Changelog History

  • v1.9.8 Changes

    July 21, 2022

    CHANGES:

    • core: Bump Go version to 1.17.12.

    IMPROVEMENTS:

    • secrets/ssh: Allow additional text along with a template definition in defaultExtension value fields. [GH-16018]

    BUG FIXES:

    • core/identity: Replicate member_entity_ids and policies in identity/group across nodes identically [GH-16088]
    • core/replication (enterprise): Don't flush merkle tree pages to disk after losing active duty
    • core/seal: Fix possible keyring truncation when using the file backend. [GH-15946]
    • storage/raft (enterprise): Prevent unauthenticated voter status change with rejoin [GH-16324]
    • transform (enterprise): Fix a bug in the handling of nested or unmatched capture groups in FPE transformations.
    • ui: Fix issue where metadata tab is hidden even though policy grants access [GH-15824]
    • ui: Updated leasId to leaseId in the "Copy Credentials" section of "Generate AWS Credentials" [GH-15685]
  • v1.9.7 Changes

    June 10, 2022

    IMPROVEMENTS:

    • ui: Allow namespace param to be parsed from state queryParam [GH-15378]

    BUG FIXES:

    • agent: Redact auto auth token from renew endpoints [GH-15380]
    • auth/ldap: The logic for setting the entity alias when username_as_alias is set has been fixed. The previous behavior would make a request to the LDAP server to get user_attr before discarding it and using the username instead. This would make it impossible for a user to connect if this attribute was missing or had multiple values, even though it would not be used anyway. This has been fixed and the username is now used without making superfluous LDAP searches. [GH-15525]
    • core (enterprise): Fix overcounting of lease count quota usage at startup.
    • core/config: Only ask the system about network interfaces when address configs contain a template having the format: {{ ... }} [GH-15224]
    • core: Prevent changing file permissions of audit logs when mode 0000 is used. [GH-15759]
    • core: Prevent metrics generation from causing deadlocks. [GH-15693]
    • core: fixed systemd reloading notification [GH-15041]
    • core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
    • storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
    • transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.
    • ui: Fixes client count timezone bug [GH-15743]
    • ui: Fixes issue logging in with OIDC from a listed auth mounts tab [GH-15666]
  • v1.9.6 Changes

    April 29, 2022

    πŸ› BUG FIXES:

    • raft: fix Raft TLS key rotation panic that occurs if active key is more than 24 hours old [GH-15156]
    • πŸ‘ sdk: Fix OpenApi spec generator to properly convert TypeInt64 to OAS supported int64 [GH-15104]
  • v1.9.5 Changes

    April 22, 2022

    CHANGES:

    • core: A request that fails path validation due to relative path check will now be responded to with a 400 rather than 500. [GH-14328]
    • core: Bump Go version to 1.17.9. [GH-15045]

    IMPROVEMENTS:

    • auth/ldap: Add username_as_alias configurable to change how aliases are named [GH-14324]
    • core: Systemd unit file included with the Linux packages now sets the service type to notify. [GH-14385]
    • sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid potential naming collisions in the remote installer
    • website/docs: added a link to an Enigma secret plugin. [GH-14389]

    BUG FIXES:

    • api/sys/raft: Update RaftSnapshotRestore to use net/http client allowing bodies larger than allocated memory to be streamed [GH-14269]
    • api: Respect increment value in grace period calculations in LifetimeWatcher [GH-14836]
    • auth/approle: Add maximum length for input values that result in SHA256 HMAC calculation [GH-14746]
    • cassandra: Update gocql Cassandra client to fix "no hosts available in the pool" error [GH-14973]
    • cli: Fix panic caused by parsing key=value fields whose value is a single backslash [GH-14523]
    • core (enterprise): Allow local alias create RPCs to persist alias metadata
    • core/metrics: Fix incorrect table size metric for local mounts [GH-14755]
    • core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited integers [GH-15072]
    • core: Fix panic caused by parsing JSON integers for fields defined as comma-delimited strings [GH-14522]
    • core: Fix panic caused by parsing policies with empty slice values. [GH-14501]
    • core: Fix panic for help request URL paths without /v1/ prefix [GH-14704]
    • core: fixing excessive unix file permissions [GH-14791]
    • core: fixing excessive unix file permissions on dir, files and archive created by vault debug command [GH-14846]
    • core: report unused or redundant keys in server configuration [GH-14752]
    • core: time.After() used in a select statement can lead to memory leak [GH-14814]
    • identity/token: Fixes a bug where duplicate public keys could appear in the .well-known JWKS [GH-14543]
    • metrics/autosnapshots (enterprise): Fix bug that could cause vault.autosnapshots.save.errors to not be incremented when there is an autosnapshot save error.
    • replication (enterprise): fix panic due to missing entity during invalidation of local aliases. [GH-14622]
    • ui: Fix Generated Token's Policies helpText to clarify that comma separated values are not accepted in this field. [GH-15046]
    • ui: Fix issue where UI incorrectly handled API errors when mounting backends [GH-14551]
    • ui: Fixes caching issue on kv new version create [GH-14489]
    • ui: Fixes edit auth method capabilities issue [GH-14966]
    • ui: Fixes issue logging out with wrapped token query parameter [GH-14329]
    • ui: Fixes issue with correct auth method not selected when logging out from OIDC or JWT methods [GH-14545]
    • ui: Redirects to managed namespace if incorrect namespace in URL param [GH-14422]
    • ui: fix search-select component showing blank selections when editing group member entity [GH-15058]
    • ui: masked values no longer give away length or location of special characters [GH-15025]
  • v1.9.4 Changes

    March 3, 2022

    SECURITY:

    • secrets/pki: Vault and Vault Enterprise ("Vault") allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. This vulnerability, CVE-2022-25243, was fixed in Vault 1.8.9 and 1.9.4.
    • transform (enterprise): Vault Enterprise ("Vault") clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. This vulnerability, CVE-2022-25244, was fixed in Vault Enterprise 1.7.10, 1.8.9, and 1.9.4.

    CHANGES:

    • secrets/azure: Changes the configuration parameter use_microsoft_graph_api to use the Microsoft Graph API by default. [GH-14130]

    IMPROVEMENTS:

    • core: Bump Go version to 1.17.7. [GH-14232]
    • secrets/pki: Restrict issuance of wildcard certificates via role parameter (allow_wildcard_certificates) [GH-14238]

    BUG FIXES:

    • Fixed bug where auth method only considers system-identity when multiple identities are available. #50 [GH-14138]
    • auth/kubernetes: Properly handle the migration of role storage entries containing an empty alias_name_source [GH-13925]
    • auth/kubernetes: ensure valid entity alias names created for projected volume tokens [GH-14144]
    • identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. [GH-13871]
    • identity/oidc: Fixes inherited group membership when evaluating client assignments [GH-14013]
    • secrets/azure: Fixed bug where Azure environment did not change Graph URL [GH-13973]
    • secrets/azure: Fixes the rotate root operation for upgraded configurations with a root_password_ttl of zero. [GH-14130]
    • secrets/gcp: Fixed bug where error was not reported for invalid bindings [GH-13974]
    • secrets/openldap: Fix panic from nil logger in backend [GH-14171]
    • secrets/pki: Fix issuance of wildcard certificates matching glob patterns [GH-14235]
    • storage/raft: Fix issues allowing invalid nodes to become leadership candidates. [GH-13703]
    • ui: Fix default TTL display and set on database role [GH-14224]
    • ui: Fix incorrect validity message on transit secrets engine [GH-14233]
    • ui: Fix kv engine access bug [GH-13872]
    • ui: Fix issue removing raft storage peer via cli not reflected in UI until refresh [GH-13098]
    • ui: Trigger background token self-renewal if inactive and half of TTL has passed [GH-13950]
  • v1.9.3 Changes

    January 27, 2022

    IMPROVEMENTS:

    • auth/kubernetes: Added support for dynamically reloading short-lived tokens for better Kubernetes 1.21+ compatibility [GH-13698]
    • auth/ldap: Add username to alias metadata [GH-13669]
    • core/identity: Support updating an alias' custom_metadata to be empty. [GH-13395]
    • core: Fixes code scanning alerts [GH-13667]
    • http (enterprise): Serve /sys/license/status endpoint within namespaces

    BUG FIXES:

    • auth/oidc: Fixes OIDC auth from the Vault UI when using the implicit flow and form_post response mode. [GH-13492]
    • cli: Fix using kv patch with older server versions that don't support HTTP PATCH. [GH-13615]
    • core (enterprise): Workaround AWS CloudHSM v5 SDK issue not allowing read-only sessions
    • core/identity: Address a data race condition between local updates to aliases and invalidations [GH-13476]
    • core: add support for go-sockaddr templates in the top-level cluster_addr field [GH-13678]
    • identity/oidc: Check for a nil signing key on rotation to prevent panics. [GH-13716]
    • kmip (enterprise): Fix locate by name operations fail to find key after a rekey operation.
    • secrets/database/mssql: Accept a boolean for contained_db, rather than just a string. [GH-13469]
    • secrets/gcp: Fixes role bindings for BigQuery dataset resources. [GH-13548]
    • secrets/pki: Fix regression causing performance secondaries to forward certificate generation to the primary. [GH-13759]
    • storage/raft: On linux, use map_populate for bolt files to improve startup time. [GH-13573]
    • storage/raft: Units for bolt metrics now given in milliseconds instead of nanoseconds [GH-13749]
    • ui: Fixes breadcrumb bug for secrets navigation [GH-13604]
    • ui: Fixes issue saving KMIP role correctly [GH-13585]
  • v1.9.2 Changes

    December 21, 2021

    CHANGES:

    • go: Update go version to 1.17.5 [GH-13408]

    IMPROVEMENTS:

    • auth/jwt: The Authorization Code flow makes use of the Proof Key for Code Exchange (PKCE) extension. [GH-13365]

    BUG FIXES:

    • ui: Fix client count current month data not showing unless monthly history data exists [GH-13396]
  • v1.9.1 Changes

    December 9, 2021

    SECURITY:

    • storage/raft: Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1.

    IMPROVEMENTS:

    • storage/aerospike: Upgrade aerospike-client-go to v5.6.0. [GH-12165]

    BUG FIXES:

    • auth/approle: Fix regression where unset cidrlist is returned as nil instead of zero-length array. [GH-13235]
    • ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
    • http: Fix /sys/monitor endpoint returning streaming not supported [GH-13200]
    • identity/oidc: Make the nonce parameter optional for the Authorization Endpoint of OIDC providers. [GH-13231]
    • identity: Fixes a panic in the OIDC key rotation due to a missing nil check. [GH-13298]
    • sdk/queue: move lock before length check to prevent panics. [GH-13146]
    • secrets/azure: Fixes service principal generation when assigning roles that have DataActions. [GH-13277]
    • secrets/pki: Recognize ed25519 when requesting a response in PKCS8 format [GH-13257]
    • storage/raft: Fix a panic when trying to store a key > 32KB in a transaction. [GH-13286]
    • storage/raft: Fix a panic when trying to write a key > 32KB [GH-13282]
    • ui: Do not show verify connection value on database connection config page [GH-13152]
    • ui: Fixes issue restoring raft storage snapshot [GH-13107]
    • ui: Fixes issue with OIDC auth workflow when using MetaMask Chrome extension [GH-13133]
    • ui: Fixes issue with automate secret deletion value not displaying initially if set in secret metadata edit view [GH-13177]
    • ui: Fixes issue with placeholder not displaying for automatically deleted secrets when deletion time has passed [GH-13166]
    • ui: Fixes node-forge error when parsing EC (elliptic curve) certs [GH-13238]
  • v1.9.0 Changes

    November 17, 2021

    CHANGES:

    • auth/kubernetes: disable_iss_validation defaults to true. #127 [GH-12975]
    • expiration: VAULT_16_REVOKE_PERMITPOOL environment variable has been removed. [GH-12888]
    • expiration: VAULT_LEASE_USE_LEGACY_REVOCATION_STRATEGY environment variable has been removed. [GH-12888]
    • go: Update go version to 1.17.2
    • secrets/ssh: Roles with empty allowed_extensions will now forbid end-users specifying extensions when requesting ssh key signing. Update roles setting allowed_extensions to * to permit any extension to be specified by an end-user. [GH-12847]

    FEATURES:

    • Customizable HTTP Headers: Add support to define custom HTTP headers for root path (/) and also on API endpoints (/v1/*) [GH-12485]
    • Deduplicate Token With Entities in Activity Log: Vault tokens without entities are now tracked with client IDs and deduplicated in the Activity Log [GH-12820]
    • Elasticsearch Database UI: The UI now supports adding and editing Elasticsearch connections in the database secret engine. [GH-12672]
    • KV Custom Metadata: Add ability in kv-v2 to specify version-agnostic custom key metadata via the metadata endpoint. The data will be present in responses made to the data endpoint independent of the calling token's read access to the metadata endpoint. [GH-12907]
    • KV patch (Tech Preview): Add partial update support for the /<mount>/data/:path kv-v2 endpoint through HTTP PATCH. A new patch ACL capability has been added and is required to make such requests. [GH-12687]
    • Key Management Secrets Engine (Enterprise): Adds support for distributing and managing keys in GCP Cloud KMS.
    • Local Auth Mount Entities (enterprise): Logins on local auth mounts will generate identity entities for the tokens issued. The aliases of the entity resulting from local auth mounts (local-aliases), will be scoped by the cluster. This means that the local-aliases will never leave the geographical boundary of the cluster where they were issued. This is something to be mindful about for those who have implemented local auth mounts for complying with GDPR guidelines.
    • Namespaces (Enterprise): Adds support for locking Vault API for particular namespaces.
    • OIDC Identity Provider (Tech Preview): Adds support for Vault to be an OpenID Connect (OIDC) provider. [GH-12932]
    • Oracle Database UI: The UI now supports adding and editing Oracle connections in the database secret engine. [GH-12752]
    • Postgres Database UI: The UI now supports adding and editing Postgres connections in the database secret engine. [GH-12945]

    SECURITY:

    • core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user's policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5, 1.8.4, and 1.9.0.
    • core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

    IMPROVEMENTS:

    • agent/cache: Process persistent cache leases in dependency order during restore to ensure child leases are always correctly restored [GH-12843]
    • agent/cache: Use an in-process listener between consul-template and vault-agent when caching is enabled and either templates or a listener is defined [GH-12762]
    • agent/cache: tolerate partial restore failure from persistent cache [GH-12718]
    • agent/template: add support for new 'writeToFile' template function [GH-12505]
    • api: Add configuration option for ensuring isolated read-after-write semantics for all Client requests. [GH-12814]
    • api: adds native Login method to Go client module with different auth method interfaces to support easier authentication [GH-12796]
    • api: Move mergeStates and other required utils from agent to api module [GH-12731]
    • api: Support VAULT_HTTP_PROXY environment variable to allow overriding the Vault client's HTTP proxy [GH-12582]
    • auth/approle: The role/:name/secret-id-accessor/lookup endpoint now returns a 404 status code when the secret_id_accessor cannot be found [GH-12788]
    • auth/approle: expose secret_id_accessor as WrappedAccessor when creating wrapped secret-id. [GH-12425]
    • auth/aws: add profile support for AWS credentials when using the AWS auth method [GH-12621]
    • auth/kubernetes: validate JWT against the provided role on alias look ahead operations [GH-12688]
    • auth/kubernetes: Add ability to configure entity alias names based on the serviceaccount's namespace and name. #110 #112 [GH-12633]
    • auth/ldap: include support for an optional user filter field when searching for users [GH-11000]
    • auth/oidc: Adds the skip_browser CLI option to allow users to skip opening the default browser during the authentication flow. [GH-12876]
    • auth/okta: Send x-forwarded-for in Okta Push Factor request [GH-12320]
    • auth/token: Add allowed_policies_glob and disallowed_policies_glob fields to token roles to allow glob matching of policies [GH-7277]
    • cli: Operator diagnose now tests for missing or partial telemetry configurations. [GH-12802]
    • cli: add new http option -header which enables sending arbitrary headers with the cli [GH-12508]
    • command: operator generate-root -decode: allow passing encoded token via stdin [GH-12881]
    • core/token: Return the token_no_default_policy config on token role read if set [GH-12565]
    • core: Add support for go-sockaddr templated addresses in config. [GH-9109]
    • core: adds custom_metadata field for aliases [GH-12502]
    • core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [GH-12724]
    • core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27. [GH-12253]
    • core: Upgrade github.com/gogo/protobuf [GH-12255]
    • core: build with Go 1.17, and mitigate a breaking change they made that could impact how approle and ssh interpret IPs/CIDRs [GH-12868]
    • core: observe the client counts broken down by namespace for partial month client count [GH-12393]
    • core: Artifact builds will now only run on merges to the release branches or to main
    • core: The dockerfile that is used to build the vault docker image available at hashicorp/vault now lives in the root of this repo, and the entrypoint is available under .release/docker/docker-entrypoint.sh
    • core: The vault linux packaging service configs and pre/post install scripts are now available under .release/linux
    • core: Vault linux packages are now available for all supported linux architectures including arm, arm64, 386, and amd64
    • db/cassandra: make the connect_timeout config option actually apply to connection timeouts, in addition to non-connection operations [GH-12903]
    • identity/token: Only return keys from the .well-known/keys endpoint that are being used by roles to sign/verify tokens. [GH-12780]
    • identity: fix issue where Cache-Control header causes stampede of requests for JWKS keys [GH-12414]
    • physical/etcd: Upgrade etcd3 client to v3.5.0 and etcd2 to v2.305.0. [GH-11980]
    • pki: adds signature_bits field to customize signature algorithm on CAs and certs signed by Vault [GH-11245]
    • plugin: update the couchbase gocb version in the couchbase plugin [GH-12483]
    • replication (enterprise): Add merkle.flushDirty.num_pages_outstanding metric which specifies number of outstanding dirty pages that were not flushed. [GH-2093]
    • sdk/framework: The '+' wildcard is now supported for parameterizing unauthenticated paths. [GH-12668]
    • secrets/aws: Add conditional template that allows custom usernames for both STS and IAM cases [GH-12185]
    • secrets/azure: Adds support for rotate-root. #70 [GH-13034]
    • secrets/azure: Adds support for using Microsoft Graph API since Azure Active Directory API is being removed in 2022. #67 [GH-12629]
    • secrets/database: Update MSSQL dependency github.com/denisenkom/go-mssqldb to v0.11.0 and include support for contained databases in MSSQL plugin [GH-12839]
    • secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]
    • secrets/pki: Use entropy augmentation when available when generating root and intermediate CA key material. [GH-12559]
    • secrets/pki: select appropriate signature algorithm for ECDSA signature on certificates. [GH-11216]
    • secrets/pki: Support ed25519 as a key for the pki backend [GH-11780]
    • secrets/rabbitmq: Update dependency github.com/michaelklishin/rabbit-hole to v2 and resolve UserInfo.tags regression from RabbitMQ v3.9 [GH-12877]
    • secrets/ssh: Let allowed_users template mix templated and non-templated parts. [GH-10886]
    • secrets/ssh: Use entropy augmentation when available for generation of the signing key. [GH-12560]
    • serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]
    • storage/raft: Best-effort handling of cancelled contexts. [GH-12162]
    • transform (enterprise): Add advanced features for encoding and decoding for Transform FPE
    • transform (enterprise): Add a reference field to batch items, and propagate it to the response
    • ui: Add KV secret search box when no metadata list access. [GH-12626]
    • ui: Add custom metadata to KV secret engine and metadata to config [GH-12169]
    • ui: Creates new StatText component [GH-12295]
    • ui: client count monthly view [GH-12554]
    • ui: creates bar chart component for displaying client count data by namespace [GH-12437]
    • ui: Add creation time to KV 2 version history and version view [GH-12663]
    • ui: Added resize for JSON editor [GH-12906]
    • ui: Adds warning about white space in KV secret engine. [GH-12921]
    • ui: Click to copy database static role last rotation value in tooltip [GH-12890]
    • ui: Filter DB connection attributes so only relevant attrs POST to backend [GH-12770]
    • ui: Removes empty rows from DB config views [GH-12819]
    • ui: Standardizes toolbar presentation of destructive actions [GH-12895]
    • ui: Updates font for table row value fields [GH-12908]
    • ui: namespace search in client count views [GH-12577]
    • ui: parse and display pki cert metadata [GH-12541]
    • ui: replaces Vault's use of elazarl/go-bindata-assetfs in building the UI with Go's native Embed package [GH-11208]
    • ui: updated client tracking config view [GH-12422]

    DEPRECATIONS:

    • auth/kubernetes: deprecate disable_iss_validation and issuer configuration fields #127 [GH-12975]

    πŸ› BUG FIXES:

    • 🌲 activity log (enterprise): allow partial monthly client count to be accessed from namespaces [GH-13086]
    • agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
    • πŸ“œ api: Fixes storage APIs returning incorrect error when parsing responses [GH-12338]
    • auth/aws: Fix ec2 auth on instances that have a cert in their PKCS7 signature [GH-12519]
    • πŸ›  auth/aws: Fixes ec2 login no longer supporting DSA signature verification [GH-12340]
    • auth/aws: fix config/rotate-root to store new key [GH-12715]
    • auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12265]
    • cli/api: Providing consistency for the use of comma separated parameters in auth/secret enable/tune [GH-12126]
    • πŸ›  cli: fixes CLI requests when namespace is both provided as argument and part of the path [GH-12720]
    • πŸ›  cli: fixes CLI requests when namespace is both provided as argument and part of the path [GH-12911]
    • 🌲 cli: vault debug now puts newlines after every captured log line. [GH-12175]
    • core (enterprise): Allow deletion of stored licenses on DR secondary nodes
    • core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
    • πŸ”Œ core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
    • core (enterprise): Fix data race during perf standby sealing
    • 🐎 core (enterprise): Fixes reading raft auto-snapshot configuration from performance standby node [GH-12317]
    • core (enterprise): Only delete quotas on primary cluster. [GH-12339]
    • core (enterprise): namespace header included in responses, Go client uses it when displaying error messages [GH-12196]
    • core/api: Fix an arm64 bug converting a negative int to an unsigned int [GH-12372]
    • ⚑️ core/identity: Address a data race condition between local updates to aliases and invalidations [GH-13093]
    • core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
    • ⚑️ core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
    • core: Fix a deadlock on HA leadership transfer [GH-12691]
    • ⚠ core: Fix warnings logged on perf standbys re stored versions [GH-13042]
    • πŸ–¨ core: fix byte printing for diagnose disk checks [GH-12229]
    • ⬇️ core: revert some unintentionally downgraded dependencies from 1.9.0-rc1 [GH-13168]
    • 0️⃣ database/couchbase: change default template to truncate username at 128 characters [GH-12301]
    • ⚑️ database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
    • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
    • πŸ“š http: removed unpublished true from logical_system path, making openapi spec consistent with documentation [GH-12713]
    • identity/token: Adds missing call to unlock mutex in key deletion error handling [GH-12916]
    • identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
    • identity: Fix a panic on arm64 platform when doing identity I/O. [GH-12371]
    • identity: Fix regression preventing startup when aliases were created pre-1.9. [GH-13169]
    • identity: dedup from_entity_ids when merging two entities [GH-10101]
    • identity: disallow creation of role without a key parameter [GH-12208]
    • identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]
    • πŸ”€ identity: merge associated entity groups when merging entities [GH-10085]
    • identity: suppress duplicate policies on entities [GH-12812]
    • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
    • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
    • kmip (enterprise): Forward KMIP register operations to the active node
    • license: ignore stored terminated license while autoloading is enabled [GH-2104]
    • πŸ— licensing (enterprise): Revert accidental inclusion of the TDE feature from the prem build.
    • 🏁 physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
    • pki: Fix regression preventing email addresses being used as a common name within certificates [GH-12716]
    • πŸ”Œ plugin/couchbase: Fix an issue in which the locking patterns did not allow parallel requests. [GH-13033]
    • πŸ”Œ plugin/snowflake: Fixed bug where plugin would crash on 32 bit systems [GH-12378]
    • ⚑️ raft (enterprise): Fix panic when updating auto-snapshot config
    • replication (enterprise): Fix issue where merkle.flushDirty.num_pages metric is not emitted if number of dirty pages is 0. [GH-2093]
    • replication (enterprise): Fix merkle.saveCheckpoint.num_dirty metric to accurately specify the number of dirty pages in the merkle tree at time of checkpoint creation. [GH-2093]
    • sdk/database: Fix a DeleteUser error message on the gRPC client. [GH-12351]
    • secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
    • βͺ secrets/gcp: Fixes a potential panic in the service account policy rollback for rolesets. [GH-12379]
    • πŸ‘ secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12934]
    • πŸ”Œ secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #28 [GH-12600]
    • secrets/transit: Enforce minimum cache size for transit backend and init cache size on transit backend without restart. [GH-12418]
    • ⚑️ storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
    • storage/raft (enterprise): Ensure that raft autosnapshot backoff retry duration never hits 0s
    • storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
    • πŸ”Š storage/raft: Fix regression in 1.9.0-rc1 that changed how time is represented in Raft logs; this prevented using a raft db created pre-1.9. [GH-13165]
    • storage/raft: Support addr_type=public_v6 in auto-join [GH-12366]
    • transform (enterprise): Enforce minimum cache size for Transform backend and reset cache size without a restart
    • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.
    • πŸ’» ui: Adds pagination to auth methods list view [GH-13054]
    • πŸ’» ui: Fix bug where capabilities check on secret-delete-menu was encoding the forward slashes. [GH-12550]
    • 0️⃣ ui: Fix bug where edit role form on auth method is invalid by default [GH-12646]
    • πŸ’» ui: Fixed api explorer routing bug [GH-12354]
    • πŸ’» ui: Fixed text overflow in flash messages [GH-12357]
    • πŸ’» ui: Fixes issue with the number of PGP Key inputs not matching the key shares number in the initialization form on change [GH-13038]
    • πŸ’» ui: Fixes metrics page when read on counter config not allowed [GH-12348]
    • 🚚 ui: Remove spinner after token renew [GH-12887]
    • 🚚 ui: Removes ability to tune token_type for token auth methods [GH-12904]
    • ⚠ ui: Show day of month instead of day of year in the expiration warning dialog [GH-11984]
    • πŸ’» ui: fix issue where on MaskedInput on auth methods if tab it would clear the value. [GH-12409]
    • πŸ’» ui: fix missing navbar items on login to namespace [GH-12478]
    • ⚑️ ui: update bar chart when model changes [GH-12622]
    • ⚑️ ui: updating database TTL picker help text. [GH-12212]
  • v1.8.12 Changes

    June 10, 2022

    πŸ› BUG FIXES:

    • agent: Redact auto auth token from renew endpoints [GH-15380]
    • πŸ”Š core: Prevent changing file permissions of audit logs when mode 0000 is used. [GH-15759]
    • πŸ›  core: fixed systemd reloading notification [GH-15041]
    • core: pre-calculate namespace specific paths when tainting a route during postUnseal [GH-15067]
    • πŸ”§ storage/raft (enterprise): Auto-snapshot configuration now forbids slashes in file prefixes for all types, and "/" in path prefix for local storage type. Strip leading prefix in path prefix for AWS. Improve error handling/reporting.
    • 0️⃣ transform (enterprise): Fix non-overridable column default value causing tokenization tokens to expire prematurely when using the MySQL storage backend.