Changelog History

  • v1.6.0 Changes

    November 11th, 2020

    NOTE:

    Binaries for 32-bit macOS (i.e. the darwin_386 build) will no longer be published. This target was dropped in the latest version of the Go compiler.

    CHANGES:

    • agent: Agent now properly returns a non-zero exit code on error, such as one due to template rendering failure. Using error_on_missing_key in the template config will cause agent to immediately exit on failure. In order to make agent properly exit due to continuous failure from template rendering errors, the old behavior of indefinitely restarting the template server is now changed to exit once the default retry attempt of 12 times (with exponential backoff) gets exhausted. [GH-9670]
    • token: Periodic tokens generated by auth methods will have the period value stored in its token entry. [GH-7885]
    • core: New telemetry metrics reporting mount table size and number of entries [GH-10201]
    • go: Updated Go version to 1.15.4 [GH-10366]

    FEATURES:

    • Couchbase Secrets: Vault can now manage static and dynamic credentials for Couchbase. [GH-9664]
    • πŸ‘ Expanded Password Policy Support: Custom password policies are now supported for all database engines.
    • ↔ Integrated Storage Auto Snapshots (Enterprise): This feature enables an operator to schedule snapshots of the integrated storage backend and ensure those snapshots are persisted elsewhere.
    • ↔ Integrated Storage Cloud Auto Join: This feature for integrated storage enables Vault nodes running in the cloud to automatically discover and join a Vault cluster via operator-supplied metadata.
    • Key Management Secrets Engine (Enterprise; Tech Preview): This new secret engine allows securely distributing and managing keys to Azure cloud KMS services.
    • Seal Migration: With Vault 1.6, we will support migrating from an auto unseal mechanism to a different mechanism of the same type. For example, if you were using an AWS KMS key to automatically unseal, you can now migrate to a different AWS KMS key.
    • Tokenization (Enterprise; Tech Preview): Tokenization supports creating irreversible β€œtokens” from sensitive data. Tokens can be used in less secure environments, protecting the original data.
    • Vault Client Count: Vault now counts the number of active entities (and non-entity tokens) per month and makes this information available via the "Metrics" section of the UI.

    IMPROVEMENTS:

    • auth/approle: Role names can now be referenced in templated policies through the approle.metadata.role_name property [GH-9529]
    • auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs and include role name on error messages on check failure [GH-10036]
    • auth/jwt: Add support for fetching groups and user information from G Suite during authentication. [GH-123]
    • auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
    • auth/jwt: Improve cli authorization error [GH-137]
    • auth/jwt: Add OIDC namespace_in_state option [GH-140]
    • secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
    • command/server: Delay informational messages in -dev mode until logs have settled. [GH-9702]
    • command/server: Add environment variable support for disable_mlock. [GH-9931]
    • core/metrics: Add metrics for storage cache [GH-10079]
    • core/metrics: Add metrics for leader status [GH-10147]
    • physical/azure: Add the ability to use Azure Instance Metadata Service to set the credentials for Azure Blob storage on the backend. [GH-10189]
    • sdk/framework: Add a time type for API fields. [GH-9911]
    • secrets/database: Added support for password policies to all databases [GH-9641, and more]
    • secrets/database/cassandra: Added support for static credential rotation [GH-10051]
    • secrets/database/elasticsearch: Added support for static credential rotation [GH-19]
    • secrets/database/hanadb: Added support for root credential & static credential rotation [GH-10142]
    • secrets/database/hanadb: Default password generation now includes dashes. Custom statements may need to be updated to include quotes around the password field [GH-10142]
    • secrets/database/influxdb: Added support for static credential rotation [GH-10118]
    • secrets/database/mongodbatlas: Added support for root credential rotation [GH-14]
    • secrets/database/mongodbatlas: Support scopes field in creations statements for MongoDB Atlas database plugin [GH-15]
    • seal/awskms: Add logging during awskms auto-unseal [GH-9794]
    • storage/azure: Update SDK library to use azure-storage-blob-go since previous library has been deprecated. [GH-9577]
    • secrets/ad: rotate-root now supports POST requests like other secret engines [GH-70]
    • ui: Add ui functionality for the Transform Secret Engine [GH-9665]
    • ui: Pricing metrics dashboard [GH-10049]

    πŸ› BUG FIXES:

    • auth/jwt: Fix bug preventing config edit UI from rendering [GH-141]
    • cli: Don't open or overwrite a raft snapshot file on an unsuccessful vault operator raft snapshot [GH-9894]
    • core: Implement constant time version of shamir GF(2^8) math [GH-9932]
    • core: Fix resource leak in plugin API (plugin-dependent, not all plugins impacted) [GH-9557]
    • core: Fix race involved in enabling certain features via a license change
    • core: Fix error handling in HCL parsing of objects with invalid syntax [GH-410]
    • identity: Check for timeouts in entity API [GH-9925]
    • secrets/database: Fix handling of TLS options in mongodb connection strings [GH-9519]
    • secrets/gcp: Ensure that the IAM policy version is appropriately set after a roleset's bindings have changed. [GH-93]
    • ui: Mask LDAP bindpass while typing [GH-10087]
    • ui: Update language in promote dr modal flow [GH-10155]
    • ui: Update language on replication primary dashboard for clarity [GH-10205]
    • core: Fix bug where updating an existing path quota could introduce a conflict. [GH-10285]
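    The constant-time Shamir GF(2^8) fix listed above [GH-9932] is about making the field arithmetic behind key-share splitting and recovery take the same time regardless of the secret bytes, so that timing cannot leak them. The following is an added example and not Vault's own code: branch-free GF(2^8) multiplication and inversion, plus share evaluation and Lagrange recovery built on them. It assumes the AES reduction polynomial 0x11b; the function names are ours.

```go
package main
// Added example, not Vault's own code. Assumes the AES reduction polynomial 0x11b.

// MulConstTime multiplies in GF(2^8) with no secret-dependent branches or table
// lookups: every round does identical work, and conditional XORs use bit masks.
func MulConstTime(a, b byte) (p byte) {
	for i := 0; i < 8; i++ {
		p ^= a & -(b & 1)                 // add a when the low bit of b is set
		a = (a << 1) ^ (0x1b & -(a >> 7)) // double a, reducing mod 0x11b on overflow
		b >>= 1
	}
	return p
}

// InvConstTime computes a^-1 = a^254 with a fixed square-and-multiply schedule
// (254 = 0b11111110). Inv(0) returns 0; callers must reject it as a divide by zero.
func InvConstTime(a byte) byte {
	r := byte(1)
	for _, bit := range [8]byte{1, 1, 1, 1, 1, 1, 1, 0} {
		r = MulConstTime(r, r)
		m := -bit // 0xff selects a, 0x00 selects 1: no branch on the exponent
		r = MulConstTime(r, (a&m)|(1&^m))
	}
	return r
}

// Eval evaluates coeffs[0] + coeffs[1]*x + ... at share index x (Horner's rule);
// coeffs[0] is the secret byte, the remaining coefficients are random.
func Eval(coeffs []byte, x byte) (y byte) {
	for i := len(coeffs) - 1; i >= 0; i-- {
		y = MulConstTime(y, x) ^ coeffs[i]
	}
	return y
}

// Interpolate recovers the secret (value at x=0) from threshold shares by Lagrange
// interpolation; subtraction is XOR, and the only branch is on public indices.
func Interpolate(xs, ys []byte) (secret byte) {
	for i := range xs {
		basis := byte(1)
		for j := range xs {
			if j != i {
				basis = MulConstTime(basis, MulConstTime(xs[j], InvConstTime(xs[j]^xs[i])))
			}
		}
		secret ^= MulConstTime(ys[i], basis)
	}
	return secret
}
```

A real implementation works byte-wise over the whole secret, with one random polynomial per byte; the field operations above are the part whose timing must not depend on the data.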
  • v1.5.9 Changes

    May 20th, 2021

    SECURITY:

    • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token leases and dynamic secret leases with a zero-second TTL, causing them to be treated as non-expiring, and never revoked. This issue affects Vault and Vault Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 1.7.2 (CVE-2021-32923).

    CHANGES:

    • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs when using GCP Auto-Auth method [GH-11473]
    • auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for signing JWTs [GH-11499]

    πŸ› BUG FIXES:

    • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
  • v1.5.8 Changes

    21 April 2021

    SECURITY:

    • The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions 1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668)

    CHANGES:

    • go: Update to Go 1.14.15 [GH-11397]

    IMPROVEMENTS:

    • core: Add tls_max_version listener config option. [GH-11226]

    πŸ› BUG FIXES:

    • core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
    • core: Fix cleanup of storage entries from cubbyholes within namespaces. [GH-11408]
    • pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [GH-11367]
    • core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
  • v1.5.7 Changes

    January 29, 2021

    SECURITY:

    • IP Address Disclosure: We fixed a vulnerability where, under some error conditions, Vault would return an error message disclosing internal IP addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2021-3024).
    • Mount Path Disclosure: Vault previously returned different HTTP status codes for existent and non-existent mount paths. This behavior would allow unauthenticated brute force attacks to reveal which paths had valid mounts. This issue affects Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).

    IMPROVEMENTS:

    • storage/raft (enterprise): Listing of peers is now allowed on DR secondary cluster nodes, as an update operation that takes in DR operation token for authenticating the request.

    πŸ› BUG FIXES:

    • core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
    • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
  • v1.5.6 Changes

    December 16, 2020

    SECURITY:

    • LDAP Auth Method: We addressed an issue where error messages returned by the LDAP auth method allowed user enumeration [GH-10537]. This vulnerability affects Vault OSS and Vault Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
    • Sentinel EGP: We've fixed incorrect handling of namespace paths to prevent users within namespaces from applying Sentinel EGP policies to paths above their namespace. This vulnerability affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1.

    IMPROVEMENTS:

    • auth/ldap: Improve consistency in error messages [GH-10537]

    πŸ› BUG FIXES:

    • core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
    • core: Fix bug where updating an existing path quota could introduce a conflict [GH-10285]
    • core: Fix client.Clone() to include the address [GH-10077]
    • quotas (enterprise): Reset cache before loading quotas in the db during startup
    • secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [GH-10386]
  • v1.5.5 Changes

    October 21, 2020

    IMPROVEMENTS:

    • auth/aws, core/seal, secret/aws: Set default IMDS timeouts to match AWS SDK [GH-10133]

    πŸ› BUG FIXES:

    • auth/aws: Restrict region selection when in the aws-us-gov partition to avoid IAM errors [GH-9947]
    • core (enterprise): Allow operators to add and remove (Raft) peers in a DR secondary cluster using Integrated Storage.
    • core (enterprise): Add DR operation token to the remove peer API and CLI command (when DR secondary).
    • core (enterprise): Fix deadlock in handling EGP policies
    • core (enterprise): Fix extraneous error messages in DR Cluster
    • secrets/mysql: Conditionally overwrite TLS parameters for MySQL secrets engine [GH-9729]
    • secrets/ad: Fix bug where password_policy setting was not using correct key when ad/config was read [GH-71]
    • ui: Fix issue with listing roles and methods on the same auth methods with different names [GH-10122]
  • v1.5.4 Changes

    September 24th, 2020

    SECURITY:

    • Batch Token Expiry: We addressed an issue where batch token leases could outlive their TTL because we were not scheduling the expiration time correctly. This vulnerability affects Vault OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7 and 1.5.4 (CVE-2020-25816).

    IMPROVEMENTS:

    • secrets/pki: Handle expiration of a cert not in storage as a success [GH-9880]
    • auth/kubernetes: Add an option to disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod [GH-97]
    • secrets/gcp: Add check for 403 during rollback to prevent repeated deletion calls [GH-97]
    • core: Disable usage metrics collection on performance standby nodes. [GH-9966]
    • credential/aws: Added X-Amz-Content-Sha256 as a default STS request header [GH-10009]

    πŸ› BUG FIXES:

    • agent: Fix disable_fast_negotiation not being set on the auth method when configured by user. [GH-9892]
    • core (enterprise): Fix hang when cluster-wide plugin reload cleanup is slow on unseal
    • core (enterprise): Fix an error in cluster-wide plugin reload cleanup following such a reload
    • core: Fix crash when metrics collection encounters zero-length keys in KV store [GH-9811]
    • mfa (enterprise): Fix incorrect handling of PingID responses that could result in auth requests failing
    • replication (enterprise): Improve race condition when using a newly created token on a performance standby node
    • replication (enterprise): Only write failover cluster addresses if they've changed
    • ui: fix bug where dropdown for identity/entity management is not reflective of actual policy [GH-9958]
  • v1.5.3 Changes

    August 27th, 2020

    NOTE:

    All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users.

    πŸ› BUG FIXES:

    • auth/aws: Made header handling for IAM authentication more robust
    • secrets/ssh: Fixed a bug with role option for SSH signing algorithm to allow more than RSA signing
  • v1.5.2 Changes

    August 20th, 2020

    NOTE:

    OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.

    KNOWN ISSUES:

    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.5.2 Upgrade Guide
    • πŸ— In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly - enterprise customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1.
  • v1.5.2.1 Changes

    August 21st, 2020

    Enterprise Only

    NOTE:

    Includes correct license in the HSM binary.