Changelog History
v1.4.1 Changes
April 30, 2020
CHANGES:
- auth/aws: The default set of metadata fields added in 1.4.1 has been changed to `account_id` and `auth_type` [GH-8783]
- storage/raft: Disallow `ha_storage` to be specified if `raft` is set as the `storage` type. [GH-8707]
IMPROVEMENTS:
- auth/aws: The set of metadata stored during login is now configurable [GH-8783]
- auth/aws: Improve region selection to avoid errors seen if the account hasn't enabled some newer AWS regions [GH-8679]
- auth/azure: Enable login from Azure VMs with user-assigned identities [GH-33]
- auth/gcp: The set of metadata stored during login is now configurable [GH-92]
- auth/gcp: The type of alias name used during login is now configurable [GH-95]
- auth/ldap: Improve error messages during LDAP operation failures [GH-8740]
- identity: Add a batch delete API for identity entities [GH-8785]
- identity: Improve performance of logins when no group updates are needed [GH-8795]
- metrics: Add `vault.identity.num_entities` metric [GH-8816]
- secrets/kv: Allow `delete-version-after` to be reset to 0 via the CLI [GH-8635]
- secrets/rabbitmq: Improve error handling and reporting [GH-8619]
- ui: Provide One Time Password during Operation Token generation process [GH-8630]
BUG FIXES:
- auth/okta: Fix MFA regression (introduced in GH-8143) from 1.4.0 [GH-8807]
- auth/userpass: Fix upgrade value for `token_bound_cidrs` being ignored due to incorrect key provided [GH-8826]
- config/seal: Fix segfault when seal block is removed [GH-8517]
- core: Fix an issue where users attempting to build Vault could receive Go module checksum errors [GH-8770]
- core: Fix blocked requests if a SIGHUP is issued while a long-running request holds the state lock. Also fixes a deadlock that can happen if `vault debug` with the config target is run during this time. [GH-8755]
- core: Always rewrite the .vault-token file as part of a `vault login` to ensure permissions and ownership are set correctly [GH-8867]
- database/mongodb: Fix context deadline error that may result from retry attempts on failed commands [GH-8863]
- http: Fix superfluous call messages from the http package on logs caused by missing returns after `respondError` calls [GH-8796]
- namespace (enterprise): Fix namespace listing to return `key_info` when a scoping namespace is also provided.
- seal/gcpkms: Fix panic that could occur if all seal parameters were provided via environment variables [GH-8840]
- storage/raft: Fix memory allocation and incorrect metadata tracking issues with snapshots [GH-8793]
- storage/raft: Fix panic that could occur if `disable_clustering` was set to true on a Raft storage cluster [GH-8784]
- storage/raft: Handle errors returned from the API during snapshot operations [GH-8861]
- sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data [GH-8714]
v1.4 Changes
April 7, 2020
CHANGES:
- cli: The raft configuration command has been renamed to list-peers to avoid confusion.
FEATURES:
- Kerberos Authentication: Vault now supports Kerberos authentication using a SPNEGO token. Login can be performed using the Vault CLI, API, or agent.
- Kubernetes Service Discovery: A new Kubernetes service discovery feature where, if configured, Vault will tag Vault pods with their current health status. For more, see #8249.
- MongoDB Atlas Secrets: Vault can now generate dynamic credentials for both MongoDB Atlas databases as well as the Atlas programmatic interface.
- OpenLDAP Secrets Engine: We now support password management of existing OpenLDAP user entries. For more, see #8360.
- Redshift Database Secrets Engine: The database secrets engine now supports static and dynamic secrets for the Amazon Web Services (AWS) Redshift service.
- Service Registration Config: A newly introduced `service_registration` configuration stanza that allows for service registration to be configured separately from the storage backend. For more, see #7887.
IMPROVEMENTS:
- agent: add option to force the use of the auto-auth token, and ignore the Vault token in the request [GH-8101]
- api: Restore and fix DNS SRV Lookup [GH-8520]
- audit: HMAC http_raw_body in audit log; this ensures that large authenticated Prometheus metrics responses get replaced with short HMAC values [GH-8130]
- audit: Generate-root, generate-recovery-token, and generate-dr-operation-token requests and responses are now audited. [GH-8301]
- auth/aws: Reduce the number of simultaneous STS client credentials needed [GH-8161]
- auth/azure: subscription ID, resource group, vm and vmss names are now stored in alias metadata [GH-30]
- auth/jwt: Additional OIDC callback parameters available for CLI logins [GH-80 & GH-86]
- auth/jwt: Bound claims may be optionally configured using globs [GH-89]
- auth/jwt: Timeout during OIDC CLI login if process doesn't complete within 2 minutes [GH-97]
- auth/jwt: Add support for the `form_post` response mode [GH-98]
- auth/jwt: add optional client_nonce to authorization flow [GH-104]
- auth/okta: Upgrade okta sdk lib, which should improve handling of groups [GH-8143]
- aws: Add support for v2 of the instance metadata service (see issue 7924 for all linked PRs)
- core: Separate out service discovery interface from storage interface to allow new types of service discovery not coupled to storage [GH-7887]
- core: Add support for telemetry option `metrics_prefix` [GH-8340]
- core: Entropy Augmentation can now be used with AWS KMS and Vault Transit seals
- core: Allow tls_min_version to be set to TLS 1.3 [GH-8305]
- cli: Incorrect TLS configuration will now correctly fail [GH-8025]
- identity: Allow specifying a custom `client_id` for identity tokens [GH-8165]
- metrics/prometheus: improve performance with high volume of metrics updates [GH-8507]
- replication (enterprise): Fix race condition causing clusters with high throughput writes to sometimes fail to enter streaming-wal mode
- replication (enterprise): Secondary clusters can now perform an extra gRPC call to all nodes in a primary cluster in an attempt to resolve the active node's address
- replication (enterprise): The replication status API now outputs `last_performance_wal`, `last_dr_wal`, and `connection_state` values
- replication (enterprise): DR secondary clusters can now be recovered by the `replication/dr/secondary/recover` API
- replication (enterprise): We now allow for an alternate means to create a Disaster Recovery token, by using a batch token that is created with an ACL that allows for access to one or more of the DR endpoints.
- secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver [GH-8140]
- secrets/database/mongodb: Add support for x509 client authorization to MongoDB [GH-8329]
- secrets/database/oracle: Add support for static credential rotation [GH-26]
- secrets/consul: Add support to specify TLS options per Consul backend [GH-4800]
- secrets/gcp: Allow specifying the TTL for a service key [GH-54]
- secrets/gcp: Add support for rotating root keys [GH-53]
- secrets/gcp: Handle version 3 policies for Resource Manager IAM requests [GH-77]
- secrets/nomad: Add support to specify TLS options per Nomad backend [GH-8083]
- secrets/ssh: Allowed users can now be templated with identity information [GH-7548]
- secrets/transit: Adding RSA3072 key support [GH-8151]
- storage/consul: Vault now returns a more descriptive error message when only a client cert or a client key has been provided [GH-4930]
- storage/raft: Nodes in the raft cluster can all be given possible leader addresses for them to continuously try and join one of them, thus automating the process of join to a greater extent [GH-7856]
- storage/raft: Fix a potential deadlock that could occur on leadership transition [GH-8547]
- storage/raft: Refresh TLS keyring on snapshot restore [GH-8546]
- storage/etcd: Bumped etcd client API SDK [GH-7931 & GH-4961 & GH-4349 & GH-7582]
- ui: Make Transit Key actions more prominent [GH-8304]
- ui: Add Core Usage Metrics [GH-8347]
- ui: Add refresh Namespace list on the Namespace dropdown, and redesign of Namespace dropdown menu [GH-8442]
- ui: Update transit actions to codeblocks & automatically encode plaintext unless indicated [GH-8462]
- ui: Display the results of transit key actions in a modal window [GH-8462]
- ui: Transit key version styling updates & ability to copy key from dropdown [GH-8480]
BUG FIXES:
- agent: Fix issue where TLS options are ignored for agent template feature [GH-7889]
- auth/jwt: Use lower case role names for `default_role` to match the `role` case convention [GH-100]
- auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to look up the group membership of the given user [GH-6325]
- cli: Support autocompletion for nested mounts [GH-8303]
- cli: Fix CLI namespace autocompletion [GH-8315]
- identity: Fix incorrect caching of identity token JWKS responses [GH-8412]
- metrics/stackdriver: Prevent the stackdriver metrics library from creating unnecessary stackdriver descriptors [GH-8073]
- replication: Fix issue causing cubbyholes in namespaces on performance secondaries to not work.
- seal (enterprise): Fix seal migration when transactional seal wrap backend is in use.
- secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [GH-8282]
- secrets/database/mysql: Ensures default static credential rotation statements are used [GH-8240]
- secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [GH-8240]
- secrets/database/postgres: Fix inconsistent query parameter names: {{name}} or {{username}} for different queries. Now it allows for either for backwards compatibility [GH-8240]
- secrets/pki: Support FQDNs in DNS Name [GH-8288]
- storage/raft: Allow seal migration to be performed on Vault clusters using raft storage [GH-8103]
- telemetry: Prometheus requests on standby nodes will now return an error instead of forwarding the request to the active node [GH-8280]
- ui: Fix broken popup menu on the transit secrets list page [GH-8348]
- ui: Update headless Chrome flag to fix `yarn run test:oss` [GH-8035]
- ui: Update CLI to accept empty strings as param value to reset previously-set values
- ui: Fix bug where error states don't clear when moving between action tabs on Transit [GH-8354]
v1.4.0-rc1
March 19, 2020
v1.4.0-beta1
February 20, 2020
v1.3.10 Changes
August 27th, 2020
NOTE:
All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users.
BUG FIXES:
- auth/aws: Made header handling for IAM authentication more robust
v1.3.9 Changes
August 20th, 2020
NOTE:
OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.
KNOWN ISSUES:
- AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.3.9 Upgrade Guide
- In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly; enterprise customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1.
v1.3.9.1 Changes
August 21st, 2020
Enterprise Only
NOTE:
Includes correct license in the HSM binary.
v1.3.8 Changes
August 20th, 2020
SECURITY:
- When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero)
- When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero)
KNOWN ISSUES:
- OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.
- AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.3.8 Upgrade Guide
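The IAM auth method entries above (the CVE-2020-16250 advisory, the 1.3.10 "header handling" fix and the header-related known issue) all turn on the presigned STS GetCallerIdentity request that a client hands to Vault. The following is an added example, not code from Vault, showing both halves in Python: a client that signs that request with SigV4, including the X-Vault-AWS-IAM-Server-ID header so a captured login payload is bound to one Vault cluster, and a simplified sketch of the checks a verifier should apply before trusting such a payload. The role name `dev-role`, the server ID `vault.example.com`, the fixed clock and the AWS-documentation example key pair are constructed inputs; `check_login_payload` is illustrative only and is neither Vault's validation logic nor the fix for the CVE.

```python
import base64
import datetime as dt
import hashlib
import hmac
import json
from urllib.parse import urlparse

STS_URL = "https://sts.amazonaws.com/"
STS_BODY = "Action=GetCallerIdentity&Version=2011-06-15"
SERVER_ID_HEADER = "x-vault-aws-iam-server-id"  # signed, so it binds the payload to one Vault


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: AWS4+secret -> date -> region -> service -> aws4_request."""
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key


def sign_get_caller_identity(access_key, secret_key, when, region="us-east-1",
                             server_id=None, session_token=None):
    """Headers of a SigV4-signed POST to STS GetCallerIdentity (client side)."""
    amz_date, date = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    headers = {"host": urlparse(STS_URL).netloc,
               "content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "x-amz-date": amz_date}
    if session_token:  # temporary credentials must also present their token
        headers["x-amz-security-token"] = session_token
    if server_id:  # covered by the signature, so it cannot be stripped or altered
        headers[SERVER_ID_HEADER] = server_id
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",  # method, canonical URI, empty query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(STS_BODY.encode()).hexdigest()])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, "sts"),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def vault_login_payload(role: str, headers: dict) -> dict:
    """Body for POST /v1/auth/aws/login; header values are lists, as Vault accepts."""
    return {"role": role,
            "iam_http_request_method": "POST",
            "iam_request_url": _b64(STS_URL),
            "iam_request_body": _b64(STS_BODY),
            "iam_request_headers": _b64(json.dumps({k: [v] for k, v in headers.items()}))}


def check_login_payload(payload: dict, expected_server_id: str) -> str:
    """Illustrative verifier-side checks (not Vault's own logic): the presigned request
    must be GetCallerIdentity against an STS host, and the server ID header must be
    present, correct and signed. Returns "ok" or the name of the first failed check."""
    if payload["iam_http_request_method"] != "POST":
        return "method"
    host = urlparse(base64.b64decode(payload["iam_request_url"]).decode()).hostname or ""
    if host != "sts.amazonaws.com" and not (host.startswith("sts.") and host.endswith(".amazonaws.com")):
        return "host"
    if base64.b64decode(payload["iam_request_body"]).decode() != STS_BODY:
        return "body"
    hdrs = {k.lower(): v for k, v in json.loads(base64.b64decode(payload["iam_request_headers"])).items()}
    if hdrs.get(SERVER_ID_HEADER) != [expected_server_id]:
        return "server_id"
    signed = hdrs.get("authorization", [""])[0].partition("SignedHeaders=")[2].partition(",")[0]
    if SERVER_ID_HEADER not in signed.split(";"):
        return "server_id_unsigned"
    return "ok"


# Constructed demo inputs: the AWS documentation's example key pair and a fixed clock.
DEMO_TIME = dt.datetime(2020, 8, 20, 12, 0, 0)


def demo():
    """Sign a request for the hypothetical role dev-role, bound to vault.example.com."""
    headers = sign_get_caller_identity("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                                       DEMO_TIME, server_id="vault.example.com")
    return headers, vault_login_payload("dev-role", headers)


if __name__ == "__main__":
    _, demo_payload = demo()
    print(json.dumps(demo_payload, indent=2))
    print(check_login_payload(demo_payload, "vault.example.com"))
```

The practical takeaways are on the verifier side: everything Vault learns about the caller comes from replaying a request the client constructed, so the method, host, body and the signed header set must each be checked against what a genuine GetCallerIdentity call looks like before the STS response is trusted, and the server ID header must be inside SignedHeaders, not merely present. On the client side, set `iam_server_id_header_value` on the role and send the header on every login, since a presigned request is otherwise valid for any Vault that accepts the same principal.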
v1.3.7 Changes
July 2nd, 2020
BUG FIXES:
- seal: (enterprise) Fix issue causing stored seal and recovery keys to be mistaken as sealwrapped values
- secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [GH-9363]
v1.3.6 Changes
May 21, 2020
SECURITY:
- core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.1, as well as older versions of Vault [GH-9022]
BUG FIXES:
- auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5 [GH-8991]
- replication: Fix mount filter bug that allowed replication filters to hide local mounts on a performance secondary
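The CVE-2020-13223 entry above concerns a log line that reproduced proxy URLs verbatim, password and all. As an added example, not Vault's fix, here is a Python helper that strips the password from the userinfo part of proxy-style values before they reach a log, and handles the cases a naive regex gets wrong: values without a scheme, and NO_PROXY host lists that contain no URL at all. The environment dictionary and hostnames used are constructed inputs.

```python
from urllib.parse import urlsplit, urlunsplit

# The proxy variables Go's net/http honours, in both spellings (Vault is a Go program).
PROXY_VARS = {"HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY", "http_proxy", "https_proxy", "no_proxy"}


def redact_url(value: str) -> str:
    """Replace the password in a URL's userinfo with 'redacted'; other values pass through."""
    scheme_less = "://" not in value
    # Prefixing "//" makes a bare "user:pw@host:port" parse as a netloc instead of a scheme.
    parts = urlsplit("//" + value if scheme_less else value)
    if "@" not in parts.netloc:
        return value  # no userinfo, nothing to hide (also covers NO_PROXY host lists)
    userinfo, hostport = parts.netloc.rsplit("@", 1)
    user, sep, _password = userinfo.partition(":")
    netloc = f"{user}:redacted@{hostport}" if sep else f"{user}@{hostport}"
    out = urlunsplit(parts._replace(netloc=netloc))
    return out[2:] if scheme_less else out  # drop the "//" we added


def proxy_env_for_log(env: dict) -> dict:
    """The proxy subset of env, safe to put in a log line."""
    return {k: redact_url(v) for k, v in env.items() if k in PROXY_VARS}


if __name__ == "__main__":
    # Constructed environment: one proxy with embedded credentials, one unrelated secret.
    sample_env = {"HTTPS_PROXY": "http://bob:hunter2@proxy.corp.example:3128",
                  "NO_PROXY": "localhost,127.0.0.1,.corp.example",
                  "VAULT_TOKEN": "s.not-a-real-token"}
    print(proxy_env_for_log(sample_env))
```

Redacting at the point where the value is formatted for the log, rather than in the logger, keeps the decision close to the data that is known to be sensitive; the same helper should be applied to any other URL-shaped configuration value (database DSNs, webhook targets) before it is echoed in a log or an error message.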