Vault v1.0.2 Release Notes

Release Date: 2019-01-15

    🔒 SECURITY:

    • When creating a child token from a parent with bound_cidrs, the list of CIDRs would not be propagated to the child token, allowing the child token to be used from any address.
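A post-upgrade check for this fix, added here as an example that is not part of the release notes or of Vault's own code: it compares the `bound_cidrs` list from a parent token's lookup response with the one on a child token and reports any address that the child would accept but the parent would refuse. The lookup responses below are constructed samples, and the field name `data.bound_cidrs` is assumed to be how the lookup response exposes the list.

```python
import ipaddress

# Constructed sample `token lookup` responses (not real Vault output).
PARENT_LOOKUP = {"data": {"bound_cidrs": ["10.0.0.0/8", "192.168.1.0/24"]}}
CHILD_LOOKUP_BUGGY = {"data": {"bound_cidrs": []}}  # pre-1.0.2: list not propagated
CHILD_LOOKUP_FIXED = {"data": {"bound_cidrs": ["10.0.0.0/8", "192.168.1.0/24"]}}


def _networks(lookup):
    """Parse data.bound_cidrs (assumed field name) into a set of networks."""
    cidrs = lookup.get("data", {}).get("bound_cidrs") or []
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def missing_cidrs(parent, child):
    """Return the parent's bound CIDRs that the child token does not carry."""
    return sorted(str(n) for n in _networks(parent) - _networks(child))


def address_allowed(addr, cidrs):
    """Mirror the token-use check: an empty list means no address restriction."""
    if not cidrs:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def exposure(parent, child, addr):
    """True if addr may use the child token although the parent would refuse it."""
    child_cidrs = child.get("data", {}).get("bound_cidrs")
    parent_cidrs = parent.get("data", {}).get("bound_cidrs")
    return address_allowed(addr, child_cidrs) and not address_allowed(addr, parent_cidrs)


if __name__ == "__main__":
    for name, child in (("buggy", CHILD_LOOKUP_BUGGY), ("fixed", CHILD_LOOKUP_FIXED)):
        print(name, "missing:", missing_cidrs(PARENT_LOOKUP, child),
              "exposed to 203.0.113.7:", exposure(PARENT_LOOKUP, child, "203.0.113.7"))
```

Feed it the JSON from `vault token lookup` (or the lookup API) for a parent and a child it created; a non-empty `missing_cidrs` result after the upgrade means the child was issued before the fix and should be revoked.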

    🔄 CHANGES:

    • secret/aws: Role now returns credential_type instead of credential_types to match the role input. If a legacy role can supply more than one credential type, the types are concatenated with a comma (,).
    • physical/dynamodb, autoseal/aws: Instead of Vault performing environment variable handling, and overriding static (config file) values if found, we use the default AWS SDK env handling behavior, which also looks for deprecated values. If you were previously providing both config values and environment values, please ensure the config values are unset if you want to use environment values.
    • Namespaces (Enterprise): Providing "root" as the header value for X-Vault-Namespace will perform the request on the root namespace. This is equivalent to providing an empty value. Creating a namespace called "root" in the root namespace is disallowed.

    🔋 FEATURES:

    • InfluxDB Database Plugin: Use Vault to dynamically create and manage InfluxDB users

    👌 IMPROVEMENTS:

    • auth/aws: AWS EC2 authentication can optionally create entity aliases by image ID [GH-5846]
    • autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal [GH-5999]
    • physical/foundationdb: TLS support added. [GH-5800]

    ๐Ÿ› BUG FIXES:

    • api: Fix a couple of places where we were using the LIST HTTP verb (necessary to get the right method into the wrapping lookup function) without then changing it to a GET. Although LIST is officially the verb Vault uses for listing and custom verbs are fully legal, many WAFs and API gateways choke on anything outside the RFC-standardized verbs, so we fall back to GET [GH-6026]
    • autoseal/aws: Fix reading session tokens when AWS access key/secret key are also provided [GH-5965]
    • command/operator/rekey: Fix help output showing -delete-backup when it should show -backup-delete [GH-5981]
    • core: Fix bound_cidrs not being propagated to child tokens
    • replication: Correctly forward identity entity creation that originates from performance standby nodes (Enterprise)
    • secret/aws: Make input credential_type match the output type (string, not array) [GH-5972]
    • secret/cubbyhole: Properly cleanup cubbyhole after token revocation [GH-6006]
    • secret/pki: Fix reading certificates on Windows with the file storage backend [GH-6013]
    • ui (enterprise): properly display perf-standby count on the license page [GH-5971]
    • ui: fix disappearing nested secrets and go to the nearest parent when deleting a secret [GH-5976]
    • ui: fix error where deleting an item via the context menu would fail if the item name contained dots [GH-6018]
    • ui: allow saving of kv secret after an errored save attempt [GH-6022]
    • ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]