Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3

[dependabot[bot]]

Bumps github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3.

Changelog

Sourced from github.com/hashicorp/vault/sdk's changelog.

0.5.3 (May 27th, 2016)

SECURITY:

• Consul ACL Token Revocation: An issue was reported to us indicating that generated Consul ACL tokens were not being properly revoked. Upon investigation, we found that this behavior was reproducible in a specific scenario: when a generated lease for a Consul ACL token had been renewed prior to revocation. In this case, the generated token was not being properly persisted internally through the renewal function, leading to an error during revocation due to the missing token. Unfortunately, this was coded as a user error rather than an internal error, and the revocation logic was expecting internal errors if revocation failed. As a result, the revocation logic believed the revocation to have succeeded when it in fact failed, causing the lease to be dropped while the token was still valid within Consul. In this release, the Consul backend properly persists the token through renewals, and the revocation logic has been changed to consider any error type to have been a failure to revoke, causing the lease to persist and attempt to be revoked later.

We have written an example shell script that searches through Consul's ACL tokens and looks for those generated by Vault, which can be used as a template for a revocation script as deemed necessary for any particular security response. The script is available at https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0

Please note that any outstanding leases for Consul tokens produced prior to 0.5.3 that have been renewed will continue to exhibit this behavior. As a result, we recommend either revoking all tokens produced by the backend and issuing new ones, or if needed, a more advanced variant of the provided example could use the timestamp embedded in each generated token's name to decide which tokens are too old and should be deleted. This could then be run periodically up until the maximum lease time for any outstanding pre-0.5.3 tokens has expired.

This is a security-only release. There are no other code changes since 0.5.2. The binaries have one additional change: they are built against Go 1.6.1 rather than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming language itself.

Commits

• 9617c6e Cut version 0.5.3
• 48125e4 Port build script from master
• 1cecd80 Update Changelog
• b78d21c Return nil if token not in internal data
• d983c5e minor wording fix
• e859b0e Use Go 1.6.1, not 1.6.2
• 94c895f Update changelog
• a930d31 Bump Go version in Dockerfile
• c5da57a Bump version
• c6fb200 Fix the consul secret backends renewal revocation problem
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codecov-commenter]

Codecov Report

Merging #70 (ec5d7cd) into main (b8cd786) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main      #70   +/-   ##
=======================================
  Coverage   41.03%   41.03%           
=======================================
  Files          10       10           
  Lines         675      675           
=======================================
  Hits          277      277           
  Misses        370      370           
  Partials       28       28           

Flag	Coverage Δ
unittests	41.03% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update b8cd786...ec5d7cd. Read the comment docs.

[dependabot[bot]]

Superseded by #81.