Qnap [ Vault ] [ 1.13.0 ] Manage Secrets and Protect Sensitive Data (CLI)

QoolBox

QNAP Representative
2 January 2014
France
www.qnap.com

Source : https://www.vaultproject.io/

Download:


About:

Manage Secrets and Protect Sensitive Data

Secure, store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data, using a UI, CLI, or HTTP API.

Documentation: https://www.vaultproject.io/docs/install/index.html

Secrets Management
Centrally store, access, and distribute dynamic secrets such as tokens, passwords, certificates, and encryption keys

Data Protection
Keep application data secure with centralized key management and simple APIs for data encryption
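As a concrete illustration of the HTTP API mentioned above, here is an added Go example written for this page; it is not Vault's own client library (github.com/hashicorp/vault/api) and not part of the QPKG. It reads one KV version 2 secret and shows three things the blurb does not: the token travels in the X-Vault-Token header and never in the URL, KV v2 inserts a data/ segment after the mount (secret/myapp/db becomes /v1/secret/data/myapp/db), and the secret comes back nested under data.data while failures arrive as an errors array. So that it runs offline, it talks to a constructed in-process fake server; the token, mount, path and secret values are all made up.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Client is a minimal Vault HTTP API client (example code, not the official
// github.com/hashicorp/vault/api package). The token travels in the
// X-Vault-Token header and never in the URL, so it stays out of access logs.
type Client struct {
	Addr      string
	Token     string
	Namespace string // Vault Enterprise only; leave empty on open source
	HTTP      *http.Client
}

// kvV2Response is the envelope a KV version 2 read returns: the secret's
// key/value pairs sit under data.data, its version under data.metadata.
type kvV2Response struct {
	Data struct {
		Data     map[string]string `json:"data"`
		Metadata struct {
			Version int `json:"version"`
		} `json:"metadata"`
	} `json:"data"`
	Errors []string `json:"errors"`
}

// kvV2DataPath maps the logical path used at the CLI (`vault kv get
// secret/myapp/db`) to the API path: KV v2 inserts `data/` after the mount.
func kvV2DataPath(mount, secretPath string) string {
	return "/v1/" + strings.Trim(mount, "/") + "/data/" + strings.Trim(secretPath, "/")
}

// ReadKVv2 reads one secret and returns its key/value map and version.
func (c *Client) ReadKVv2(mount, secretPath string) (map[string]string, int, error) {
	req, err := http.NewRequest(http.MethodGet, strings.TrimRight(c.Addr, "/")+kvV2DataPath(mount, secretPath), nil)
	if err != nil {
		return nil, 0, err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	if c.Namespace != "" {
		req.Header.Set("X-Vault-Namespace", c.Namespace)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, 0, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap what a bad server can make us buffer
	if err != nil {
		return nil, 0, err
	}
	var out kvV2Response
	if err := json.Unmarshal(body, &out); err != nil {
		return nil, 0, fmt.Errorf("decode response (HTTP %d): %w", resp.StatusCode, err)
	}
	if resp.StatusCode != http.StatusOK {
		// Vault reports failures as {"errors": [...]}; 403 carries "permission denied".
		return nil, 0, fmt.Errorf("vault HTTP %d: %s", resp.StatusCode, strings.Join(out.Errors, "; "))
	}
	return out.Data.Data, out.Data.Metadata.Version, nil
}

// fakeVault is a constructed stand-in for a real server so the example runs
// offline: it checks the token header and serves one KV v2 secret.
func fakeVault(validToken string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("X-Vault-Token") != validToken {
			w.WriteHeader(http.StatusForbidden)
			fmt.Fprint(w, `{"errors":["permission denied"]}`)
			return
		}
		if r.URL.Path != "/v1/secret/data/myapp/db" {
			w.WriteHeader(http.StatusNotFound)
			fmt.Fprint(w, `{"errors":[]}`)
			return
		}
		fmt.Fprint(w, `{"data":{"data":{"username":"app","password":"constructed-example"},"metadata":{"version":3}}}`)
	}))
}

// demo reads the constructed secret with the given token against the fake server.
func demo(token string) (map[string]string, int, error) {
	srv := fakeVault("s.constructedtoken")
	defer srv.Close()
	c := &Client{Addr: srv.URL, Token: token, HTTP: &http.Client{Timeout: 5 * time.Second}}
	return c.ReadKVv2("secret", "myapp/db")
}

func main() {
	data, version, err := demo("s.constructedtoken")
	if err != nil {
		panic(err)
	}
	fmt.Printf("version %d, username=%s\n", version, data["username"])
}
```

Against a real server, set Addr from VAULT_ADDR (https, with the default http.Client so certificate verification stays on) and take the token from VAULT_TOKEN or an agent sink file rather than hard-coding it.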
 
Last edited:
1.7.1
SECURITY:

The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions 1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668)
The Cassandra Database and Storage backends were not correctly verifying TLS certificates. This issue affects all versions of Vault and Vault Enterprise and was fixed in versions 1.6.4, and 1.7.1. (CVE-2021-27400)
CHANGES:

go: Update to Go 1.15.11 [GH-11395]
IMPROVEMENTS:

auth/jwt: Adds ability to directly provide service account JSON in G Suite provider config. [GH-11388]
core: Add tls_max_version listener config option. [GH-11226]
core: Add metrics for standby node forwarding. [GH-11366]
core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
storage/raft: Support autopilot for HA only raft storage. [GH-11260]
BUG FIXES:

core: Fix cleanup of storage entries from cubbyholes within namespaces. [GH-11408]
core: Fix goroutine leak when updating rate limit quota [GH-11371]
core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [GH-11377]
core: requests forwarded by standby weren't always timed out. [GH-11322]
pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [GH-11367]
replication: Fix: mounts created within a namespace that was part of an Allow filtering rule would not appear on performance secondary if created after rule was defined. [GH-1807]
replication: Perf standby nodes on newly enabled DR secondary sometimes couldn't connect to active node with TLS errors. [GH-1823]
secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [GH-11365]
secrets/database/cassandra: Updated default statement for password rotation to allow for special characters. This applies to root and static credentials. [GH-11262]
storage/dynamodb: Handle throttled batch write requests by retrying, without which writes could be lost. [GH-10181]
storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [GH-11252]
ui: Add root rotation statements support to appropriate database secret engine plugins [GH-11404]
ui: Fix bug where the UI does not recognize version 2 KV until refresh, and fix [object Object] error message [GH-11258]
ui: Fix footer URL linking to the correct version changelog. [GH-11283]
ui: Fix namespace-bug on login [GH-11182]
ui: Fix status menu not showing on login [GH-11213]
ui: fix issue where select-one option was not showing in secrets database role creation [GH-11294]
1.7.0
24 March 2021
CHANGES:

agent: Failed auto-auth attempts are now throttled by an exponential backoff instead of the ~2 second retry delay. The maximum backoff may be configured with the new max_backoff parameter, which defaults to 5 minutes. [GH-10964]
aws/auth: AWS Auth concepts and endpoints that use the "whitelist" and "blacklist" terms have been updated to more inclusive language (e.g. /auth/aws/identity-whitelist has been updated to /auth/aws/identity-accesslist). The old and new endpoints are aliases, sharing the same underlying data. The legacy endpoint names are considered deprecated and will be removed in a future release (not before Vault 1.9). The complete list of endpoint changes is available in the AWS Auth API docs.
go: Update Go version to 1.15.10 [GH-11114] [GH-11173]
FEATURES:

Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
Autopilot for Integrated Storage: A set of features has been added to allow for automatic operator-friendly management of Vault servers. This is only applicable when integrated storage is in use.
Dead Server Cleanup: Dead servers will periodically be cleaned up and removed from the Raft peer set, to prevent them from interfering with the quorum size and leader elections.
Server Health Checking: An API has been added to track the state of servers, including their health.
New Server Stabilization: When a new server is added to the cluster, there will be a waiting period where it must be healthy and stable for a certain amount of time before being promoted to a full, voting member.
Tokenization Secrets Engine (Enterprise): The Tokenization Secrets Engine is now generally available. We have added support for MySQL, key rotation, and snapshot/restore.
agent: Support for persisting the agent cache to disk [GH-10938]
auth/jwt: Adds max_age role parameter and auth_time claim validation. [GH-10919]
core (enterprise): X-Vault-Index and related headers can be used by clients to manage eventual consistency.
kmip (enterprise): Use entropy augmentation to generate kmip certificates
sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
secrets/db/snowflake: Added support for Snowflake to the Database Secret Engine [GH-10603]
secrets/keymgmt (enterprise): Adds beta support for distributing and managing keys in AWS KMS.
secrets/keymgmt (enterprise): Adds general availability for distributing and managing keys in Azure Key Vault.
secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
ui: Adds the wizard to the Database Secret Engine [GH-10982]
ui: Database secrets engine, supporting MongoDB only [GH-10655]
IMPROVEMENTS:

agent: Add a vault.retry stanza that allows specifying number of retries on failure; this applies both to templating and proxied requests. [GH-11113]
agent: Agent can now run as a Windows service. [GH-10231]
agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
agent: change auto-auth to preload an existing token on start [GH-10850]
auth/approle: Secrets ID generation endpoint now returns secret_id_ttl as part of its response. [GH-10826]
auth/ldap: Improve consistency in error messages [GH-10537]
auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
core/metrics: Added "vault operator usage" command. [GH-10365]
core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
core: Added active since timestamp to the status output of active nodes. [GH-10489]
core: Check audit device with a test message before adding it. [GH-10520]
core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10774]
core: add metrics for active entity count [GH-10514]
core: add partial month client count api [GH-11022]
core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
core: reduce memory used by leases [GH-10726]
secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
storage/raft (enterprise): Listing of peers is now allowed on DR secondary cluster nodes, as an update operation that takes in a DR operation token for authenticating the request.
transform (enterprise): Improve FPE transformation performance
transform (enterprise): Use transactions with batch tokenization operations for improved performance
ui: Clarify language on usage metrics page empty state [GH-10951]
ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
ui: better errors on Database secrets engine role create [GH-10980]
BUG FIXES:

agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
agent: Set namespace for template server in agent. [GH-10757]
api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
api: Fixes CORS API methods that were outdated and invalid [GH-10444]
auth/jwt: Fixes bound_claims validation for provider-specific group and user info fetching. [GH-10546]
auth/jwt: Fixes an issue where JWT verification keys weren't updated after a jwks_url change. [GH-10919]
auth/jwt: Fixes an issue where jwt_supported_algs were not being validated for JWT auth using jwks_url and jwt_validation_pubkeys. [GH-10919]
auth/oci: Fixes alias name to use the role name, and not the literal string name [GH-10] [GH-10952]
consul-template: Update consul-template vendor version and associated dependencies to master, pulling in https://github.com/hashicorp/consul-template/pull/1447 [GH-10756]
core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
core: Fix client.Clone() to include the address [GH-10077]
core: Fix duplicate quotas on performance standby nodes. [GH-10855]
core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring purgeInterval and staleAge are set appropriately. [GH-10536]
core: Make all APIs that report init status consistent, and make them report initialized=true when a Raft join is in progress. [GH-10498]
core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
license: Fix license caching issue that prevented new licenses from being picked up by the license manager [GH-10424]
metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
replication (enterprise): Fix bug with not starting merkle sync while requests are in progress
secrets/database/influxdb: Fix issue where not all errors from InfluxDB were being handled [GH-10384]
secrets/database/mysql: Fixes issue where the DisplayName within generated usernames was the incorrect length [GH-10433]
secrets/database: Sanitize private_key field when reading database plugin config [GH-10416]
secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [GH-10759]
secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [GH-10386]
serviceregistration: Fix race during shutdown of Consul service registration. [GH-10901]
storage/raft (enterprise): Automated snapshots with Azure required specifying azure_blob_environment, which should have had as a default AZUREPUBLICCLOUD.
storage/raft (enterprise): Reading a non-existent auto snapshot config now returns 404.
storage/raft (enterprise): The parameter aws_s3_server_kms_key was misnamed and didn't work. Renamed to aws_s3_kms_key, and made it work so that when provided the given key will be used to encrypt the snapshot using AWS KMS.
transform (enterprise): Fix bug tokenization handling metadata on exportable stores
transform (enterprise): Fix bug where tokenization store changes are persisted but don't take effect
transform (enterprise): Fix transform configuration not handling stores parameter on the legacy path
transform (enterprise): Make expiration timestamps human readable
transform (enterprise): Return false for invalid tokens on the validate endpoint rather than returning an HTTP error
ui: Add role from database connection automatically populates the database for new role [GH-11119]
ui: Fix bug in Transform secret engine when a new role is added and then removed from a transformation [GH-10417]
ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [GH-10596]
ui: Fix expected response from feature-flags endpoint [GH-10684]
ui: Fix footer URL linking to the correct version changelog. [GH-10491]
DEPRECATIONS:

aws/auth: AWS Auth endpoints that use the "whitelist" and "blacklist" terms have been deprecated. Refer to the CHANGES section for additional details.
1.6.4
21 April 2021
SECURITY:

The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions 1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668)
The Cassandra Database and Storage backends were not correctly verifying TLS certificates. This issue affects all versions of Vault and Vault Enterprise and was fixed in versions 1.6.4, and 1.7.1. (CVE-2021-27400)
CHANGES:

go: Update to Go 1.15.11 [GH-11396]
IMPROVEMENTS:

command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
core: Add tls_max_version listener config option. [GH-11226]
core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
BUG FIXES:

core: Fix cleanup of storage entries from cubbyholes within namespaces. [GH-11408]
core: Fix goroutine leak when updating rate limit quota [GH-11371]
core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [GH-11377]
pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [GH-11367]
pki: Preserve ordering of all DN attribute values when issuing certificates [GH-11259]
replication: Fix: mounts created within a namespace that was part of an Allow filtering rule would not appear on performance secondary if created after rule was defined. [GH-1807]
secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [GH-11365]
storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [GH-11252]
1.6.3
February 25, 2021
SECURITY:

Limited Unauthenticated License Metadata Read: We addressed a security vulnerability that allowed for the unauthenticated reading of Vault license metadata from DR Secondaries. This vulnerability affects Vault Enterprise and is fixed in 1.6.3 (CVE-2021-27668).
CHANGES:

secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]
IMPROVEMENTS:

ui: Clarify language on usage metrics page empty state [GH-10951]
BUG FIXES:

auth/kubernetes: Cancel API calls to TokenReview endpoint when request context is closed [GH-10930]
core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
replication (enterprise): Don't write request count data on DR Secondaries. Fixes DR Secondaries becoming out of sync approximately every 30s. [GH-10970]
secrets/azure (enterprise): Forward service principal credential creation to the primary cluster if called on a performance standby or performance secondary. [GH-10902]
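The PKI tidy entry in the 1.7.1 and 1.6.4 notes above matters after an upgrade as much as before it: a revoked certificate that tidy dropped from the CRL stays dropped until the CRL is rebuilt, so it is worth checking that every revoked-but-unexpired serial is actually on the CRL your relying parties download. The Go program below is an added example written for this page, not Vault's own code or part of the QPKG. Against a real mount you would feed it the CRL from pki/crl/pem and the serials and expiry dates gathered from pki/certs and pki/cert/<serial> (the standard PKI endpoints; check them against your version's API docs). To run offline it instead builds a throwaway CA and a constructed CRL that omits one unexpired serial, which is the shape the bug produced, and flags that serial while correctly ignoring an expired one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// revokedCert holds what a Vault PKI mount tells you about a revoked
// certificate: its serial and its expiry (NotAfter from the PEM returned by
// pki/cert/<serial>). The values used below are constructed.
type revokedCert struct {
	Serial   *big.Int
	NotAfter time.Time
}

// missingFromCRL returns the serials that are revoked, still unexpired at
// `now`, and absent from the CRL. Any hit means relying parties that trust
// this CRL will keep accepting a certificate you revoked.
func missingFromCRL(crl []byte, revoked []revokedCert, now time.Time) ([]string, error) {
	parsed, err := x509.ParseCRL(crl) // accepts PEM (as pki/crl/pem serves) or DER
	if err != nil {
		return nil, fmt.Errorf("parse CRL: %w", err)
	}
	inCRL := make(map[string]bool, len(parsed.TBSCertList.RevokedCertificates))
	for _, e := range parsed.TBSCertList.RevokedCertificates {
		inCRL[e.SerialNumber.String()] = true
	}
	var missing []string
	for _, rc := range revoked {
		if !rc.NotAfter.After(now) {
			continue // expired: RFC 5280 allows the issuer to drop it from the CRL
		}
		if !inCRL[rc.Serial.String()] {
			missing = append(missing, rc.Serial.String())
		}
	}
	return missing, nil
}

// buildScenario is constructed data, not output of a real Vault: a throwaway
// CA, three revoked serials, and a CRL listing only one of the two unexpired
// ones, which is the shape the tidy bug produced.
func buildScenario(now time.Time) ([]byte, []revokedCert, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId:          []byte{1, 2, 3, 4}, // CreateRevocationList needs it for the AKI
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	revoked := []revokedCert{
		{Serial: big.NewInt(1001), NotAfter: now.Add(30 * 24 * time.Hour)}, // unexpired, on the CRL
		{Serial: big.NewInt(1002), NotAfter: now.Add(30 * 24 * time.Hour)}, // unexpired, wrongly dropped
		{Serial: big.NewInt(1003), NotAfter: now.Add(-24 * time.Hour)},     // expired, legitimately dropped
	}
	crlTmpl := &x509.RevocationList{
		Number:     big.NewInt(7),
		ThisUpdate: now,
		NextUpdate: now.Add(72 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked[0].Serial, RevocationTime: now.Add(-time.Hour)},
		},
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey)
	return crlDER, revoked, err
}

// demo runs the check against the constructed scenario.
func demo() ([]string, error) {
	now := time.Now()
	crlDER, revoked, err := buildScenario(now)
	if err != nil {
		return nil, err
	}
	return missingFromCRL(crlDER, revoked, now)
}

func main() {
	missing, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("revoked but missing from CRL:", missing)
}
```

If the check reports anything on a real mount, rotating the CRL (pki/crl/rotate) after upgrading to a fixed version is the remediation to verify; the check is also a reasonable thing to schedule, since a CRL is only as good as the last time someone compared it against the revocation list.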