auth/github: Allow for an optional GitHub auth token environment variable to make authenticated requests when fetching org id
website/docs: Add docs for VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing GitHub config [GH-19244]
core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
core: validate name identifiers in mssql physical storage backend prior to use [GH-19591]
database/elasticsearch: Update error messages resulting from Elasticsearch API errors [GH-19545]
events: Suppress log warnings triggered when events are sent but the events system is not enabled. [GH-19593]
BUG FIXES:
agent: Fix panic when SIGHUP is issued to Agent while it has a non-TLS listener. [GH-19483]
core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
kmip (enterprise): Do not require attribute Cryptographic Usage Mask when registering Secret Data managed objects.
kmip (enterprise): Fix a problem forwarding some requests to the active node.
openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
secrets/ldap: Invalidates WAL entry for static role if password_policy has changed. [GH-19640]
secrets/pki: Fix PKI revocation request forwarding from standby nodes due to an error wrapping bug [GH-19624]
secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
ui: Fixes crypto.randomUUID error in insecure contexts from third party ember-data library [GH-19428]
ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
ui: fixes oidc tabs in auth form submitting with the root's default_role value after a namespace has been inputted [GH-19541]
ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]
v1.13.0
1.13.0 (March 01, 2023)
SECURITY:
secrets/ssh: removal of the deprecated dynamic keys mode. When any remaining dynamic key leases expire, an error stating secret is unsupported by this backend will be thrown by the lease manager. [GH-18874]
CHANGES:
auth/alicloud: require the role field on login [GH-19005]
auth/approle: Add maximum length of 4096 for approle role_names, as this value results in HMAC calculation [GH-17768]
auth: Returns invalid credentials for ldap, userpass and approle when wrong credentials are provided for existent users. This will only be used internally for implementing user lockout. [GH-17104]
Add debug symbols back to builds to fix Dynatrace support [GH-20294]
cli/namespace: Add detailed flag to output additional namespace information such as namespace IDs and custom metadata. [GH-20243]
core/activity: add an endpoint to write test activity log data, guarded by a build flag [GH-20019]
core: Add a raft sub-field to the storage and ha_storage details provided by the /sys/config/state/sanitized endpoint in order to include the max_entry_size. [GH-20044]
core: include reason for ErrReadOnly on PBPWF writing failures
sdk/ldaputil: added connection_timeout to tune connection timeout duration for all LDAP plugins. [GH-20144]
secrets/pki: Decrease size and improve compatibility of OCSP responses by removing issuer certificate. [GH-20201]
sys/wrapping: Add example how to unwrap without authentication in Vault [GH-20109]
ui: Allows license-banners to be dismissed. Saves preferences in localStorage. [GH-19116]
BUG FIXES:
auth/ldap: Add max_page_size configurable to LDAP configuration [GH-19032]
command/server: Fix incorrect paths in generated config for -dev-tls flag on Windows [GH-20257]
core (enterprise): Fix intermittent issue with token entries sometimes not being found when using a newly created token in a request to a secondary, even when SSCT new_token forwarding is set. When this occurred, this would result in the following error to the client: error performing token check: no lease entry found for token that ought to have one, possible eventual consistency issue.
core (enterprise): Fix read on perf standbys failing with 412 after leadership change, unseal, restores or restarts when no writes occur
core/seal: Fix handling of HMACing of seal-wrapped storage entries from HSMs using CKM_AES_CBC or CKM_AES_CBC_PAD.
core/ssct (enterprise): Fixed race condition where a newly promoted DR may revert sscGenCounter resulting in 412 errors.
core: Fix regression breaking non-raft clusters whose nodes share the same cluster_addr/api_addr. [GH-19721]
helper/random: Fix race condition in string generator helper [GH-19875]
kmip (enterprise): Fix a problem decrypting with keys that have no Process Start Date attribute.
pki: Fix automatically turning off CRL signing on upgrade to Vault >= 1.12, if CA Key Usage disallows it [GH-20220]
replication (enterprise): Fix a caching issue when replicating filtered data to a performance secondary. This resulted in the data being set to nil in the cache and an "invalid value" error being returned from the API.
replication (enterprise): Fix replication status for Primary clusters showing its primary cluster's information (in case of DR) in secondaries field when known_secondaries field is nil
sdk/helper/ocsp: Workaround bug in Go's ocsp.ParseResponse(...), causing validation to fail with embedded CA certificates.
auth/cert: Fix OCSP validation against Vault's PKI engine. [GH-20181]
secrets/aws: Revert changes that removed the lease on STS credentials, while leaving the new ttl field in place. [GH-20034]
secrets/pki: Ensure cross-cluster delta WAL write failure only logs to avoid unattended forwarding. [GH-20057]
secrets/pki: Fix building of unified delta CRLs and recovery during unified delta WAL write failures. [GH-20058]
secrets/pki: Fix patching of leaf_not_after_behavior on issuers. [GH-20341]
secrets/transform (enterprise): Address SQL connection leak when cleaning expired tokens
ui: Fix OIDC provider logo showing when domain doesn't match [GH-20263]
ui: Fix bad link to namespace when namespace name includes `.` [GH-19799]
ui: fixes browser console formatting for help command output [GH-20064]
ui: fixes remaining doc links to include /vault in path [GH-20070]
... (truncated)
Commits
b9b773f backport of commit 18890322c68928484a03c54d328360ca43f32b3a (#20352)
9037c26 backport of commit 8856cc13d3b9e8e4e10b8402270039d788e58cd5 (#20348)
d63cc54 backport of commit 464b9de169e157495d18865a34c1bc2627194675 (#20344)
2b244b4 backport of commit a2a3c49a175b1226792de41badd7a917a9b8d6aa (#20345)
4d8b6c8 backport of commit 1c9b5d4333a28bbabd168389002348af6d5b2921 (#20339)
3ca228b Backport of enos: always use the initial release during upgrades into release...
71c3a46 backport of commit 788f337bbfd81c9689f07ba98cbdf77a67515ba8 (#20325)
02d5fa1 Backport of Add guidelines for agent/server version compatibility into releas...
6452228 backport of commit 9ff6ee572eb1db3774305954b45a7662edb8a410 (#20313)
e55c713 backport of commit 666ad87bd28829f8692dd6cf943e78f90052a9ce (#20311)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault from 1.3.2 to 1.13.2.
Release notes
Sourced from github.com/hashicorp/vault's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault's changelog.
... (truncated)