Subject: CVS commit: pkgsrc/security/vault
From: Filip Hajny
Date: 2017-02-13 15:23:08
Message id: 20170213142308.85135FBE3@cvs.NetBSD.org

Log Message:
Update security/vault to 0.6.5.

FEATURES:

- Okta Authentication: A new Okta authentication backend allows you to use
  Okta usernames and passwords to authenticate to Vault. If provided with an
  appropriate Okta API token, group membership can be queried to assign
  policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using
  a RADIUS server to authenticate to Vault. Policies can be configured for
  specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as
  `exportable` at creation time. This allows a properly ACL'd user to retrieve
  the associated signing key, encryption key, or HMAC key. The `exportable`
  value is returned on a key policy read and cannot be changed, so if a key is
  marked `exportable` it will always be exportable, and if it is not it will
  never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations
  in the transit backend now support processing multiple input items in one
  call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you
  want to have included in each audit entry, along with whether each header
  should be HMAC'd or kept plaintext. This can be useful for adding additional
  client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit
  backend, allowing creation, viewing and editing of named keys as well as using
  those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend: A new socket audit backend allows audit logs to be sent
  through TCP, UDP, or UNIX Sockets.

IMPROVEMENTS:

- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to
  local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for
  support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version
  to use. The v3 code path is significantly less complicated and may be much
  more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted
  backends even if the UI cannot browse them. Additional backends can now be
  mounted from the UI as well.

BUG FIXES:

- auth/token: Fix regression in 0.6.4 where using token store roles as a
  blacklist (with only `disallowed_policies` set) would not work in most
  circumstances
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node
  failover
- secret/pki: When using `sign-verbatim`, don't require a role and use the
  CSR's common name

Files:
Revision  Action  File
1.9       modify  pkgsrc/security/vault/Makefile
1.5       modify  pkgsrc/security/vault/distinfo