Releases: hashicorp/vault

v1.8.0-rc1

16 Jun 16:08
ad4b249
Pre-release

Release vault v1.8.0-rc1

v1.7.3

16 Jun 16:20
5d517c8

Release vault v1.7.3

v1.7.2

21 May 20:30
db0e424

1.7.2

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for
    signing JWTs [GH-11494]

IMPROVEMENTS:

  • api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
  • auth/aws: Underlying error included in validation failure message. [GH-11638]
  • http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
  • secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
  • secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
  • secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]

BUG FIXES:

  • agent/cert: Fix issue where the API client on agent was not honoring certificate
    information from the auto-auth config map on renewals or retries. [GH-11576]
  • agent: Fixed agent templating to use configured tls servername values [GH-11288]
  • core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
  • identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
  • replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
  • secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
  • secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
  • secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
  • secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
  • storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
  • ui: Fix entity group membership and metadata not showing [GH-11641]
  • ui: Fix text link URL on database roles list [GH-11597]

v1.6.5

21 May 20:30
01ca3c4

1.6.5

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials API for
    signing JWTs [GH-11498]

BUG FIXES:

  • core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
  • secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
  • secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
  • ui: Fix namespace bug on login [GH-11182]

v1.5.9

21 May 20:29
534a12a

1.5.9

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for
    signing JWTs [GH-11499]

BUG FIXES:

  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]

v1.7.1

23 Apr 16:09
9171422

Release vault 1.7.1

v1.6.4

21 Apr 17:18
a10df31

Release vault v1.6.4

v1.5.8

21 Apr 17:19
2df19e5

Release vault v1.5.8

v1.7.0

24 Mar 21:04
4e222b8

1.7.0

24 March 2021

CHANGES:

  • go: Update go version to 1.15.8 [GH-11060]

FEATURES:

  • Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
  • agent: Support for persisting the agent cache to disk [GH-10938]
  • auth/jwt: Adds max_age role parameter and auth_time claim validation. [GH-10919]
  • kmip (enterprise): Use entropy augmentation to generate kmip certificates
  • sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
  • secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
  • secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
  • secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
  • secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
  • secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
  • secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
  • secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
  • secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
  • secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
  • ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
  • ui: Adds the wizard to the Database Secret Engine [GH-10982]
  • ui: Database secrets engine, supporting MongoDB only [GH-10655]

IMPROVEMENTS:

  • agent: Add template-retry stanza to agent config. [GH-10644]
  • agent: Agent can now run as a Windows service. [GH-10231]
  • agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
  • agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
  • agent: change auto-auth to preload an existing token on start [GH-10850]
  • auth/ldap: Improve consistency in error messages [GH-10537]
  • auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
  • changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
  • command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
  • core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
  • core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
  • core/metrics: Added "vault operator usage" command. [GH-10365]
  • core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
  • core: Added active since timestamp to the status output of active nodes. [GH-10489]
  • core: Check audit device with a test message before adding it. [GH-10520]
  • core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10744]
  • core: add metrics for active entity count [GH-10514]
  • core: add partial month client count api [GH-11022]
  • core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
  • core: reduce memory used by leases [GH-10726]
  • secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary
    cluster nodes, as an update operation that takes in DR operation token for
    authenticating the request.
  • ui: Clarify language on usage metrics page empty state [GH-10951]
  • ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
  • ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
  • ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
  • ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
  • ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
  • ui: better errors on Database secrets engine role create [GH-10980]

BUG FIXES:

  • agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
  • agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
  • agent: Set namespace for template server in agent. [GH-10757]
  • api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
  • api: Fixes CORS API methods that were outdated and invalid [GH-10444]
  • auth/jwt: Fixes bound_claims validation for provider-specific group and user info fetching. [GH-10546]
  • auth/jwt: Fixes an issue where JWT verification keys weren't updated after a jwks_url change. [GH-10919]
  • auth/jwt: Fixes an issue where jwt_supported_algs were not being validated for JWT auth using
    jwks_url and jwt_validation_pubkeys. [GH-10919]
  • auth/oci: Fixes alias name to use the role name, and not the literal string name [GH-10] [GH-10952]
  • consul-template: Update consul-template vendor version and associated dependencies to master,
    pulling in hashicorp/consul-template#1447 [GH-10756]
  • core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
  • core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
  • core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
  • core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
  • core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
  • core: Fix client.Clone() to include the address [GH-10077]
  • core: Fix duplicate quotas on performance standby nodes. [GH-10855]
  • core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring purgeInterval and
    staleAge are set appropriately. [GH-10536]
  • core: Make all APIs that report init status consistent, and make them report
    initialized=true when a Raft join is in progress. [GH-10498]
  • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
  • core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
  • http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
  • license: Fix license caching issue that prevents new licenses to get picked up by the license manager [GH-10424]
  • metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
  • quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
  • replication (enterprise): Fix bug with not starting merkle sync while requests are in progress
  • secrets/data...

v1.7.0-rc2

17 Mar 16:34
d77a09d
Pre-release

Release vault v1.7.0-rc2