Log Message:
security/vault: Update to 0.9.6

DEPRECATIONS/CHANGES:

- The AWS authentication backend now allows binds for inputs as either a
  comma-delimited string or a string array. However, to keep consistency with
  input and output, when reading a role the binds will now be returned as
  string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
  backend, you now must explicitly opt-in by adding a `*` to the end of the
  ARN. Existing configurations will be upgraded automatically, but when
  writing a new role configuration the updated behavior will be used.

FEATURES:

- Replication Activation Enhancements: When activating a replication
  secondary, a public key can now be fetched first from the target cluster.
  This public key can be provided to the primary when requesting the
  activation token. If provided, the public key will be used to perform a
  Diffie-Hellman key exchange resulting in a shared key that encrypts the
  contents of the activation token. The purpose is to protect against
  accidental disclosure of the contents of the token if unwrapped by the wrong
  party, given that the contents of the token are highly sensitive. If
  accidentally unwrapped, the contents of the token are not usable by the
  unwrapping party. It is important to note that just as a malicious operator
  could unwrap the contents of the token, a malicious operator can pretend to
  be a secondary and complete the Diffie-Hellman exchange on their own; this
  feature provides defense in depth but still requires due diligence around
  replication activation, including multiple eyes on the commands/tokens and
  proper auditing.

IMPROVEMENTS:

- api: Update renewer grace period logic. It no longer is static, but rather
  dynamically calculates one based on the current lease duration after each
  renew.
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
  just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
  improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
  algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
  than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
  memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability
  checking

BUG FIXES:

- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
  set
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
  max_lease_ttl configured on the token store mount, truncate it. This matches
  renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
  helper for a particular method