Changelog History

  • v1.5.2 Changes

    August 20th, 2020

    NOTE:

    OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.

    KNOWN ISSUES:

    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.5.2 Upgrade Guide.
    • In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly; enterprise customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1.

  • v1.5.2.1 Changes

    August 21st, 2020

    Enterprise Only

    NOTE:

    Includes correct license in the HSM binary.

  • v1.5.1 Changes

    August 20th, 2020

    SECURITY:

    • When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero)
    • When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero)
    • When using Vault Agent with cert auto-auth and caching enabled, under certain circumstances, clients without permission to access the agent's token may retrieve the token without login credentials. This vulnerability affects Vault Agent 1.1.0 and newer and is fixed in 1.5.1 (CVE-2020-17455)

    KNOWN ISSUES:

    • OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.
    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.5.1 Upgrade Guide.

    CHANGES:

    • pki: The tidy operation will now remove revoked certificates if the parameter tidy_revoked_certs is set to true. Certificate entries are then removed immediately rather than being kept until their NotAfter time. Note that this only affects certificates that have already been revoked. [GH-9609]
    • go: Updated Go version to 1.14.7

    IMPROVEMENTS:

    • auth/jwt: Add support for fetching groups and user information from G Suite during authentication. [GH-9574]
    • auth/jwt: Add EdDSA to supported algorithms. [GH-129]
    • secrets/openldap: Add "ad" schema that allows the engine to correctly rotate AD passwords. [GH-9740]
    • pki: Add an allowed_domains_template parameter that enables the use of identity templating within the allowed_domains parameter. [GH-8509]
    • secret/azure: Use write-ahead logs to clean up any orphaned Service Principals [GH-9773]
    • ui: The Wrap TTL option on the transit engine export action now uses a new component. [GH-9632]
    • ui: The Wrap Tool now uses the newest version of the TTL Picker component. [GH-9691]

    ๐Ÿ› BUG FIXES:

    • secrets/gcp: Ensure that the IAM policy version is appropriately set after a roleset's bindings have changed. [GH-9603]
    • replication (enterprise): Fix status API output incorrectly stating replication is in idle state.
    • replication (enterprise): Use PrimaryClusterAddr if it's been set
    • ๐Ÿ–จ core: Fix panic when printing over-long info fields at startup [GH-9681]
    • ๐ŸŽ core: Seal migration using the new minimal-downtime strategy didn't work properly with performance standbys. [GH-9690]
    • ๐Ÿ”ง core: Vault failed to start when there were non-string values in seal configuration [GH-9555]
    • core: Handle a trailing slash in the API address used for enabling replication
  • v1.5.0 Changes

    July 21st, 2020

    CHANGES:

    • audit: Token TTL and issue time are now provided in the auth portion of audit logs. [GH-9091]
    • auth/gcp: Changes the default name of the entity alias that gets created to be the role ID for both IAM and GCE authentication. [GH-99]
    • core: Remove the addition of newlines to parsed configuration when using integer/boolean values [GH-8928]
    • cubbyhole: Reject reads and writes to an empty ("") path. [GH-8971]
    • secrets/azure: Default password generation changed from uuid to cryptographically secure randomized string [GH-40]
    • storage/gcs: The credentials_file config option has been removed. The GOOGLE_APPLICATION_CREDENTIALS environment variable or default credentials may be used instead [GH-9424]
    • storage/raft: The storage configuration now accepts a new max_entry_size config that will limit the total size in bytes of any entry committed via raft. It defaults to "1048576" (1MiB). [GH-9027]
    • token: Token creation with custom token ID via id will no longer allow periods (.) as part of the input string. The final generated token value may contain periods, such as the s. prefix for service token indication. [GH-8646]
    • token: Token renewals will now return token policies within token_policies, identity policies within identity_policies, and the full policy set within policies. [GH-8535]
    • go: Updated Go version to 1.14.4

    FEATURES:

    • Monitoring: We have released a Splunk App for Enterprise customers. The app is accompanied by an updated monitoring guide and a few new metrics to enable OSS users to effectively monitor Vault.
    • Password Policies: Allows operators to customize how passwords are generated for select secret engines (OpenLDAP, Active Directory, Azure, and RabbitMQ).
    • Replication UI Improvements: We have redesigned the replication UI to highlight the state and relationship between primaries and secondaries and improved management workflows, enabling a more holistic understanding of multiple Vault clusters.
    • Resource Quotas: As of 1.5, Vault supports specifying a quota to rate limit requests on OSS and Enterprise. Enterprise customers also have access to set quotas on the number of leases that can be generated on a path.
    • OpenShift Support: We have updated the Helm charts to allow users to install Vault onto their OpenShift clusters.
    • Seal Migration: We have made updates to allow migrations from auto unseal to Shamir unseal on Enterprise.
    • AWS Auth Web Identity Support: We've added support for AWS Web Identities, which will be used in the credentials chain if present.
    • Vault Monitor: Similar to the monitor command for Consul and Nomad, we have added the ability for Vault to stream logs from other Vault servers at varying log levels.
    • AWS Secrets Groups Support: IAM users generated by Vault may now be added to IAM Groups.
    • Integrated Storage as HA Storage: In Vault 1.5, it is possible to use Integrated Storage as HA Storage with a different storage backend as regular storage.
    • OIDC Auth Provider Extensions: We've added support to OIDC Auth to incorporate IdP-specific extensions. Currently this includes expanded Azure AD groups support.
    • GCP Secrets: Support BigQuery dataset ACLs in absence of IAM endpoints.
    • KMIP: Add support for signing client certificate signing requests (CSRs) rather than having them be generated entirely within Vault.

    IMPROVEMENTS:

    • audit: Replication status requests are no longer audited. [GH-8877]
    • audit: Added mount_type field to requests and responses. [GH-9167]
    • auth/aws: Add support for Web Identity credentials [GH-7738]
    • auth/jwt: Support users that are members of more than 200 groups on Azure [GH-120]
    • auth/kerberos: Support identities without userPrincipalName [GH-44]
    • auth/kubernetes: Allow disabling iss validation [GH-91]
    • auth/kubernetes: Try reading the ca.crt and TokenReviewer JWT from the default service account [GH-83]
    • cli: Support reading TLS parameters from file for the vault operator raft join command. [GH-9060]
    • cli: Add a new subcommand, vault monitor, for tailing server logs in the console. [GH-8477]
    • core: Add the Go version used to build a Vault binary to the server message output. [GH-9078]
    • core: Added Password Policies for user-configurable password generation [GH-8637]
    • core: New telemetry metrics covering token counts, token creation, KV secret counts, lease creation. [GH-9239] [GH-9250] [GH-9244] [GH-9052]
    • physical/gcs: The storage backend now uses a dedicated client for HA lock updates to prevent lock table update failures when flooded by other client requests. [GH-9424]
    • physical/spanner: The storage backend now uses a dedicated client for HA lock updates to prevent lock table update failures when flooded by other client requests. [GH-9423]
    • plugin: Add SDK method, Sys.ReloadPlugin, and CLI command, vault plugin reload, for reloading plugins. [GH-8777]
    • plugin (enterprise): Add a scope field to plugin reload, which when global, reloads the plugin anywhere in a cluster. [GH-9347]
    • sdk/framework: Support accepting TypeFloat parameters over the API [GH-8923]
    • secrets/aws: Add iam_groups parameter to role create/update [GH-8811]
    • secrets/database: Add static role rotation for MongoDB Atlas database plugin [GH-11]
    • secrets/database: Add static role rotation for MSSQL database plugin [GH-9062]
    • secrets/database: Allow InfluxDB to use insecure TLS without cert bundle [GH-8778]
    • secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints [GH-78]
    • secrets/pki: Allow 3072-bit RSA keys [GH-8343]
    • secrets/ssh: Add a CA-mode role option to specify signing algorithm [GH-9096]
    • secrets/ssh: The Vault SSH Helper can now be configured to reference a mount in a namespace [GH-44]
    • secrets/transit: Transit requests that make use of keys now include a new field key_version in their responses [GH-9100]
    • secrets/transit: Improved transit batch encrypt and decrypt latencies [GH-8775]
    • sentinel: Add a sentinel config section, and "additional_enabled_modules", a list of Sentinel modules that may be imported in addition to the defaults.
    • ui: Update TTL picker styling on SSH secret engine [GH-8891]
    • ui: Only render the JWT input field of the Vault login form on mounts configured for JWT auth [GH-8952]
    • ui: Add replication dashboards. Improve replication management workflows. [GH-8705]
    • ui: Update alert banners to match the design system's black text. [GH-9463]

    ๐Ÿ› BUG FIXES:

    • 0๏ธโƒฃ auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI) auth method could not authenticate when the plugin backend was mounted at a non-default path. [GH-7]
    • ๐ŸŽ core: Extend replicated cubbyhole fix in 1.4.0 to cover case where a performance primary is also a DR primary [GH-9148]
    • replication (enterprise): Use the PrimaryClusterAddr if it's been set
    • seal/awskms: fix AWS KMS auto-unseal when AWS_ROLE_SESSION_NAME not set [GH-9416]
    • ๐Ÿ“‡ sentinel: fix panic due to concurrent map access when rules iterate over metadata maps
    • ๐ŸŽ secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [GH-9186]
    • secrets/database: Fix issue where rotating root database credentials while Vault's storage backend is unavailable causes Vault to lose access to the database [GH-8782]
    • ๐ŸŽ secrets/database: Fix issue that prevents performance standbys from connecting to databases after a root credential rotation [GH-9129]
    • ๐Ÿ“œ secrets/database: Fix parsing of multi-line PostgreSQL statements [GH-8512]
    • โšก๏ธ secrets/gcp: Fix issue were updates were not being applied to the token_scopes of a roleset. [GH-90]
    • ๐Ÿ”– secrets/kv: Return the value of delete_version_after when reading kv/config, even if it is set to the default. [GH-42]
    • ๐Ÿ’ป ui: Add Toggle component into core addon so it is available in KMIP and other Ember Engines.[GH-8913]
    • ๐Ÿ’ป ui: Disallow max versions value of large than 9999999999999999 on kv2 secrets engine. [GH-9242]
    • โฌ†๏ธ ui: Add and upgrade missing dependencies to resolve a failure with make static-dist. [GH-9277]
  • v1.4.7 Changes

    September 24th, 2020

    SECURITY:

    • Batch Token Expiry: We addressed an issue where batch token leases could outlive their TTL because we were not scheduling the expiration time correctly. This vulnerability affects Vault OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7 and 1.5.4 (CVE-2020-25816).

    IMPROVEMENTS:

    • secret/azure: Use write-ahead logs to clean up any orphaned Service Principals [GH-9773]

    BUG FIXES:

    • replication (enterprise): Don't stop replication if old filter path evaluation fails.

  • v1.4.7.1 Changes

    October 15th, 2020

    Enterprise Only

    ๐Ÿ› BUG FIXES:

    • replication (enterprise): Fix panic when old filter path evaluation fails
  • v1.4.6 Changes

    August 27th, 2020

    NOTE:

    All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users.

    BUG FIXES:

    • auth/aws: Made header handling for IAM authentication more robust.
    • secrets/ssh: Fixed a bug with role option for SSH signing algorithm to allow more than RSA signing [GH-9824]

  • v1.4.5 Changes

    August 20th, 2020

    NOTE:

    OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.

    KNOWN ISSUES:

    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.4.5 Upgrade Guide.
    • In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly; enterprise customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1.

  • v1.4.5.1 Changes

    August 21st, 2020

    Enterprise Only

    NOTE:

    Includes correct license in the HSM binary.

  • v1.4.4 Changes

    August 20th, 2020

    SECURITY:

    • When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero)
    • When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero)

    KNOWN ISSUES:

    • OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.
    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.4.4 Upgrade Guide.

    ๐Ÿ› BUG FIXES:

    • auth/okta: fix bug introduced in 1.4.0: only 200 external groups were fetched even if user belonged to more [GH-9580]
    • seal/awskms: fix AWS KMS auto-unseal when AWS_ROLE_SESSION_NAME not set [GH-9416]
    • ๐ŸŽ secrets/aws: Fix possible issue creating access keys when using Performance Standbys [GH-9606]

    ๐Ÿ‘Œ IMPROVEMENTS:

    • auth/aws: Retry on transient failures during AWS IAM auth login attempts [GH-8727]
    • ๐Ÿ’ป ui: Add transit key algorithms aes128-gcm96, ecdsa-p384, ecdsa-p521 to the UI. [GH-9070] & [GH-9520]