Vault v1.4.2 Release Notes

Release Date: 2020-05-21
    🔒 SECURITY:

    • 🛠 core: Proxy environment variables are now redacted before being logged, since the URLs may include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1, as well as older versions of Vault. [GH-9022]
    • 🔧 secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being used instead of the configured backend TTLs for dynamic service accounts. This vulnerability is CVE-2020-12757. [GH-85]
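The core fix above is about one specific leak: a proxy URL such as `http://user:password@proxy:3128` taken from the environment and written verbatim to a log. The following Go program is an added example of that redaction step, not Vault's own code from GH-9022. It assumes nothing beyond the standard library; the environment variable names and the sample values in the test are constructed. One point a naive version gets wrong is a scheme-less value like `user:pass@proxy:3128`, which `url.Parse` reads as scheme `user` with the password left in the opaque part, so the example parses such values with a placeholder scheme first.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// ProxyEnvVars are the environment variables whose values are proxy URLs and
// may therefore carry embedded credentials (constructed list for this example).
var ProxyEnvVars = []string{"HTTP_PROXY", "HTTPS_PROXY", "http_proxy", "https_proxy"}

// RedactProxyURL returns a log-safe copy of a proxy URL: the password part of
// any user:password@ section is replaced with "redacted". Values without
// credentials are returned unchanged; values that cannot be parsed are
// replaced wholesale, because we cannot prove they contain no secret.
func RedactProxyURL(raw string) string {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return ""
	}
	// A value such as "user:pass@proxy:3128" has no scheme; url.Parse would
	// treat "user" as the scheme and leave the password in u.Opaque, so
	// parse it with a placeholder scheme and strip that scheme afterwards.
	prefixed := !strings.Contains(raw, "://")
	parseable := raw
	if prefixed {
		parseable = "http://" + raw
	}
	u, err := url.Parse(parseable)
	if err != nil {
		return "<redacted: unparseable proxy value>"
	}
	if u.User == nil {
		return raw // no userinfo at all
	}
	if _, hasPassword := u.User.Password(); !hasPassword {
		return raw // username only, nothing secret to hide
	}
	// Keep the username so operators can still tell which account is in use;
	// the password never reaches the log.
	u.User = url.UserPassword(u.User.Username(), "redacted")
	out := u.String()
	if prefixed {
		out = strings.TrimPrefix(out, "http://")
	}
	return out
}

// RedactProxyEnv collects the proxy variables that are set, with their values
// redacted. The lookup function is injected (os.LookupEnv in main) so the
// behaviour can be checked against a constructed environment.
func RedactProxyEnv(lookup func(string) (string, bool)) map[string]string {
	out := make(map[string]string)
	for _, name := range ProxyEnvVars {
		if v, ok := lookup(name); ok {
			out[name] = RedactProxyURL(v)
		}
	}
	return out
}

func main() {
	for name, v := range RedactProxyEnv(os.LookupEnv) {
		fmt.Printf("proxy environment: %s=%s\n", name, v)
	}
}
```

The design choice worth noting is the failure mode: when a value does not parse, the function drops the whole value rather than echoing it, since an unparseable string is exactly the case where a password could slip through a partial redaction.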

    👌 IMPROVEMENTS:

    • storage/raft: The storage stanza now accepts leader_ca_cert_file, leader_client_cert_file, and leader_client_key_file parameters to read and parse TLS certificate information from paths on disk. Existing non-path-based parameters will continue to work, but their values will need to be provided as a single-line string with newlines delimited by \n. [GH-8894]
    • storage/raft: The vault status CLI command and the sys/leader API now contain the committed and applied raft indexes. [GH-9011]
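The raft note above says that the inline (non-path) TLS parameters now need a single-line string with newlines written as `\n`. The Go program below is an added example, not Vault code, that converts a PEM file to that form, refuses input that is not PEM at all, and round-trips the value back to a parsed certificate so an operator can confirm nothing was mangled. The certificate it uses is generated on the fly as constructed test data; the names of the inline parameters themselves (leader_ca_cert and friends) are not on this page and are assumed from Vault's raft storage documentation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PEMToSingleLine converts a multi-line PEM document into the single-line
// form in which each newline is written as the two characters "\n". It
// refuses input that contains no PEM block so that an empty file or a wrong
// path is caught before the value ends up in a config file.
func PEMToSingleLine(raw []byte) (string, error) {
	if block, _ := pem.Decode(raw); block == nil {
		return "", errors.New("input contains no PEM block")
	}
	s := strings.ReplaceAll(string(raw), "\r\n", "\n")
	s = strings.TrimRight(s, "\n")
	return strings.ReplaceAll(s, "\n", `\n`), nil
}

// SingleLineToPEM reverses PEMToSingleLine, restoring a parseable PEM document.
func SingleLineToPEM(s string) []byte {
	return []byte(strings.ReplaceAll(s, `\n`, "\n") + "\n")
}

// ParseCertPEM decodes the first CERTIFICATE block; used to verify that a
// round-tripped value is still a valid certificate.
func ParseCertPEM(raw []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// selfSignedCertPEM generates a throwaway self-signed CA certificate
// (constructed test data, not a real cluster CA) so the example runs offline.
func selfSignedCertPEM(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := selfSignedCertPEM("raft-ca-example")
	if err != nil {
		panic(err)
	}
	line, err := PEMToSingleLine(pemBytes)
	if err != nil {
		panic(err)
	}
	// This is the value shape the inline parameters expect.
	fmt.Println(line)
}
```

The round trip matters more than the conversion itself: a certificate that was pasted with one line dropped will still look plausible in a config file, and the parse step is what catches it before the node tries to join.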

    🐛 BUG FIXES:

    • 📇 auth/aws: Fix token renewal issues caused by the metadata changes in 1.4.1 [GH-8991]
    • auth/ldap: Fix 1.4.0 regression that could result in auth failures when LDAP auth config includes upndomain. [GH-9041]
    • 🔌 secrets/ad: Forward rotation requests from standbys to active clusters [GH-66]
    • 🔌 secrets/database: Prevent generation of usernames that are not allowed by the MongoDB Atlas API [GH-9]
    • secrets/database: Return an error if a manual rotation of static account credentials fails [GH-9035]
    • secrets/openldap: Forward all rotation requests from standbys to active clusters [GH-9028]
    • secrets/transform (enterprise): Fix panic that could occur when accessing cached template entries, such as requests that accessed templates directly or indirectly from a performance standby node.
    • serviceregistration: Fix a regression for Consul service registration that ignored using the listener address as the redirect address unless api_addr was provided. It now properly uses the same redirect address as the one used by Vault's Core object. [GH-8976]
    • 🔧 storage/raft: Advertise the configured cluster address to the rest of the nodes in the raft cluster. This fixes an issue where a node advertising 0.0.0.0 was not using a unique hostname. [GH-9008]
    • storage/raft: Fix panic when multiple nodes attempt to join the cluster at once. [GH-9008]
    • 💻 sys: The path provided in sys/internal/ui/mounts/:path is now namespace-aware. This fixes an issue with vault kv subcommands that had namespaces provided in the path always returning permission denied. [GH-8962]
    • 💻 ui: Fix snowman that appears when namespaces have more than one period [GH-8910]

Previous changes from v1.4.1

    🔄 CHANGES:

    • auth/aws: The default set of metadata fields added in 1.4.1 has been changed to account_id and auth_type [GH-8783]
    • storage/raft: Disallow ha_storage to be specified if raft is set as the storage type. [GH-8707]

    👌 IMPROVEMENTS:

    • 📇 auth/aws: The set of metadata stored during login is now configurable [GH-8783]
    • 👀 auth/aws: Improve region selection to avoid errors seen if the account hasn't enabled some newer AWS regions [GH-8679]
    • 🔌 auth/azure: Enable login from Azure VMs with user-assigned identities [GH-33]
    • 📇 auth/gcp: The set of metadata stored during login is now configurable [GH-92]
    • 🔧 auth/gcp: The type of alias name used during login is now configurable [GH-95]
    • auth/ldap: Improve error messages during LDAP operation failures [GH-8740]
    • identity: Add a batch delete API for identity entities [GH-8785]
    • 🐎 identity: Improve performance of logins when no group updates are needed [GH-8795]
    • metrics: Add vault.identity.num_entities metric [GH-8816]
    • secrets/kv: Allow delete-version-after to be reset to 0 via the CLI [GH-8635]
    • secrets/rabbitmq: Improve error handling and reporting [GH-8619]
    • 💻 ui: Provide One Time Password during Operation Token generation process [GH-8630]

    🐛 BUG FIXES:

    • auth/okta: Fix MFA regression (introduced in GH-8143) from 1.4.0 [GH-8807]
    • auth/userpass: Fix upgrade value for token_bound_cidrs being ignored due to incorrect key provided [GH-8826]
    • 🚚 config/seal: Fix segfault when seal block is removed [GH-8517]
    • 🏗 core: Fix an issue where users attempting to build Vault could receive Go module checksum errors [GH-8770]
    • 🔒 core: Fix blocked requests when a SIGHUP is issued while a long-running request holds the state lock. Also fixes a deadlock that can happen if vault debug with the config target is run during this time. [GH-8755]
    • core: Always rewrite the .vault-token file as part of a vault login to ensure permissions and ownership are set correctly [GH-8867]
    • database/mongodb: Fix context deadline error that may result due to retry attempts on failed commands [GH-8863]
    • 📦 http: Fix superfluous call messages from the http package on logs caused by missing returns after respondError calls [GH-8796]
    • namespace (enterprise): Fix namespace listing to return key_info when a scoping namespace is also provided.
    • seal/gcpkms: Fix panic that could occur if all seal parameters were provided via environment variables [GH-8840]
    • 📇 storage/raft: Fix memory allocation and incorrect metadata tracking issues with snapshots [GH-8793]
    • storage/raft: Fix panic that could occur if disable_clustering was set to true on a Raft storage cluster [GH-8784]
    • storage/raft: Handle errors returned from the API during snapshot operations [GH-8861]
    • sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data [GH-8714]