
Changelog History

  • v1.2.5 Changes

    August 20th, 2020

    🔒 SECURITY:

    • When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero)
    • When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero)

    KNOWN ISSUES:

    • 💻 OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected.
    • AWS IAM logins may return an error depending on the headers sent with the request. For more details and a workaround, see the 1.2.5 Upgrade Guide.

    πŸ› BUG FIXES:

    • seal: (enterprise) Fix issue causing stored seal and recovery keys to be mistaken as sealwrapped values
  • v1.2.4 Changes

    November 07, 2019

    🔒 SECURITY:

    • In a non-root namespace, revocation of a token scoped to a non-root namespace did not trigger the expected revocation of dynamic secret leases associated with that token. As a result, dynamic secret leases in non-root namespaces may outlive the token that created them. This vulnerability, CVE-2019-18616, affects Vault Enterprise 0.11.0 and newer.
    • Disaster Recovery secondary clusters did not delete already-replicated data after a mount filter has been created on an upstream Performance secondary cluster. As a result, encrypted secrets may remain replicated on a Disaster Recovery secondary cluster after application of a mount filter excluding those secrets from replication. This vulnerability, CVE-2019-18617, affects Vault Enterprise 0.8 and newer.
    • Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which corresponds to CVE-2019-17596.

    🔄 CHANGES:

    • auth/aws: If a custom sts_endpoint is configured, Vault Agent and the CLI should provide the corresponding region via the region parameter (which already existed as a CLI parameter, and has now been added to Agent). The automatic region detection added to the CLI and Agent in 1.2 has been removed.

    👌 IMPROVEMENTS:

    • cli: Ignore existing token during CLI login [GH-7508]
    • core: Log proxy settings from environment on startup [GH-7528]
    • core: Cache whether we've been initialized to reduce load on storage [GH-7549]

    πŸ› BUG FIXES:

    • agent: Fix handling of gzipped responses [GH-7470]
    • cli: Fix panic when pgp keys list is empty [GH-7546]
    • cli: Command timeouts are now always specified solely by the VAULT_CLIENT_TIMEOUT value. [GH-7469]
    • core: add hook for initializing seals for migration [GH-7666]
    • core (enterprise): Migrating from one auto unseal method to another previously never worked on Enterprise; it now does.
    • identity: Add required field response_types_supported to identity token .well-known/openid-configuration response [GH-7533]
    • identity: Fixed nil pointer panic when merging entities [GH-7712]
    • replication (Enterprise): Fix issue causing performance standby nodes to disconnect under high load.
    • secrets/azure: Fix panic that could occur if client retries timeout [GH-7793]
    • secrets/database: Fix bug in combined DB secrets engine that can result in writes to static-roles endpoints timing out [GH-7518]
    • secrets/pki: Improve tidy to continue when value is nil [GH-7589]
    • ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to be viewed in the UI [GH-7504]
  • v1.2.3 Changes

    September 12, 2019

    🔋 FEATURES:

    • Oracle Cloud (OCI) Integration: Vault now supports using Oracle Cloud for storage, auto unseal, and authentication.

    👌 IMPROVEMENTS:

    • auth/jwt: Groups claim matching now treats a string response as a single element list [GH-63]
    • auth/kubernetes: enable better support for projected tokens API by allowing user to specify issuer [GH-65]
    • auth/pcf: The PCF auth plugin was renamed to the CF auth plugin, maintaining full backwards compatibility [GH-7346]
    • replication: Premium packages now come with unlimited performance standby nodes

    πŸ› BUG FIXES:

    • agent: Allow batch tokens and other non-renewable tokens to be used for agent operations [GH-7441]
    • auth/jwt: Fix an error where newer (v1.2) token_* configuration parameters were not being applied to tokens generated using the OIDC login flow [GH-67]
    • raft: Fix an incorrect JSON tag on leader_ca_cert in the join request [GH-7393]
    • seal/transit: Allow using Vault Agent for transit seal operations [GH-7441]
    • storage/couchdb: Fix a file descriptor leak [GH-7345]
    • ui: Fix a bug where the status menu would disappear when trying to revoke a token [GH-7337]
    • ui: Fix a regression that prevented input of custom items in search-select [GH-7338]
    • ui: Fix an issue with the namespace picker being unable to render nested namespaces named with numbers and sorting of namespaces in the picker [GH-7333]
  • v1.2.2 Changes

    August 15, 2019

    🔄 CHANGES:

    • auth/pcf: The signature format has been updated to use the standard Base64 encoding instead of the URL-safe variant. Signatures created using the previous format will continue to be accepted [PCF-27]
    • core: The http response code returned when an identity token key is not found has been changed from 400 to 404

    👌 IMPROVEMENTS:

    • identity: Remove 512 entity limit for groups [GH-7317]

    πŸ› BUG FIXES:

    • auth/approle: Fix an error where an empty token_type string was not being correctly handled as TokenTypeDefault [GH-7273]
    • auth/radius: Fix panic when logging in [GH-7286]
    • ui: the string-list widget will now honor multiline input [GH-7254]
    • ui: various visual bugs in the KV interface were addressed [GH-7307]
    • ui: fixed incorrect URL to access help in LDAP auth [GH-7299]
  • v1.2.1 Changes

    August 06, 2019

    πŸ› BUG FIXES:

    • agent: Fix a panic on creds pulling in some error conditions in aws and alicloud auth methods [GH-7238]
    • auth/approle: Fix error reading role-id on a role created pre-1.2 [GH-7231]
    • auth/token: Fix sudo check in non-root namespaces on create [GH-7224]
    • core: Fix health checks with perfstandbyok=true returning the wrong status code [GH-7240]
    • ui: The web CLI will now parse input as a shell string, with special characters escaped [GH-7206]
    • ui: The UI will now redirect to a page after authentication [GH-7088]
    • ui (Enterprise): The list of namespaces is now cleared when logging out [GH-7186]
  • v1.2.0 Changes

    July 30, 2019

    🔄 CHANGES:

    • Token store roles use new, common token fields for the values that overlap with other auth backends. period, explicit_max_ttl, and bound_cidrs will continue to work, with priority being given to the token_ prefixed versions of those parameters. They will also be returned when doing a read on the role if they were used to provide values initially; however, in Vault 1.4 if period or explicit_max_ttl is zero they will no longer be returned. (explicit_max_ttl was already not returned if empty.)
    • Due to underlying changes in Go 1.12 and Go > 1.11.5, Vault is now stricter about which characters it accepts in path names. Previously it filtered out unprintable characters (and this filtering could be turned off); now control characters and other invalid characters are rejected by Go's HTTP library before the request is passed to Vault, and this cannot be disabled. To continue using such paths (e.g. for already-written paths), the characters must be properly percent-encoded (e.g. \r becomes %0D, \x00 becomes %00, and so on).
    • The user-configured regions on the AWSKMS seal stanza will now be preferred over regions set in the enclosing environment. This is a breaking change.
    • All values in audit logs are now omitted if they are empty. This reduces the size of audit log entries by not repeating keys that commonly carry no value in every entry, which helps, for example, where audit log entries would otherwise exceed the maximum UDP packet size.
    • Both PeriodicFunc and WALRollback functions will be called if both are provided. Previously WALRollback would only be called if PeriodicFunc was not set. See [GH-6717] for details.
    • Vault now uses Go's official dependency management system, Go Modules, to manage dependencies. In order both to reduce transitive dependencies for API library users and plugin authors and to work around various conflicts, we have moved various helpers around, mostly under an sdk/ submodule. A couple of functions have also moved from plugin helper code to the api/ submodule. If you are a plugin author, take a look at some of our official plugins and the paths they are importing for guidance.
    • AppRole uses new, common token fields for values that overlap with other auth backends. period and policies will continue to work, with priority being given to the token_ prefixed versions of those parameters. They will also be returned when doing a read on the role if they were used to provide values initially.
    • In AppRole, "default" is no longer automatically added to the policies parameter. This was a no-op since it would always be added anyway by Vault's core; however, this can now be explicitly disabled with the new token_no_default_policy field.
    • In AppRole, bound_cidr_list is no longer returned when reading a role
    • rollback: Rollback will no longer display log messages when it runs; it will only display messages on error.
    • Database plugins will now default to 4 max_open_connections rather than 2.
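    As an added illustration of the path-character change above (example code written for this page, not code from the Vault project), the Go helpers below use the standard library's net/url to check whether a stored path would be rejected by Go's HTTP layer and to percent-encode it segment by segment; the sample path is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// pathAccepted reports whether Go's net/url parser (1.12+, and 1.11.5+) would
// accept the raw path as received on the wire. Since those versions the parser
// rejects any ASCII control byte, so the request never reaches Vault's handlers.
func pathAccepted(rawPath string) bool {
	_, err := url.ParseRequestURI(rawPath)
	return err == nil
}

// percentEncodePath rewrites a Vault path one segment at a time so that control
// characters and other invalid bytes are percent-encoded (\r -> %0D, \x00 -> %00)
// while the "/" separators are preserved. Apply it to raw, not already encoded,
// paths: a literal "%" is itself escaped to %25.
func percentEncodePath(rawPath string) string {
	segments := strings.Split(rawPath, "/")
	for i, seg := range segments {
		segments[i] = url.PathEscape(seg)
	}
	return strings.Join(segments, "/")
}

func main() {
	// Constructed sample: a KV path that older Vault versions accepted because the
	// unprintable characters were silently filtered out.
	raw := "/v1/secret/data/team\rname/\x00app"
	fmt.Printf("raw path accepted by Go HTTP layer: %v\n", pathAccepted(raw))
	encoded := percentEncodePath(raw)
	fmt.Printf("percent-encoded: %s\n", encoded)
	fmt.Printf("encoded path accepted: %v\n", pathAccepted(encoded))
}
```

    Running the helper over a dump of existing KV keys before upgrading shows which paths will start failing and what their percent-encoded replacements are.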

    🔋 FEATURES:

    • Integrated Storage: Vault 1.2 includes a tech preview of a new way to manage storage directly within a Vault cluster. This new integrated storage solution is based on the Raft protocol which is also used to back HashiCorp Consul and HashiCorp Nomad.
    • Combined DB credential rotation: Alternative mode for the Combined DB Secret Engine to automatically rotate existing database account credentials and set Vault as the source of truth for credentials.
    • Identity Tokens: Vault's Identity system can now generate OIDC-compliant ID tokens. These customizable tokens encapsulate a signed, verifiable snapshot of identity information and metadata. They can be used by other applications, even those without Vault authorization, as a way of establishing identity based on a Vault entity.
    • Pivotal Cloud Foundry plugin: New auth method using Pivotal Cloud Foundry certificates for Vault authentication.
    • ElasticSearch database plugin: New ElasticSearch database plugin issues unique, short-lived ElasticSearch credentials.
    • New UI Features: An HTTP Request Volume Page and new UI for editing LDAP Users and Groups have been added.
    • HA support for Postgres: PostgreSQL versions >= 9.5 may now be used as an HA storage backend.
    • KMIP secrets engine (Enterprise): Allows Vault to operate as a KMIP Server, seamlessly brokering cryptographic operations for traditional infrastructure.
    • Common Token Fields: Auth methods now use common fields for controlling token behavior, making it easier to understand configuration across methods.
    • Vault API explorer: The Vault UI now includes an embedded API explorer where you can browse the endpoints available to you and make requests. To try it out, open the Web CLI and type api.

    👌 IMPROVEMENTS:

    • agent: Allow EC2 nonce to be passed in [GH-6953]
    • agent: Add optional namespace parameter, which sets the default namespace for the auto-auth functionality [GH-6988]
    • agent: Add cert auto-auth method [GH-6652]
    • api: Add support for passing data to delete operations via DeleteWithData [GH-7139]
    • audit/file: Dramatically speed up file operations by changing locking/marshaling order [GH-7024]
    • auth/jwt: A JWKS endpoint may now be configured for signature verification [GH-43]
    • auth/jwt: A new verbose_oidc_logging role parameter has been added to help troubleshoot OIDC configuration [GH-57]
    • auth/jwt: bound_claims will now match received claims that are lists if any element of the list is one of the expected values [GH-50]
    • auth/jwt: Leeways for nbf and exp are now configurable, as is clock skew leeway [GH-53]
    • auth/kubernetes: Allow service names/namespaces to be configured as globs [GH-58]
    • auth/token: Allow the support of the identity system for the token backend via token roles [GH-6267]
    • auth/token: Add a large set of token configuration options to token store roles [GH-6662]
    • cli: path-help now allows -format=json to be specified, which will output OpenAPI [GH-7006]
    • cli: Add support for passing parameters to vault delete operations [GH-7139]
    • cli: Add a log-format CLI flag that can specify either "standard" or "json" for the log format of the vault server command. [GH-6840]
    • cli: Add -dev-no-store-token to allow dev servers to not store the generated token at the token helper location [GH-7104]
    • identity: Allow a group alias' canonical ID to be modified
    • namespaces: Namespaces can now be created and deleted from performance replication secondaries
    • plugins: Change the default for max_open_connections for DB plugins to 4 [GH-7093]
    • replication: Client TLS authentication is now supported when enabling or updating a replication secondary
    • secrets/database: Cassandra operations will now cancel on client timeout [GH-6954]
    • secrets/kv: Add optional delete_version_after parameter, which takes a duration and can be set on the mount and/or the metadata for a specific key [GH-7005]
    • storage/postgres: LIST now performs better on large datasets [GH-6546]
    • storage/s3: A new path parameter allows selecting the path within a bucket for Vault data [GH-7157]
    • ui: KV v1 and v2 will now gracefully degrade allowing a write without read workflow in the UI [GH-6570]
    • ui: Many visual improvements with the addition of Toolbars [GH-6626], the restyling of the Confirm Action component [GH-6741], and using a new set of glyphs for our Icon component [GH-6736]
    • ui: Lazy loading parts of the application so that the total initial payload is smaller [GH-6718]
    • ui: Tabbing to auto-complete in filters will first complete a common prefix if there is one [GH-6759]
    • ui: Removing jQuery from the application makes the initial JS payload smaller [GH-6768]

    πŸ› BUG FIXES:

    • audit: Log requests and responses due to invalid wrapping token provided [GH-6541]
    • audit: Fix bug preventing request counter queries from working with auditing enabled [GH-6767]
    • auth/aws: AWS Roles are now upgraded and saved to the latest version just after the AWS credential plugin is mounted. [GH-7025]
    • auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN when parsing this value [GH-6917]
    • auth/aws: Fix an error complaining about a read-only view that could occur during updating of a role when on a performance replication secondary [GH-6926]
    • auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id for OIDC logins [GH-54]
    • auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server response is empty [GH-55]
    • auth/jwt: Fix issue where OIDC logins might intermittently fail when using performance standbys [GH-61]
    • identity: Fix a case where modifying aliases of an entity could end up moving the entity into the wrong namespace
    • namespaces: Fix a behavior (currently only known to be benign) where we wouldn't delete policies through the official functions before wiping the namespaces on deletion
    • secrets/database: Escape username/password before using in connection URL [GH-7089]
    • secrets/pki: Forward revocation requests to active node when on a performance standby [GH-7173]
    • ui: Fix timestamp on some transit keys [GH-6827]
    • ui: Show Entities and Groups in Side Navigation [GH-7138]
    • ui: Ensure dropdown updates selected item on HTTP Request Metrics page
  • v1.2.0-rc1

    July 25, 2019
  • v1.2.0-beta2

    July 09, 2019
  • v1.2.0-beta1

    June 24, 2019
  • v1.1.5

    July 30, 2019