Vault v1.9.4 Release Notes
March 3, 2022
SECURITY:
- secrets/pki: Vault and Vault Enterprise ("Vault") allowed the PKI secrets engine under certain configurations to issue wildcard certificates to authorized users for a specified domain, even if the PKI role policy attribute allow_subdomains is set to false. This vulnerability, CVE-2022-25243, was fixed in Vault 1.8.9 and 1.9.4.
- transform (enterprise): Vault Enterprise ("Vault") clusters using the tokenization transform feature can expose the tokenization key through the tokenization key configuration endpoint to authorized operators with read permissions on this endpoint. This vulnerability, CVE-2022-25244, was fixed in Vault Enterprise 1.7.10, 1.8.9, and 1.9.4.
CHANGES:
- secrets/azure: Changes the configuration parameter use_microsoft_graph_api to use the Microsoft Graph API by default. [GH-14130]
IMPROVEMENTS:
- core: Bump Go version to 1.17.7. [GH-14232]
- secrets/pki: Restrict issuance of wildcard certificates via role parameter (allow_wildcard_certificates) [GH-14238]
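The two PKI entries above (CVE-2022-25243 and the new allow_wildcard_certificates role parameter) both come down to how a wildcard name such as *.example.com is checked against a role's allowed_domains, allow_bare_domains, allow_subdomains and allow_glob_domains settings. The following is an added illustration, not Vault's own code: a simplified model of those checks that strips the wildcard label before matching (so the wildcard alone cannot satisfy a glob allowed domain) and gates every wildcard request on allow_wildcard_certificates, plus a small audit helper over role definitions. The sample roles are constructed inline, and the model assumes an unset allow_wildcard_certificates behaves as true (an assumption to verify against your own role definitions).

```python
from fnmatch import fnmatchcase

# Constructed sample roles in the shape of PKI role parameters.
# They are illustrative only and are not read from a Vault server.
ROLES = {
    "no-subdomains": {
        "allowed_domains": ["example.com"],
        "allow_bare_domains": True,
        "allow_subdomains": False,
        "allow_glob_domains": False,
        # allow_wildcard_certificates deliberately unset, see DEFAULT_ALLOW_WILDCARD
    },
    "subdomains-no-wildcard": {
        "allowed_domains": ["example.com"],
        "allow_bare_domains": True,
        "allow_subdomains": True,
        "allow_wildcard_certificates": False,
    },
    "glob": {
        "allowed_domains": ["*.example.com"],
        "allow_glob_domains": True,
        "allow_subdomains": False,
        "allow_wildcard_certificates": True,
    },
}

# Assumption: an unset allow_wildcard_certificates behaves as true, so a role
# that never set it keeps issuing wildcards until an operator opts out.
DEFAULT_ALLOW_WILDCARD = True


def name_allowed(role: dict, name: str) -> bool:
    """Simplified model: is `name` issuable under `role`?

    A wildcard request `*.example.com` is reduced to `example.com` before any
    domain check runs. The reduced name then needs allow_subdomains (or a glob
    match) like any other subdomain, and the request additionally needs
    allow_wildcard_certificates.
    """
    name = name.lower()
    is_wildcard = name.startswith("*.")
    if is_wildcard:
        if not role.get("allow_wildcard_certificates", DEFAULT_ALLOW_WILDCARD):
            return False
        reduced = name[2:]
    else:
        reduced = name
    if "*" in reduced:
        # Only a single leading wildcard label is accepted in this model.
        return False

    for domain in role.get("allowed_domains", []):
        domain = domain.lower()
        if "*" in domain:
            # Glob-style allowed domain: honoured only when the role opts in,
            # and matched against the reduced name, so `*.example.com` does not
            # satisfy the glob `*.example.com` by itself (the CVE-2022-25243 case).
            if role.get("allow_glob_domains") and fnmatchcase(reduced, domain):
                return True
            continue
        if reduced == domain:
            # Exact match: a plain name needs allow_bare_domains, while a
            # wildcard over the domain is a subdomain request.
            if is_wildcard:
                if role.get("allow_subdomains"):
                    return True
            elif role.get("allow_bare_domains"):
                return True
        elif reduced.endswith("." + domain) and role.get("allow_subdomains"):
            return True
    return False


def roles_still_allowing_wildcards(roles: dict) -> list:
    """Names of roles under which at least one probe wildcard name is issuable."""
    hits = []
    for role_name, role in roles.items():
        for domain in role.get("allowed_domains", []):
            base = domain.lstrip("*.")
            probes = [f"*.{base}", f"*.probe.{base}"]
            if any(name_allowed(role, p) for p in probes):
                hits.append(role_name)
                break
    return hits


if __name__ == "__main__":
    for role_name, role in ROLES.items():
        for cn in ("example.com", "www.example.com", "*.example.com", "*.foo.example.com"):
            print(f"{role_name:24} {cn:22} {'allow' if name_allowed(role, cn) else 'deny'}")
    print("roles still issuing wildcards:", roles_still_allowing_wildcards(ROLES))
```

In the model, the "no-subdomains" role denies *.example.com even though it never set allow_wildcard_certificates, because the wildcard is a subdomain request and allow_subdomains is false; the "glob" role still issues *.foo.example.com, which is the kind of role the audit helper is meant to surface. On a real cluster the corresponding opt-out is `vault write pki/roles/<name> allow_wildcard_certificates=false` (with the other role parameters repeated as needed), and the audit should be run against the roles read back from the server rather than the constructed sample above.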
BUG FIXES:
- Fixed bug where auth method only considers system-identity when multiple identities are available. #50 [GH-14138]
- auth/kubernetes: Properly handle the migration of role storage entries containing an empty alias_name_source [GH-13925]
- auth/kubernetes: ensure valid entity alias names created for projected volume tokens [GH-14144]
- identity/oidc: Adds support for port-agnostic validation of loopback IP redirect URIs. [GH-13871]
- identity/oidc: Fixes inherited group membership when evaluating client assignments [GH-14013]
- secrets/azure: Fixed bug where Azure environment did not change Graph URL [GH-13973]
- secrets/azure: Fixes the rotate root operation for upgraded configurations with a root_password_ttl of zero. [GH-14130]
- secrets/gcp: Fixed bug where error was not reported for invalid bindings [GH-13974]
- secrets/openldap: Fix panic from nil logger in backend [GH-14171]
- secrets/pki: Fix issuance of wildcard certificates matching glob patterns [GH-14235]
- storage/raft: Fix issues allowing invalid nodes to become leadership candidates. [GH-13703]
- ui: Fix default TTL display and set on database role [GH-14224]
- ui: Fix incorrect validity message on transit secrets engine [GH-14233]
- ui: Fix kv engine access bug [GH-13872]
- ui: Fix issue removing raft storage peer via cli not reflected in UI until refresh [GH-13098]
- ui: Trigger background token self-renewal if inactive and half of TTL has passed [GH-13950]