Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
leases and dynamic secret leases with a zero-second TTL, causing them to be
treated as non-expiring, and never revoked. This issue affects Vault and Vault
Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
1.7.2 (CVE-2021-32923).
CHANGES:
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for
signing JWTs [GH-11494]
IMPROVEMENTS:
api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
auth/aws: Underlying error included in validation failure message. [GH-11638]
http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
BUG FIXES:
agent/cert: Fix issue where the API client on agent was not honoring certificate
information from the auto-auth config map on renewals or retries. [GH-11576]
agent: Fixed agent templating to use configured tls servername values [GH-11288]
core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
ui: Fix entity group membership and metadata not showing [GH-11641]
ui: Fix text link URL on database roles list [GH-11597]
Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
leases and dynamic secret leases with a zero-second TTL, causing them to be
treated as non-expiring, and never revoked. This issue affects Vault and Vault
Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
1.7.2 (CVE-2021-32923).
CHANGES:
agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for
signing JWTs [GH-11494]
IMPROVEMENTS:
api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
auth/aws: Underlying error included in validation failure message. [GH-11638]
http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
BUG FIXES:
agent/cert: Fix issue where the API client on agent was not honoring certificate
information from the auto-auth config map on renewals or retries. [GH-11576]
agent: Fixed agent templating to use configured tls servername values [GH-11288]
core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
ui: Fix entity group membership and metadata not showing [GH-11641]
ui: Fix text link URL on database roles list [GH-11597]
1.7.1
21 April 2021
SECURITY:
The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/hashicorp/vault/api from 1.6.0 to 1.7.2.
Release notes
Sourced from github.com/hashicorp/vault/api's releases.
... (truncated)
Changelog
Sourced from github.com/hashicorp/vault/api's changelog.
... (truncated)
Commits
db0e424Don't force config regeneration (#11668)055e15cUpgrade packagespec to 0.2.6 (#11671)fff6f65Reload raft TLS keys on active startup (#11660) (#11663)814ad56go vendor cleanup48c5544Vault 1.7.2 Pre-staging (#11651)a671890Patch expiration fix over from ENT (#11650) (#11652)8ade2f9Backport 11259 changes 1.7.x (#11520)1164f75UI/fix identity model (#11641) (#11642)f0acfa8AWS Auth: Update error message to include underlying error (#11638) (#11639)fbff9bbAdd ability to customize some timeouts in MongoDB database plugin (#11600) (#...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)