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Forward KMIP register operations to the active node
  • secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12957]
  • storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.

1.7.5

29 September 2021

SECURITY:

  • core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

IMPROVEMENTS:

  • secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

  • agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
  • core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
  • core (enterprise): Only delete quotas on primary cluster. [GH-12339]
  • identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
  • raft (enterprise): Fix panic when updating auto-snapshot config
  • secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
  • secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #28 [GH-12598]
  • storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
  • ui: Fixed api explorer routing bug [GH-12354]

1.7.4

26 August 2021

SECURITY:

... (truncated)

Commits
  • 2c49e3f updating go.mod for 1.7.6 (#13005)
  • 6bcf308 updating version (#12997)
  • fe735a9 go-kms-wrapping update for Azure Key Vault's Managed HSM offering [backport 1...
  • 1c7a0da Backport 1.7.x: Fix auth/aws so that config/rotate-root saves new key pair (#...
  • 4bc866b Backport 12834 17x (#12870)
  • 6d76709 Update dependency go-mssqldb to v0.11.0 in release/1.7.x (#12874)
  • 6a575c6 [VAULT-3252] Disallow alias creation if entity/accessor combination exists (#...
  • a1488e2 UI update changelog link (#12766) (#12776)
  • 6a45bae build: update base image: debian:bullseye-20210927 (#12737)
  • 4a28f6c Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3) (#12413)...
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/odahu/odahu-flow/network/alerts).
codecov-commenter commented 2 years ago

Codecov Report

Merging #665 (2a0971e) into develop (14fe72b) will not change coverage. The diff coverage is n/a.

Impacted file tree graph

@@           Coverage Diff            @@
##           develop     #665   +/-   ##
========================================
  Coverage    70.39%   70.39%           
========================================
  Files          140      140           
  Lines         6513     6513           
  Branches       370      370           
========================================
  Hits          4585     4585           
  Misses        1798     1798           
  Partials       130      130
Flag Coverage Δ
feedback 57.14% <ø> (ø)
go 57.14% <ø> (ø)
python 70.57% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

dependabot[bot] commented 1 year ago

Superseded by #670.