vault: Update to 1.7.0
1.7.0
24 March 2021

CHANGES:

* aws/auth: AWS Auth concepts and endpoints that use the "whitelist" and
  "blacklist" terms have been updated to more inclusive
  language (e.g. /auth/aws/identity-whitelist has been updated
  to /auth/aws/identity-accesslist). The old and new endpoints are aliases,
  sharing the same underlying data. The legacy endpoint names are considered
  deprecated and will be removed in a future release (not before Vault
  1.9). The complete list of endpoint changes is available in the AWS Auth
  API docs.
* go: Update Go version to 1.15.10 [GH-11114] [GH-11173]

FEATURES:

* Aerospike Storage Backend: Add support for using Aerospike as a storage
  backend [GH-10131]
* Autopilot for Integrated Storage: A set of features has been added to
  allow for automatic operator-friendly management of Vault servers. This is
  only applicable when integrated storage is in use.
  * Dead Server Cleanup: Dead servers will periodically be cleaned up and
    removed from the Raft peer set, to prevent them from interfering with the
    quorum size and leader elections.
  * Server Health Checking: An API has been added to track the state of
    servers, including their health.
  * New Server Stabilization: When a new server is added to the cluster,
    there will be a waiting period where it must be healthy and stable for a
    certain amount of time before being promoted to a full, voting member.
* Tokenization Secrets Engine (Enterprise): The Tokenization Secrets Engine
  is now generally available. We have added support for MySQL, key rotation,
  and snapshot/restore.
* agent: Support for persisting the agent cache to disk [GH-10938]
* auth/jwt: Adds max_age role parameter and auth_time claim
  validation. [GH-10919]
* core (enterprise): X-Vault-Index and related headers can be used by
  clients to manage eventual consistency.
* kmip (enterprise): Use entropy augmentation to generate kmip certificates
* sdk: Private key generation in the certutil package now allows custom
  io.Readers to be used. [GH-10653]
* secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
* secrets/database/cassandra: Add ability to customize dynamic usernames
  [GH-10906]
* secrets/database/couchbase: Add ability to customize dynamic usernames
  [GH-10995]
* secrets/database/mongodb: Add ability to customize dynamic usernames
  [GH-10858]
* secrets/database/mssql: Add ability to customize dynamic usernames
  [GH-10767]
* secrets/database/mysql: Add ability to customize dynamic usernames
  [GH-10834]
* secrets/database/postgresql: Add ability to customize dynamic usernames
  [GH-10766]
* secrets/db/snowflake: Added support for Snowflake to the Database Secret
  Engine [GH-10603]
* secrets/keymgmt (enterprise): Adds beta support for distributing and
  managing keys in AWS KMS.
* secrets/keymgmt (enterprise): Adds general availability for distributing
  and managing keys in Azure Key Vault.
* secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined
  database engine [GH-10996]
* secrets/terraform: New secret engine for managing Terraform Cloud API
  tokens [GH-10931]
* ui: Adds check for feature flag on application, and updates namespace
  toolbar on login if present [GH-10588]
* ui: Adds the wizard to the Database Secret Engine [GH-10982]
* ui: Database secrets engine, supporting MongoDB only [GH-10655]

IMPROVEMENTS:

* agent: Add template-retry stanza to agent config. [GH-10644]
* agent: Agent can now run as a Windows service. [GH-10231]
* agent: Better concurrent request handling on identical requests proxied
  through Agent. [GH-10705]
* agent: Route templating server through cache when persistent cache is
  enabled. [GH-10927]
* agent: change auto-auth to preload an existing token on start [GH-10850]
* auth/ldap: Improve consistency in error messages [GH-10537]
* auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
* changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
* command/debug: Now collects logs (at level trace) as a periodic
  output. [GH-10609]
* core (enterprise): "vault status" command works when a namespace is
  set. [GH-10725]
* core (enterprise): Update Trial Enterprise license from 30 minutes to 6
  hours
* core/metrics: Added "vault operator usage" command. [GH-10365]
* core/metrics: New telemetry metrics reporting lease expirations by time
  interval and namespace [GH-10375]
* core: Added active since timestamp to the status output of active
  nodes. [GH-10489]
* core: Check audit device with a test message before adding it. [GH-10520]
* core: Track barrier encryption count and automatically rotate after a
  large number of operations or on a schedule [GH-10774]
* core: add metrics for active entity count [GH-10514]
* core: add partial month client count api [GH-11022]
* core: dev mode listener allows unauthenticated sys/metrics requests
  [GH-10992]
* core: reduce memory used by leases [GH-10726]
* secrets/gcp: Truncate ServiceAccount display names longer than 100
  characters. [GH-10558]
* storage/raft (enterprise): Listing of peers is now allowed on DR
  secondary cluster nodes, as an update operation that takes in DR operation
  token for authenticating the request.
* transform (enterprise): Improve FPE transformation performance
* transform (enterprise): Use transactions with batch tokenization
  operations for improved performance
* ui: Clarify language on usage metrics page empty state [GH-10951]
* ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
* ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
* ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
* ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
* ui: Upgrade dependencies to resolve potential JS vulnerabilities
  [GH-10677]
* ui: better errors on Database secrets engine role create [GH-10980]

BUG FIXES:

* agent: Only set the namespace if the VAULT_NAMESPACE env var isn't
  present [GH-10556]
* agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
* agent: Set namespace for template server in agent. [GH-10757]
* api/sys/config/ui: Fixes issue where multiple UI custom header values are
  ignored and only the first given value is used [GH-10490]
* api: Fixes CORS API methods that were outdated and invalid [GH-10444]
* auth/jwt: Fixes bound_claims validation for provider-specific group and
  user info fetching. [GH-10546]
* auth/jwt: Fixes an issue where JWT verification keys weren't updated
  after a jwks_url change. [GH-10919]
* auth/jwt: Fixes an issue where jwt_supported_algs were not being
  validated for JWT auth using jwks_url and
  jwt_validation_pubkeys. [GH-10919]
* auth/oci: Fixes alias name to use the role name, and not the literal
  string name [GH-10] [GH-10952]
* consul-template: Update consul-template vendor version and associated
  dependencies to master, pulling in
  hashicorp/consul-template#1447 [GH-10756]
* core (enterprise): Limit entropy augmentation during token generation to
  root tokens. [GH-10487]
* core (enterprise): Vault EGP policies attached to path * were not
  correctly scoped to the namespace.
* core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
* core: Avoid deadlocks by ensuring that if grabLockOrStop returns
  stopped=true, the lock will not be held. [GH-10456]
* core: Avoid disclosing IP addresses in the errors of unauthenticated
  requests [GH-10579]
* core: Fix client.Clone() to include the address [GH-10077]
* core: Fix duplicate quotas on performance standby nodes. [GH-10855]
* core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by
  ensuring purgeInterval and staleAge are set appropriately. [GH-10536]
* core: Make all APIs that report init status consistent, and make them
  report initialized=true when a Raft join is in progress. [GH-10498]
* core: Make the response to an unauthenticated request to sys/internal
  endpoints consistent regardless of mount existence. [GH-10650]
* core: Turn off case sensitivity for allowed entity alias check during
  token create operation. [GH-10743]
* http: change max_request_size to be unlimited when the config value is
  less than 0 [GH-10072]
* license: Fix license caching issue that prevents new licenses from being
  picked up by the license manager [GH-10424]
* metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
* quotas/rate-limit: Fix quotas enforcing old rate limit quota paths
  [GH-10689]
* replication (enterprise): Fix bug with not starting merkle sync while
  requests are in progress
* secrets/database/influxdb: Fix issue where not all errors from InfluxDB
  were being handled [GH-10384]
* secrets/database/mysql: Fixes issue where the DisplayName within
  generated usernames was the incorrect length [GH-10433]
* secrets/database: Sanitize private_key field when reading database plugin
  config [GH-10416]
* secrets/gcp: Fix issue with account and iam_policy roleset WALs not being
  removed after attempts when GCP project no longer exists [GH-10759]
* secrets/transit: allow for null string to be used for optional parameters
  in encrypt and decrypt [GH-10386]
* serviceregistration: Fix race during shutdown of Consul service
  registration. [GH-10901]
* storage/raft (enterprise): Automated snapshots with Azure required
  specifying azure_blob_environment, which should have had as a default
  AZUREPUBLICCLOUD.
* storage/raft (enterprise): Reading a non-existent auto snapshot config
  now returns 404.
* storage/raft (enterprise): The parameter aws_s3_server_kms_key was
  misnamed and didn't work. Renamed to aws_s3_kms_key, and made it work so
  that when provided the given key will be used to encrypt the snapshot using
  AWS KMS.
* transform (enterprise): Fix bug in tokenization handling metadata on
  exportable stores
* transform (enterprise): Fix bug where tokenization store changes are
  persisted but don't take effect
* transform (enterprise): Fix transform configuration not handling stores
  parameter on the legacy path
* transform (enterprise): Make expiration timestamps human readable
* transform (enterprise): Return false for invalid tokens on the validate
  endpoint rather than returning an HTTP error
* ui: Add role from database connection automatically populates the
  database for new role [GH-11119]
* ui: Fix bug in Transform secret engine when a new role is added and then
  removed from a transformation [GH-10417]
* ui: Fix bug that double encodes secret route when there are spaces in the
  path and makes you unable to view the version history. [GH-10596]
* ui: Fix expected response from feature-flags endpoint [GH-10684]
* ui: Fix footer URL linking to the correct version changelog. [GH-10491]

DEPRECATIONS:

* aws/auth: AWS Auth endpoints that use the "whitelist" and "blacklist"
  terms have been deprecated. Refer to the CHANGES section for additional
  details.

1.6.3
February 25, 2021

SECURITY:

* Limited Unauthenticated License Metadata Read: We addressed a security
  vulnerability that allowed for the unauthenticated reading of Vault license
  metadata from DR Secondaries. This vulnerability affects Vault Enterprise
  and is fixed in 1.6.3 (CVE-2021-27668).

CHANGES:

* secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]

IMPROVEMENTS:

* ui: Clarify language on usage metrics page empty state [GH-10951]

BUG FIXES:

* auth/kubernetes: Cancel API calls to TokenReview endpoint when request
  context is closed [GH-10930]
* core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
* quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
* quotas/rate-limit: Fix quotas enforcing old rate limit quota paths
  [GH-10689]
* replication (enterprise): Don't write request count data on DR
  Secondaries. Fixes DR Secondaries becoming out of sync approximately every
  30s. [GH-10970]
* secrets/azure (enterprise): Forward service principal credential creation
  to the primary cluster if called on a performance standby or performance
  secondary. [GH-10902]

1.6.2
January 29, 2021

SECURITY:

* IP Address Disclosure: We fixed a vulnerability where, under some error
  conditions, Vault would return an error message disclosing internal IP
  addresses. This vulnerability affects Vault and Vault Enterprise and is
  fixed in 1.6.2 (CVE-2021-3024).
* Limited Unauthenticated Remove Peer: As of Vault 1.6, the remove-peer
  command on DR secondaries did not require authentication. This issue
  impacts the stability of HA architecture, as a bad actor could remove all
  standby nodes from a DR secondary. This issue affects Vault Enterprise
  1.6.0 and 1.6.1, and is fixed in 1.6.2 (CVE-2021-3282).
* Mount Path Disclosure: Vault previously returned different HTTP status
  codes for existent and non-existent mount paths. This behavior would allow
  unauthenticated brute force attacks to reveal which paths had valid
  mounts. This issue affects Vault and Vault Enterprise and is fixed in
  1.6.2 (CVE-2020-25594).

CHANGES:

* go: Update go version to 1.15.7 [GH-10730]

FEATURES:

* ui: Adds check for feature flag on application, and updates namespace
  toolbar on login if present [GH-10588]

IMPROVEMENTS:

* core (enterprise): "vault status" command works when a namespace is
  set. [GH-10725]
* core: reduce memory used by leases [GH-10726]
* storage/raft (enterprise): Listing of peers is now allowed on DR
  secondary cluster nodes, as an update operation that takes in DR operation
  token for authenticating the request.
* core: allow setting tls_servername for raft retry/auto-join [GH-10698]

BUG FIXES:

* agent: Set namespace for template server in agent. [GH-10757]
* core: Make the response to an unauthenticated request to sys/internal
  endpoints consistent regardless of mount existence. [GH-10650]
* metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
* secrets/gcp: Fix issue with account and iam_policy roleset WALs not being
  removed after attempts when GCP project no longer exists [GH-10759]
* storage/raft (enterprise): Automated snapshots with Azure required
  specifying azure_blob_environment, which should have had as a default
  AZUREPUBLICCLOUD.
* storage/raft (enterprise): Autosnapshots config and storage weren't
  excluded from performance replication, causing conflicts and errors.
* ui: Fix bug that double encodes secret route when there are spaces in the
  path and makes you unable to view the version history. [GH-10596]
* ui: Fix expected response from feature-flags endpoint [GH-10684]
iquiw committed Apr 3, 2021
1 parent c6d5e66 commit 22cf24f
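The mount-existence oracle described under Mount Path Disclosure (CVE-2020-25594) and closed by the 1.7.0 fix "Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence" [GH-10650], as an added Go example that is not Vault's own code. The endpoint path, the X-Vault-Token check and the mount table are assumptions; leaksMounts is a defender-side regression check that an anonymous response no longer depends on whether the mount exists.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

const prefix = "/v1/sys/internal/ui/mounts/" // assumed endpoint shape

// Constructed mount table standing in for Vault's; only these paths exist.
var mounts = map[string]bool{"secret/": true, "kv/": true}

// mountHandler models the endpoint. authFirst=false mirrors the pre-fix
// ordering: the mount lookup runs before the token check, so an anonymous
// caller sees 404 for missing mounts but 403 for real ones. authFirst=true
// is the fix: the token check runs first and every anonymous request gets 403.
func mountHandler(authFirst bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		exists := mounts[strings.TrimPrefix(r.URL.Path, prefix)]
		authed := r.Header.Get("X-Vault-Token") != "" // assumed: any token
		if authFirst && !authed {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		if !exists {
			http.Error(w, "no mount at path", http.StatusNotFound)
			return
		}
		if !authed {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		w.Write([]byte(`{"type":"kv"}`))
	}
}

// statusFor sends an unauthenticated GET for mount and returns the status code.
func statusFor(h http.HandlerFunc, mount string) int {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, prefix+mount, nil))
	return rec.Code
}

// leaksMounts reports whether anonymous responses differ between an existing
// and a non-existent mount, which is exactly the enumeration oracle described.
func leaksMounts(h http.HandlerFunc) bool {
	return statusFor(h, "secret/") != statusFor(h, "nope/")
}
```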
Showing 3 changed files with 975 additions and 515 deletions.
2 changes: 1 addition & 1 deletion vault/Makefile
@@ -1,6 +1,6 @@
# $NetBSD$

DISTNAME= vault-1.6.1
DISTNAME= vault-1.7.0
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}

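Review bot: the DISTNAME bump from vault-1.6.1 to vault-1.7.0 in this hunk is only complete together with refreshed distinfo checksums for the new distfile; the page reports 3 changed files with 975 additions and 515 deletions but shows only the Makefile's 2, so confirm distinfo is among the other two. Because the package jumps straight from 1.6.1 to 1.7.0, this update also carries the 1.6.2 and 1.6.3 security fixes listed in the commit message (CVE-2020-25594, CVE-2021-3024, CVE-2021-3282, CVE-2021-27668), which makes it a security update rather than a routine version bump and worth flagging as such to package users.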