All Versions: 83
Avg Release Cycle: 26 days
Latest Release: 14 days ago

Changelog History

  • v1.4.2

    May 21, 2020

    🔒 SECURITY:

    • 🛠 core: Proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1, as well as older versions of Vault [GH-9022]
    • 🔧 secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being used instead of the configured backend TTLs for dynamic service accounts. This vulnerability is CVE-2020-12757. [GH-85]

    👌 IMPROVEMENTS:

    • storage/raft: The storage stanza now accepts leader_ca_cert_file, leader_client_cert_file, and leader_client_key_file parameters to read and parse TLS certificate information from paths on disk. Existing non-path based parameters will continue to work, but their values will need to be provided as a single-line string with newlines delimited by \n. [GH-8894]
    • storage/raft: The vault status CLI command and the sys/leader API now contain the committed and applied raft indexes. [GH-9011]

    πŸ› BUG FIXES:

    • πŸ“‡ auth/aws: Fix token renewal issues caused by the metadata changes in 1.4.1 [GH-8991]
    • auth/ldap: Fix 1.4.0 regression that could result in auth failures when LDAP auth config includes upndomain. [GH-9041]
    • πŸ”Œ secrets/ad: Forward rotation requests from standbys to active clusters [GH-66]
    • πŸ”Œ secrets/database: Prevent generation of usernames that are not allowed by the MongoDB Atlas API [GH-9]
    • secrets/database: Return an error if a manual rotation of static account credentials fails [GH-9035]
    • secrets/openldap: Forward all rotation requests from standbys to active clusters [GH-9028]
    • secrets/transform (enterprise): Fix panic that could occur when accessing cached template entries, such as a requests that accessed templates directly or indirectly from a performance standby node.
    • serviceregistration: Fix a regression for Consul service registration that ignored using the listener address as the redirect address unless api_addr was provided. It now properly uses the same redirect address as the one used by Vault's Core object. [GH-8976]
    • πŸ”§ storage/raft: Advertise the configured cluster address to the rest of the nodes in the raft cluster. This fixes an issue where a node advertising 0.0.0.0 is not using a unique hostname. [GH-9008]
    • storage/raft: Fix panic when multiple nodes attempt to join the cluster at once. [GH-9008]
    • πŸ’» sys: The path provided in sys/internal/ui/mounts/:path is now namespace-aware. This fixes an issue with vault kv subcommands that had namespaces provided in the path returning permission denied all the time. [GH-8962]
    • πŸ’» ui: Fix snowman that appears when namespaces have more than one period [GH-8910]
  • v1.4.1

    April 30, 2020

    🔄 CHANGES:

    • auth/aws: The default set of metadata fields added in 1.4.1 has been changed to account_id and auth_type [GH-8783]
    • storage/raft: Disallow ha_storage to be specified if raft is set as the storage type. [GH-8707]

    👌 IMPROVEMENTS:

    • 📇 auth/aws: The set of metadata stored during login is now configurable [GH-8783]
    • 👀 auth/aws: Improve region selection to avoid errors seen if the account hasn't enabled some newer AWS regions [GH-8679]
    • 🔌 auth/azure: Enable login from Azure VMs with user-assigned identities [GH-33]
    • 📇 auth/gcp: The set of metadata stored during login is now configurable [GH-92]
    • 🔧 auth/gcp: The type of alias name used during login is now configurable [GH-95]
    • auth/ldap: Improve error messages during LDAP operation failures [GH-8740]
    • identity: Add a batch delete API for identity entities [GH-8785]
    • 🐎 identity: Improve performance of logins when no group updates are needed [GH-8795]
    • metrics: Add vault.identity.num_entities metric [GH-8816]
    • secrets/kv: Allow delete-version-after to be reset to 0 via the CLI [GH-8635]
    • secrets/rabbitmq: Improve error handling and reporting [GH-8619]
    • 💻 ui: Provide One Time Password during Operation Token generation process [GH-8630]

    πŸ› BUG FIXES:

    • auth/okta: Fix MFA regression (introduced in GH-8143) from 1.4.0 [GH-8807]
    • auth/userpass: Fix upgrade value for token_bound_cidrs being ignored due to incorrect key provided [GH-8826]
    • 🚚 config/seal: Fix segfault when seal block is removed [GH-8517]
    • πŸ— core: Fix an issue where users attempting to build Vault could receive Go module checksum errors [GH-8770]
    • πŸ”’ core: Fix blocked requests if a SIGHUP is issued during a long-running request has the state lock held. Also fixes deadlock that can happen if vault debug with the config target is ran during this time. [GH-8755]
    • core: Always rewrite the .vault-token file as part of a vault login to ensure permissions and ownership are set correctly [GH-8867]
    • database/mongodb: Fix context deadline error that may result due to retry attempts on failed commands [GH-8863]
    • πŸ“¦ http: Fix superflous call messages from the http package on logs caused by missing returns after respondError calls [GH-8796]
    • namespace (enterprise): Fix namespace listing to return key_info when a scoping namespace is also provided.
    • seal/gcpkms: Fix panic that could occur if all seal parameters were provided via environment variables [GH-8840]
    • πŸ“‡ storage/raft: Fix memory allocation and incorrect metadata tracking issues with snapshots [GH-8793]
    • storage/raft: Fix panic that could occur if disable_clustering was set to true on Raft storage cluster [GH-8784]
    • storage/raft: Handle errors returned from the API during snapshot operations [GH-8861]
    • sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data [GH-8714]
  • v1.4

    February 20, 2020

    🔄 CHANGES:

    • 🔧 cli: The raft configuration command has been renamed to list-peers to avoid confusion.

    🔋 FEATURES:

    • Kerberos Authentication: Vault now supports Kerberos authentication using a SPNEGO token. Login can be performed using the Vault CLI, API, or agent.
    • Kubernetes Service Discovery: A new Kubernetes service discovery feature where, if configured, Vault will tag Vault pods with their current health status. For more, see #8249.
    • MongoDB Atlas Secrets: Vault can now generate dynamic credentials for both MongoDB Atlas databases as well as the Atlas programmatic interface.
    • OpenLDAP Secrets Engine: We now support password management of existing OpenLDAP user entries. For more, see #8360.
    • Redshift Database Secrets Engine: The database secrets engine now supports static and dynamic secrets for the Amazon Web Services (AWS) Redshift service.
    • Service Registration Config: A newly introduced service_registration configuration stanza, that allows for service registration to be configured separately from the storage backend. For more, see #7887.

    👌 IMPROVEMENTS:

    • agent: Add option to force the use of the auto-auth token and ignore the Vault token in the request [GH-8101]
    • ⏪ api: Restore and fix DNS SRV Lookup [GH-8520]
    • audit: HMAC http_raw_body in audit log; this ensures that large authenticated Prometheus metrics responses get replaced with short HMAC values [GH-8130]
    • audit: Generate-root, generate-recovery-token, and generate-dr-operation-token requests and responses are now audited. [GH-8301]
    • auth/aws: Reduce the number of simultaneous STS client credentials needed [GH-8161]
    • 📇 auth/azure: subscription ID, resource group, vm and vmss names are now stored in alias metadata [GH-30]
    • 🔌 auth/jwt: Additional OIDC callback parameters available for CLI logins [GH-80 & GH-86]
    • 🔧 auth/jwt: Bound claims may be optionally configured using globs [GH-89]
    • 🔌 auth/jwt: Timeout during OIDC CLI login if process doesn't complete within 2 minutes [GH-97]
    • 🔌 auth/jwt: Add support for the form_post response mode [GH-98]
    • 🔌 auth/jwt: add optional client_nonce to authorization flow [GH-104]
    • ⬆️ auth/okta: Upgrade okta sdk lib, which should improve handling of groups [GH-8143]
    • 📇 aws: Add support for v2 of the instance metadata service (see issue 7924 for all linked PRs)
    • core: Separate out service discovery interface from storage interface to allow new types of service discovery not coupled to storage [GH-7887]
    • 👍 core: Add support for telemetry option metrics_prefix [GH-8340]
    • core: Entropy Augmentation can now be used with AWS KMS and Vault Transit seals
    • core: Allow tls_min_version to be set to TLS 1.3 [GH-8305]
    • 🔧 cli: Incorrect TLS configuration will now correctly fail [GH-8025]
    • identity: Allow specifying a custom client_id for identity tokens [GH-8165]
    • 🐎 metrics/prometheus: improve performance with high volume of metrics updates [GH-8507]
    • replication (enterprise): Fix race condition causing clusters with high throughput writes to sometimes fail to enter streaming-wal mode
    • replication (enterprise): Secondary clusters can now perform an extra gRPC call to all nodes in a primary cluster in an attempt to resolve the active node's address
    • 🐎 replication (enterprise): The replication status API now outputs last_performance_wal, last_dr_wal, and connection_state values
    • replication (enterprise): DR secondary clusters can now be recovered by the replication/dr/secondary/recover API
    • replication (enterprise): We now allow for an alternate means to create a Disaster Recovery token, by using a batch token that is created with an ACL that allows for access to one or more of the DR endpoints.
    • secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver [GH-8140]
    • 👍 secrets/database/mongodb: Add support for x509 client authorization to MongoDB [GH-8329]
    • 🔌 secrets/database/oracle: Add support for static credential rotation [GH-26]
    • 👍 secrets/consul: Add support to specify TLS options per Consul backend [GH-4800]
    • 🔌 secrets/gcp: Allow specifying the TTL for a service key [GH-54]
    • 🔌 secrets/gcp: Add support for rotating root keys [GH-53]
    • 🔌 secrets/gcp: Handle version 3 policies for Resource Manager IAM requests [GH-77]
    • 👍 secrets/nomad: Add support to specify TLS options per Nomad backend [GH-8083]
    • secrets/ssh: Allowed users can now be templated with identity information [GH-7548]
    • 👍 secrets/transit: Adding RSA3072 key support [GH-8151]
    • storage/consul: Vault now returns a more descriptive error message when only a client cert or a client key has been provided [GH-4930]
    • storage/raft: Nodes in the raft cluster can all be given a list of possible leader addresses to continuously try and join, automating the join process to a greater extent [GH-7856]
    • storage/raft: Fix a potential deadlock that could occur on leadership transition [GH-8547]
    • ⏪ storage/raft: Refresh TLS keyring on snapshot restore [GH-8546]
    • storage/etcd: Bumped etcd client API SDK [GH-7931 & GH-4961 & GH-4349 & GH-7582]
    • 💻 ui: Make Transit Key actions more prominent [GH-8304]
    • 💻 ui: Add Core Usage Metrics [GH-8347]
    • 💻 ui: Add refresh Namespace list on the Namespace dropdown, and redesign of Namespace dropdown menu [GH-8442]
    • ⚡️ ui: Update transit actions to codeblocks & automatically encode plaintext unless indicated [GH-8462]
    • 💻 ui: Display the results of transit key actions in a modal window [GH-8462]
    • ⚡️ ui: Transit key version styling updates & ability to copy key from dropdown [GH-8480]
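What the audit change above (HMAC http_raw_body, GH-8130) buys in practice: the full metrics scrape body is replaced by a fixed-length salted HMAC, so the audit line stays small and the body itself never lands in the log, while anyone holding the device salt can still confirm that a given body is the one that was served. The block below is an added Go example, not Vault's audit code. The hmac-sha256:<hex> form and the per-device salt follow the way Vault documents its audit hashing; the AuditEntry type, the sample scrape body and the salt value are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// AuditHMAC returns the salted HMAC-SHA256 of value in the
// "hmac-sha256:<hex>" form used for hashed audit fields. The salt is the
// per-audit-device secret; without it the hashes cannot be matched to values.
func AuditHMAC(salt []byte, value string) string {
	mac := hmac.New(sha256.New, salt)
	mac.Write([]byte(value))
	return "hmac-sha256:" + hex.EncodeToString(mac.Sum(nil))
}

// AuditEntry is a minimal, constructed stand-in for an audit response record;
// only the fields the example needs are modelled.
type AuditEntry struct {
	Path        string `json:"path"`
	Status      int    `json:"status"`
	HTTPRawBody string `json:"http_raw_body,omitempty"`
}

// HashRawBody returns a copy of e whose http_raw_body is replaced by its
// salted HMAC. A multi-megabyte Prometheus scrape collapses to a fixed
// 76-character token (12-char prefix plus 64 hex chars).
func HashRawBody(e AuditEntry, salt []byte) AuditEntry {
	if e.HTTPRawBody != "" {
		e.HTTPRawBody = AuditHMAC(salt, e.HTTPRawBody)
	}
	return e
}

// VerifyRawBody reports whether candidate is the body whose HMAC was logged
// in e. The comparison is constant-time so the check itself leaks nothing.
func VerifyRawBody(e AuditEntry, salt []byte, candidate string) bool {
	return hmac.Equal([]byte(e.HTTPRawBody), []byte(AuditHMAC(salt, candidate)))
}

func main() {
	salt := []byte("per-audit-device-salt") // constructed; real salts are random
	// Constructed metrics body standing in for a large authenticated scrape.
	body := "# HELP vault_runtime_alloc_bytes Allocated bytes\n" +
		strings.Repeat("vault_runtime_alloc_bytes 123456\n", 1000)
	entry := AuditEntry{Path: "sys/metrics", Status: 200, HTTPRawBody: body}

	hashed := HashRawBody(entry, salt)
	line, _ := json.Marshal(hashed)
	fmt.Printf("raw body %d bytes -> audit line %d bytes\n", len(body), len(line))
	fmt.Println("body matches logged HMAC:", VerifyRawBody(hashed, salt, body))
	fmt.Println("other body matches:", VerifyRawBody(hashed, salt, "other"))
}
```

The salt is what keeps this from being a plain hash: without it, an attacker who reads the audit log cannot brute-force short values (tokens, usernames) by hashing guesses, which is why it must be stored separately from the log destination.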

    πŸ› BUG FIXES:

    • agent: Fix issue where TLS options are ignored for agent template feature [GH-7889]
    • 0️⃣ auth/jwt: Use lower case role names for default_role to match the role case convention [GH-100]
    • auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to lookup the group membership of the given user [GH-6325]
    • πŸ‘ cli: Support autocompletion for nested mounts [GH-8303]
    • cli: Fix CLI namespace autocompletion [GH-8315]
    • identity: Fix incorrect caching of identity token JWKS responses [GH-8412]
    • metrics/stackdriver: Fix issue that prevents the stackdriver metrics library to create unnecessary stackdriver descriptors [GH-8073]
    • 🐎 replication: Fix issue causing cubbyholes in namespaces on performance secondaries to not work.
    • seal (enterprise): Fix seal migration when transactional seal wrap backend is in use.
    • secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [GH-8282]
    • 0️⃣ secrets/database/mysql: Ensures default static credential rotation statements are used [GH-8240]
    • secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [GH-8240]
    • secrets/database/postgres: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [GH-8240]
    • πŸ‘ secrets/pki: Support FQDNs in DNS Name [GH-8288]
    • storage/raft: Allow seal migration to be performed on Vault clusters using raft storage [GH-8103]
    • telemetry: Prometheus requests on standby nodes will now return an error instead of forwarding the request to the active node [GH-8280]
    • πŸ’» ui: Fix broken popup menu on the transit secrets list page [GH-8348]
    • ⚑️ ui: Update headless Chrome flag to fix yarn run test:oss [GH-8035]
    • ⚑️ ui: Update CLI to accept empty strings as param value to reset previously-set values
    • πŸ’» ui: Fix bug where error states don't clear when moving between action tabs on Transit [GH-8354]
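The {{name}}/{{username}} compatibility fix for MySQL and PostgreSQL (GH-8240) amounts to treating both placeholders as the same field when a role's creation and rotation statements are rendered. The block below is an added Go example of that rendering and is not Vault's database plugin code: the RenderStatements helper, the set of placeholders it knows and the sample statements are assumptions for illustration. It also rejects any placeholder left unrendered, which is the check a practitioner wants when a role's statements are first written, so a typo like {{passwrd}} fails at configuration time rather than producing a broken credential at rotation time.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// placeholderRe matches any {{...}} token that survived rendering.
var placeholderRe = regexp.MustCompile(`\{\{[^}]*\}\}`)

// RenderStatements substitutes the supported placeholders into each
// statement. {{name}} and {{username}} are aliases for the same value, so
// statements written against either spelling keep working. Any placeholder
// still present afterwards is reported as an error instead of being sent to
// the database as a literal.
func RenderStatements(stmts []string, username, password, expiration string) ([]string, error) {
	r := strings.NewReplacer(
		"{{name}}", username,
		"{{username}}", username,
		"{{password}}", password,
		"{{expiration}}", expiration,
	)
	out := make([]string, 0, len(stmts))
	for _, s := range stmts {
		rendered := r.Replace(s)
		if left := placeholderRe.FindString(rendered); left != "" {
			return nil, fmt.Errorf("unresolved placeholder %s in statement %q", left, s)
		}
		out = append(out, rendered)
	}
	return out, nil
}

func main() {
	// Constructed statements: one uses {{name}}, the other {{username}}.
	stmts := []string{
		"CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';",
		"ALTER USER '{{username}}'@'%' IDENTIFIED BY '{{password}}';",
	}
	rendered, err := RenderStatements(stmts, "v-root-app-abc123", "p4ssw0rd", "")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, s := range rendered {
		fmt.Println(s)
	}

	// A misspelled placeholder is caught before anything reaches the database.
	_, err = RenderStatements([]string{"ALTER USER '{{name}}' IDENTIFIED BY '{{passwrd}}';"}, "u", "p", "")
	fmt.Println("typo detected:", err != nil)
}
```

Note that this is plain text substitution: the generated username and password are inserted verbatim, which is acceptable only because the engine generates both values itself; never feed caller-controlled strings into statements this way.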
  • v1.4.0-rc1

    March 19, 2020
  • v1.4.0-beta1

    February 20, 2020
  • v1.3.6

    May 21, 2020

    🔒 SECURITY:

    • 🛠 core: Proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1, as well as older versions of Vault [GH-9022]
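The redaction behind CVE-2020-13223, listed here for 1.3.6 and above for 1.4.2, comes down to scrubbing the userinfo part out of URL-valued environment variables before they reach a log line. The block below is an added Go example of that scrubbing and is not Vault's own fix [GH-9022]: the variable list, the "redacted:redacted" placeholder and the "[redacted]" fallback are assumptions for illustration. It also covers the scheme-less "user:pass@host:port" form, where a naive url.Parse would read "user" as the scheme and let the password through.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// proxyEnvVars lists the variables Go's net/http and most HTTP tooling read
// for outbound proxy configuration, in both spellings (assumed list).
var proxyEnvVars = []string{
	"HTTP_PROXY", "http_proxy",
	"HTTPS_PROXY", "https_proxy",
	"ALL_PROXY", "all_proxy",
	"NO_PROXY", "no_proxy",
}

// RedactURLUserinfo strips the user:password component from a proxy URL,
// keeping scheme, host and port visible for debugging. Values with no "@"
// cannot carry a credential (NO_PROXY host lists, bare host:port proxies) and
// are returned unchanged. A scheme-less "user:pass@host:port" is parsed as a
// network-path reference ("//user:pass@host:port") so the userinfo is still
// found. Anything containing "@" that still fails to parse is dropped
// entirely rather than logged as-is.
func RedactURLUserinfo(raw string) string {
	if !strings.Contains(raw, "@") {
		return raw
	}
	hasScheme := strings.Contains(raw, "://")
	candidate := raw
	if !hasScheme {
		candidate = "//" + raw
	}
	u, err := url.Parse(candidate)
	if err != nil || u.User == nil {
		return "[redacted]"
	}
	u.User = url.UserPassword("redacted", "redacted")
	out := u.String()
	if !hasScheme {
		out = strings.TrimPrefix(out, "//")
	}
	return out
}

// RedactedProxyEnv returns NAME=value lines for every proxy variable that is
// set, with credentials removed. The lookup function is injected (os.LookupEnv
// in main) so the logic can be exercised against a constructed environment.
func RedactedProxyEnv(lookup func(string) (string, bool)) []string {
	var lines []string
	for _, name := range proxyEnvVars {
		if v, ok := lookup(name); ok {
			lines = append(lines, name+"="+RedactURLUserinfo(v))
		}
	}
	return lines
}

func main() {
	// Logging os.Environ() verbatim is exactly the mistake the entry describes;
	// log the redacted view instead.
	for _, line := range RedactedProxyEnv(os.LookupEnv) {
		fmt.Println(line)
	}
}
```

The host and port are deliberately kept: an operator debugging a broken egress path needs them, and they are not secret, whereas the password in the same string is.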

    πŸ› BUG FIXES:

    • πŸ“‡ auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5 [GH-8991]
    • 🐎 replication: Fix mount filter bug that allowed replication filters to hide local mounts on a performance secondary
  • v1.3.5

    April 28, 2020

    🔄 CHANGES:

    • auth/aws: The default set of metadata fields added in 1.3.2 has been changed to account_id and auth_type [GH-8783]

    👌 IMPROVEMENTS:

    • 📇 auth/aws: The set of metadata stored during login is now configurable [GH-8783]
  • v1.3.4

    March 19, 2020

    🔒 SECURITY:

    • 🛠 A vulnerability was identified in Vault and Vault Enterprise such that, under certain circumstances, an Entity's Group membership may inadvertently include Groups the Entity no longer has permissions to. This vulnerability, CVE-2020-10660, affects Vault and Vault Enterprise versions 0.9.0 and newer, and is fixed in 1.3.4. [GH-8606]
    • 🛠 A vulnerability was identified in Vault Enterprise such that, under certain circumstances, existing nested-path policies may give access to Namespaces created after-the-fact. This vulnerability, CVE-2020-10661, affects Vault Enterprise versions 0.11 and newer, and is fixed in 1.3.4.
  • v1.3.3

    March 05, 2020

    πŸ› BUG FIXES:

    • approle: Fix excessive locking during tidy, which could potentially block new approle logins for long enough to cause an outage [GH-8418]
    • cli: Fix issue where Raft snapshots from standby nodes created an empty backup file [GH-8097]
    • identity: Fix incorrect caching of identity token JWKS responses [GH-8412]
    • kmip: role read now returns tls_client_ttl
    • kmip: fix panic when templateattr not provided in rekey request
    • secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [GH-8282]
    • storage/mysql: Fix potential crash when using MySQL as coordination for high availability [GH-8300]
    • storage/raft: Fix potential crash when using Raft as coordination for high availability [GH-8356]
    • πŸ’» ui: Fix missing License menu item [GH-8230]
    • 0️⃣ ui: Fix bug where default auth method on login is defaulted to auth method that is listing-visibility=unauth instead of β€œother” [GH-8218]
    • πŸ’» ui: Fix bug where KMIP details were not shown in the UI Wizard [GH-8255]
    • πŸ”§ ui: Show Error messages on Auth Configuration page when you hit permission errors [GH-8500]
    • 🚚 ui: Remove duplicate form inputs for the GitHub config [GH-8519]
    • πŸ’» ui: Correct HMAC capitalization [GH-8528]
    • πŸ’» ui: Fix danger message in DR [GH-8555]
    • πŸ’» ui: Fix certificate field for LDAP config [GH-8573]
  • v1.3.2

    January 22, 2020

    🔒 SECURITY:

    • When deleting a namespace on Vault Enterprise, in certain circumstances, the deletion process will fail to revoke dynamic secrets for a mount in that namespace. This will leave any dynamic secrets in remote systems alive and will fail to clean them up. This vulnerability, CVE-2020-7220, affects Vault Enterprise 0.11.0 and newer.

    👌 IMPROVEMENTS:

    • auth/aws: Add aws metadata to identity alias [GH-7985]
    • auth/kubernetes: Allow both names and namespaces to be set to "*" [GH-78]

    πŸ› BUG FIXES:

    • auth/azure: Fix Azure compute client to use correct base URL [GH-8072]
    • πŸ”§ auth/ldap: Fix renewal of tokens without configured policies that are generated by an LDAP login [GH-8072]
    • πŸ”§ auth/okta: Fix renewal of tokens without configured policies that are generated by an Okta login [GH-8072]
    • core: Fix seal migration error when attempting to migrate from auto unseal to shamir [GH-8172]
    • core: Fix seal migration config issue when migrating from auto unseal to auto unseal [GH-8172]
    • πŸ”Œ plugin: Fix issue where a plugin unwrap request potentially used an expired token [GH-8058]
    • 🐎 replication: Fix issue where a forwarded request from a performance/standby node could run into a timeout
    • secrets/database: Fix issue where a manual static role rotation could potentially panic [GH-8098]
    • secrets/database: Fix issue where a manual root credential rotation request is not forwarded to the primary node [GH-8125]
    • secrets/database: Fix issue where a manual static role rotation request is not forwarded to the primary node [GH-8126]
    • secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [GH-8040]
    • πŸ’» ui: Fix deleting namespaces [GH-8132]
    • πŸ’» ui: Fix Error handler on kv-secret edit and kv-secret view pages [GH-8133]
    • πŸ’» ui: Fix OIDC callback to check storage [GH-7929].
    • πŸ’» ui: Change .box-radio height to min-height to prevent overflow issues [GH-8065]