ยซ Changelog History


Vault v1.2.4 Release Notes

Release Date: 2019-11-07 // over 4 years ago

  • ๐Ÿ”’ SECURITY:

    • In a non-root namespace, revocation of a token scoped to a non-root namespace did not trigger the expected revocation of dynamic secret leases associated with that token. As a result, dynamic secret leases in non-root namespaces may outlive the token that created them. This vulnerability, CVE-2019-18616, affects Vault Enterprise 0.11.0 and newer.
    • Disaster Recovery secondary clusters did not delete already-replicated data after a mount filter has been created on an upstream Performance secondary cluster. As a result, encrypted secrets may remain replicated on a Disaster Recovery secondary cluster after application of a mount filter excluding those secrets from replication. This vulnerability, CVE-2019-18617, affects Vault Enterprise 0.8 and newer.
    • Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which corresponds to CVE-2019-17596.

    ๐Ÿ”„ CHANGES:

    • auth/aws: If a custom sts_endpoint is configured, Vault Agent and the CLI should provide the corresponding region via the region parameter (which already existed as a CLI parameter, and has now been added to Agent). The automatic region detection added to the CLI and Agent in 1.2 has been removed.

    ๐Ÿ‘Œ IMPROVEMENTS:

    • cli: Ignore existing token during CLI login [GH-7508]
    • core: Log proxy settings from environment on startup [GH-7528]
    • core: Cache whether we've been initialized to reduce load on storage [GH-7549]

    ๐Ÿ› BUG FIXES:

    • agent: Fix handling of gzipped responses [GH-7470]
    • cli: Fix panic when pgp keys list is empty [GH-7546]
    • cli: Command timeouts are now always specified solely by the VAULT_CLIENT_TIMEOUT value. [GH-7469]
    • core: add hook for initializing seals for migration [GH-7666]
    • core (enterprise): Migrating from one auto unseal method to another never worked on enterprise, now it does.
    • identity: Add required field response_types_supported to identity token .well-known/openid-configuration response [GH-7533]
    • identity: Fixed nil pointer panic when merging entities [GH-7712]
    • replication (Enterprise): Fix issue causing performance standbys nodes disconnecting when under high loads.
    • secrets/azure: Fix panic that could occur if client retries timeout [GH-7793]
    • secrets/database: Fix bug in combined DB secrets engine that can result in writes to static-roles endpoints timing out [GH-7518]
    • secrets/pki: Improve tidy to continue when value is nil [GH-7589]
    • ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to be viewed in the UI [GH-7504]