Path to this page:
Subject: CVS commit: pkgsrc/security/vault
From: Filip Hajny
Date: 2017-06-13 08:28:38
Message id: 20170613062838.78416FAB3@cvs.NetBSD.org
Log Message:
Update security/vault to 0.7.3.
## 0.7.3 (June 7th, 2017)
SECURITY:
- Cert auth backend now checks validity of individual certificates
- App-ID path salting was skipped in 0.7.1/0.7.2
DEPRECATIONS/CHANGES:
- Step-Down is Forwarded
FEATURES:
- ed25519 Signing/Verification in Transit with Key Derivation
- Key Version Specification for Encryption in Transit
- Replication Primary Discovery (Enterprise)
IMPROVEMENTS:
- api/health: Add Sys().Health()
- audit: Add auth information to requests that error out
- command/auth: Add `-no-store` option that prevents the auth command
from storing the returned token into the configured token helper
- core/forwarding: Request forwarding now heartbeats to prevent unused
connections from being terminated by firewalls or proxies
- plugins/databases: Add MongoDB as an internal database plugin
- storage/dynamodb: Add a method for checking the existence of
children, speeding up deletion operations in the DynamoDB storage backend
- storage/mysql: Add max_parallel parameter to MySQL backend
- secret/databases: Support listing connections
- secret/databases: Support custom renewal statements in Postgres
database plugin
- secret/databases: Use the role name as part of generated credentials
- ui (Enterprise): Transit key and secret browsing UI handle large
lists better
- ui (Enterprise): root tokens are no longer persisted
- ui (Enterprise): support for mounting Database and TOTP secret
backends
BUG FIXES:
- auth/app-id: Fix regression causing loading of salts to be skipped
- auth/aws: Improve EC2 describe instances performance
- auth/aws: Fix lookup of some instance profile ARNs
- auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at
various points (e.g. renewal time) more robust
- auth/aws: Properly honor configured period when using IAM
authentication
- auth/aws: Check that a bound IAM principal is not empty (in the
current state of the role) before requiring it match the previously
authenticated client
- auth/cert: Fix panic on renewal
- auth/cert: Certificate verification for non-CA certs
- core/acl: Prevent race condition when compiling ACLs in some
scenarios
- secret/database: Increase wrapping token TTL; in a loaded scenario
it could be too short
- secret/generic: Allow integers to be set as the value of `ttl` field
as the documentation claims is supported
- secret/ssh: Added host key callback to ssh client config
- storage/s3: Avoid a panic when some bad data is returned
- storage/dynamodb: Fix list functions working improperly on Windows
- storage/file: Don't leak file descriptors in some error cases
- storage/swift: Fix pre-v3 project/tenant name reading
Files: