Changelog History

  • v1.4.1 Changes

    April 30, 2020

    CHANGES:

    • auth/aws: The default set of metadata fields added in 1.4.1 has been changed to account_id and auth_type [GH-8783]
    • storage/raft: Disallow ha_storage to be specified if raft is set as the storage type. [GH-8707]

    IMPROVEMENTS:

    • auth/aws: The set of metadata stored during login is now configurable [GH-8783]
    • auth/aws: Improve region selection to avoid errors seen if the account hasn't enabled some newer AWS regions [GH-8679]
    • auth/azure: Enable login from Azure VMs with user-assigned identities [GH-33]
    • auth/gcp: The set of metadata stored during login is now configurable [GH-92]
    • auth/gcp: The type of alias name used during login is now configurable [GH-95]
    • auth/ldap: Improve error messages during LDAP operation failures [GH-8740]
    • identity: Add a batch delete API for identity entities [GH-8785]
    • identity: Improve performance of logins when no group updates are needed [GH-8795]
    • metrics: Add vault.identity.num_entities metric [GH-8816]
    • secrets/kv: Allow delete-version-after to be reset to 0 via the CLI [GH-8635]
    • secrets/rabbitmq: Improve error handling and reporting [GH-8619]
    • ui: Provide One Time Password during Operation Token generation process [GH-8630]

    BUG FIXES:

    • auth/okta: Fix MFA regression (introduced in GH-8143) from 1.4.0 [GH-8807]
    • auth/userpass: Fix upgrade value for token_bound_cidrs being ignored due to incorrect key provided [GH-8826]
    • config/seal: Fix segfault when seal block is removed [GH-8517]
    • core: Fix an issue where users attempting to build Vault could receive Go module checksum errors [GH-8770]
    • core: Fix blocked requests if a SIGHUP is issued during a long-running request that holds the state lock. Also fixes a deadlock that can happen if vault debug with the config target is run during this time. [GH-8755]
    • core: Always rewrite the .vault-token file as part of a vault login to ensure permissions and ownership are set correctly [GH-8867]
    • database/mongodb: Fix context deadline error that may result from retry attempts on failed commands [GH-8863]
    • http: Fix superfluous call messages from the http package in logs caused by missing returns after respondError calls [GH-8796]
    • namespace (enterprise): Fix namespace listing to return key_info when a scoping namespace is also provided.
    • seal/gcpkms: Fix panic that could occur if all seal parameters were provided via environment variables [GH-8840]
    • storage/raft: Fix memory allocation and incorrect metadata tracking issues with snapshots [GH-8793]
    • storage/raft: Fix panic that could occur if disable_clustering was set to true on a Raft storage cluster [GH-8784]
    • storage/raft: Handle errors returned from the API during snapshot operations [GH-8861]
    • sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data [GH-8714]
  • v1.4 Changes

    February 20, 2020

    CHANGES:

    • cli: The raft configuration command has been renamed to list-peers to avoid confusion.

    FEATURES:

    • Kerberos Authentication: Vault now supports Kerberos authentication using a SPNEGO token. Login can be performed using the Vault CLI, API, or agent.
    • Kubernetes Service Discovery: A new Kubernetes service discovery feature where, if configured, Vault will tag Vault pods with their current health status. For more, see #8249.
    • MongoDB Atlas Secrets: Vault can now generate dynamic credentials for both MongoDB Atlas databases as well as the Atlas programmatic interface.
    • OpenLDAP Secrets Engine: We now support password management of existing OpenLDAP user entries. For more, see #8360.
    • Redshift Database Secrets Engine: The database secrets engine now supports static and dynamic secrets for the Amazon Web Services (AWS) Redshift service.
    • Service Registration Config: A newly introduced service_registration configuration stanza that allows service registration to be configured separately from the storage backend. For more, see #7887.

    IMPROVEMENTS:

    • agent: add option to force the use of the auto-auth token, and ignore the Vault token in the request [GH-8101]
    • api: Restore and fix DNS SRV Lookup [GH-8520]
    • audit: HMAC http_raw_body in audit log; this ensures that large authenticated Prometheus metrics responses get replaced with short HMAC values [GH-8130]
    • audit: Generate-root, generate-recovery-token, and generate-dr-operation-token requests and responses are now audited. [GH-8301]
    • auth/aws: Reduce the number of simultaneous STS client credentials needed [GH-8161]
    • auth/azure: subscription ID, resource group, vm and vmss names are now stored in alias metadata [GH-30]
    • auth/jwt: Additional OIDC callback parameters available for CLI logins [GH-80 & GH-86]
    • auth/jwt: Bound claims may be optionally configured using globs [GH-89]
    • auth/jwt: Timeout during OIDC CLI login if process doesn't complete within 2 minutes [GH-97]
    • auth/jwt: Add support for the form_post response mode [GH-98]
    • auth/jwt: add optional client_nonce to authorization flow [GH-104]
    • auth/okta: Upgrade okta sdk lib, which should improve handling of groups [GH-8143]
    • aws: Add support for v2 of the instance metadata service (see issue 7924 for all linked PRs)
    • core: Separate out service discovery interface from storage interface to allow new types of service discovery not coupled to storage [GH-7887]
    • core: Add support for telemetry option metrics_prefix [GH-8340]
    • core: Entropy Augmentation can now be used with AWS KMS and Vault Transit seals
    • core: Allow tls_min_version to be set to TLS 1.3 [GH-8305]
    • cli: Incorrect TLS configuration will now correctly fail [GH-8025]
    • identity: Allow specifying a custom client_id for identity tokens [GH-8165]
    • metrics/prometheus: improve performance with high volume of metrics updates [GH-8507]
    • replication (enterprise): Fix race condition causing clusters with high throughput writes to sometimes fail to enter streaming-wal mode
    • replication (enterprise): Secondary clusters can now perform an extra gRPC call to all nodes in a primary cluster in an attempt to resolve the active node's address
    • replication (enterprise): The replication status API now outputs last_performance_wal, last_dr_wal, and connection_state values
    • replication (enterprise): DR secondary clusters can now be recovered by the replication/dr/secondary/recover API
    • replication (enterprise): We now allow for an alternate means to create a Disaster Recovery token, by using a batch token that is created with an ACL that allows for access to one or more of the DR endpoints.
    • secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver [GH-8140]
    • secrets/database/mongodb: Add support for x509 client authorization to MongoDB [GH-8329]
    • secrets/database/oracle: Add support for static credential rotation [GH-26]
    • secrets/consul: Add support to specify TLS options per Consul backend [GH-4800]
    • secrets/gcp: Allow specifying the TTL for a service key [GH-54]
    • secrets/gcp: Add support for rotating root keys [GH-53]
    • secrets/gcp: Handle version 3 policies for Resource Manager IAM requests [GH-77]
    • secrets/nomad: Add support to specify TLS options per Nomad backend [GH-8083]
    • secrets/ssh: Allowed users can now be templated with identity information [GH-7548]
    • secrets/transit: Adding RSA3072 key support [GH-8151]
    • storage/consul: Vault now returns a more descriptive error message when only a client cert or a client key has been provided [GH-4930]
    • storage/raft: Nodes in the raft cluster can all be given possible leader addresses that they will continuously try to join, thus automating the join process to a greater extent [GH-7856]
    • storage/raft: Fix a potential deadlock that could occur on leadership transition [GH-8547]
    • storage/raft: Refresh TLS keyring on snapshot restore [GH-8546]
    • storage/etcd: Bumped etcd client API SDK [GH-7931 & GH-4961 & GH-4349 & GH-7582]
    • ui: Make Transit Key actions more prominent [GH-8304]
    • ui: Add Core Usage Metrics [GH-8347]
    • ui: Add refresh Namespace list on the Namespace dropdown, and redesign of Namespace dropdown menu [GH-8442]
    • ui: Update transit actions to codeblocks & automatically encode plaintext unless indicated [GH-8462]
    • ui: Display the results of transit key actions in a modal window [GH-8462]
    • ui: Transit key version styling updates & ability to copy key from dropdown [GH-8480]

    ๐Ÿ› BUG FIXES:

    • agent: Fix issue where TLS options are ignored for agent template feature [GH-7889]
    • 0๏ธโƒฃ auth/jwt: Use lower case role names for default_role to match the role case convention [GH-100]
    • auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to lookup the group membership of the given user [GH-6325]
    • ๐Ÿ‘ cli: Support autocompletion for nested mounts [GH-8303]
    • cli: Fix CLI namespace autocompletion [GH-8315]
    • identity: Fix incorrect caching of identity token JWKS responses [GH-8412]
    • metrics/stackdriver: Fix issue that prevents the stackdriver metrics library to create unnecessary stackdriver descriptors [GH-8073]
    • ๐ŸŽ replication: Fix issue causing cubbyholes in namespaces on performance secondaries to not work.
    • seal (enterprise): Fix seal migration when transactional seal wrap backend is in use.
    • secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [GH-8282]
    • 0๏ธโƒฃ secrets/database/mysql: Ensures default static credential rotation statements are used [GH-8240]
    • secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [GH-8240]
    • secrets/database/postgres: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [GH-8240]
    • ๐Ÿ‘ secrets/pki: Support FQDNs in DNS Name [GH-8288]
    • storage/raft: Allow seal migration to be performed on Vault clusters using raft storage [GH-8103]
    • telemetry: Prometheus requests on standby nodes will now return an error instead of forwarding the request to the active node [GH-8280]
    • ๐Ÿ’ป ui: Fix broken popup menu on the transit secrets list page [GH-8348]
    • โšก๏ธ ui: Update headless Chrome flag to fix yarn run test:oss [GH-8035]
    • โšก๏ธ ui: Update CLI to accept empty strings as param value to reset previously-set values
    • ๐Ÿ’ป ui: Fix bug where error states don't clear when moving between action tabs on Transit [GH-8354]
  • v1.4.0-rc1

    March 19, 2020
  • v1.4.0-beta1

    February 20, 2020
  • v1.3.10 Changes

    August 27th, 2020

    NOTE:

    All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users.

    ๐Ÿ› BUG FIXES:

    • auth/aws: Made header handling for IAM authentication more robust
  • v1.3.9 Changes

    August 20th, 2020

    NOTE:

    OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.

    KNOWN ISSUES:

    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.3.9 Upgrade Guide
    • ๐Ÿ— In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly - enterprise customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1.
  • v1.3.9.1 Changes

    August 21st, 2020

    Enterprise Only

    NOTE:

    Includes correct license in the HSM binary.

  • v1.3.8 Changes

    August 20th, 2020

    SECURITY:

    • When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero)
    • When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero)

    KNOWN ISSUES:

    • OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.
    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.3.8 Upgrade Guide
  • v1.3.7 Changes

    July 2nd, 2020

    ๐Ÿ› BUG FIXES:

    • seal: (enterprise) Fix issue causing stored seal and recovery keys to be mistaken as sealwrapped values
    • ๐ŸŽ secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [GH-9363]
  • v1.3.6 Changes

    May 21, 2020

    SECURITY:

    • core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.2, as well as older versions of Vault [GH-9022]

    ๐Ÿ› BUG FIXES:

    • ๐Ÿ“‡ auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5 [GH-8991]
    • ๐ŸŽ replication: Fix mount filter bug that allowed replication filters to hide local mounts on a performance secondary