Vault v1.5.4 Release Notes

  • September 24th, 2020

    SECURITY:

    • Batch Token Expiry: We addressed an issue where batch token leases could outlive their TTL because we were not scheduling the expiration time correctly. This vulnerability affects Vault OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7 and 1.5.4 (CVE-2020-25816).

    IMPROVEMENTS:

    • secrets/pki: Handle expiration of a cert not in storage as a success [GH-9880]
    • auth/kubernetes: Add an option to disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod [GH-97]
    • secrets/gcp: Add check for 403 during rollback to prevent repeated deletion calls [GH-97]
    • core: Disable usage metrics collection on performance standby nodes. [GH-9966]
    • credential/aws: Added X-Amz-Content-Sha256 as a default STS request header [GH-10009]

    BUG FIXES:

    • agent: Fix disable_fast_negotiation not being set on the auth method when configured by user. [GH-9892]
    • core (enterprise): Fix hang when cluster-wide plugin reload cleanup is slow on unseal
    • core (enterprise): Fix an error in cluster-wide plugin reload cleanup following such a reload
    • core: Fix crash when metrics collection encounters zero-length keys in KV store [GH-9811]
    • mfa (enterprise): Fix incorrect handling of PingID responses that could result in auth requests failing
    • replication (enterprise): Improve race condition when using a newly created token on a performance standby node
    • replication (enterprise): Only write failover cluster addresses if they've changed
    • ui: fix bug where dropdown for identity/entity management is not reflective of actual policy [GH-9958]