2021-07-13 13:36:45 by Benny Siegert | Files touched by this commit (132) | |
Log message:
Revbump all Go packages after go116 update
|
2021-06-06 14:19:04 by Benny Siegert | Files touched by this commit (203) | |
Log message:
Revbump all Go packages after go116 update
|
2021-05-30 19:37:53 by Havard Eidnes | Files touched by this commit (2) |
Log message:
Upgrade security/vault to version 1.6.5.
Pkgsrc changes:
* None
Upstream changes:
v1.6.5:
May 20th, 2021
SECURITY:
* Non-Expiring Leases: Vault and Vault Enterprise renewed
nearly-expiring token leases and dynamic secret leases with a
zero-second TTL, causing them to be treated as non-expiring,
and never revoked. This issue affects Vault and Vault Enterprise
versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5,
and 1.7.2 (CVE-2021-32923).
CHANGES:
* agent: Update to use IAM Service Account Credentials endpoint
for signing JWTs when using GCP Auto-Auth method [GH-11473]
* auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials
API for signing JWTs [GH-11498]
BUG FIXES:
* core (enterprise): Fix plugins mounted in namespaces being
unable to use password policies [GH-11596]
* core: correct logic for renewal of leases nearing their expiration
time. [GH-11650]
* secrets/database: Fix marshalling to allow providing numeric
arguments to external database plugins. [GH-11451]
* secrets/database: Fixes issue for V4 database interface where
SetCredentials wasn't falling back to using RotateRootCredentials
if SetCredentials is Unimplemented [GH-11585]
* ui: Fix namespace-bug on login [GH-11182]
v1.6.4:
April 21, 2021
Release vault v1.6.4
v1.6.3
February 25, 2021
SECURITY:
* Limited Unauthenticated License Read: We addressed a security
vulnerability that allowed for the unauthenticated reading of
Vault licenses from DR Secondaries. This vulnerability affects
Vault and Vault Enterprise and is fixed in 1.6.3 (CVE-2021-27668).
CHANGES:
* secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]
IMPROVEMENTS:
* ui: Clarify language on usage metrics page empty state [GH-10951]
BUG FIXES:
* auth/kubernetes: Cancel API calls to TokenReview endpoint when
request context is closed [GH-10930]
* core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
* quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
* quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
replication (enterprise): Don't write request count data on DR Secondaries.
* Fixes DR Secondaries becoming out of sync approximately every 30s. [GH-10970]
* secrets/azure (enterprise): Forward service principal credential
creation to the primary cluster if called on a performance
standby or performance secondary. [GH-10902]
|
2021-05-08 17:02:47 by Benny Siegert | Files touched by this commit (216) | |
Log message:
Revbump all Go packages after go116 update
|
2021-03-19 18:37:10 by Benny Siegert | Files touched by this commit (215) | |
Log message:
Revbump all Go packages after go115 update
|
2021-02-01 11:49:11 by Havard Eidnes | Files touched by this commit (2) | |
Log message:
Upgrade security/vault to version 1.6.2:
Pkgsrc changes:
* None
Upstream changes:
v1.6.2
January 29, 2021
SECURITY:
* IP Address Disclosure: We fixed a vulnerability where, under
some error conditions, Vault would return an error message
disclosing internal IP addresses. This vulnerability affects
Vault and Vault Enterprise and is fixed in 1.6.2 (CVE-2021-3024).
* Limited Unauthenticated Remove Peer: As of Vault 1.6, the
remove-peer command on DR secondaries did not require authentication.
This issue impacts the stability of HA architecture, as a bad
actor could remove all standby nodes from a DR secondary. This
issue affects Vault Enterprise 1.6.0 and 1.6.1, and is fixed in
1.6.2 (CVE-2021-3282).
* Mount Path Disclosure: Vault previously returned different HTTP
status codes for existent and non-existent mount paths. This
behavior would allow unauthenticated brute force attacks to
reveal which paths had valid mounts. This issue affects Vault
and Vault Enterprise and is fixed in 1.6.2 (CVE-2020-25594).
CHANGES:
* go: Update go version to 1.15.7 [GH-10730]
FEATURES:
* ui: Adds check for feature flag on application, and updates
namespace toolbar on login if present [GH-10588]
IMPROVEMENTS:
* core (enterprise): "vault status" command works when a namespace
is set. [GH-10725]
* core: reduce memory used by leases [GH-10726]
* storage/raft (enterprise): Listing of peers is now allowed on DR secondary
cluster nodes, as an update operation that takes in DR operation token for
authenticating the request.
BUG FIXES:
* agent: Set namespace for template server in agent. [GH-10757]
* core: Make the response to an unauthenticated request to
sys/internal endpoints consistent regardless of mount existence.
[GH-10650]
* metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
* secrets/gcp: Fix issue with account and iam_policy roleset WALs
not being removed after attempts when GCP project no longer
exists [GH-10759]
* storage/raft (enterprise): Automated snapshots with Azure required
specifying
* azure_blob_environment, which should have had as a default
AZUREPUBLICCLOUD.
* storage/raft (enterprise): Autosnapshots config and storage
weren't excluded from
* performance replication, causing conflicts and errors.
* ui: Fix bug that double encodes secret route when there are
spaces in the path and makes you unable to view the version
history. [GH-10596]
* ui: Fix expected response from feature-flags endpoint [GH-10684]
|
2021-01-23 15:23:16 by Benny Siegert | Files touched by this commit (209) | |
Log message:
Revbump all Go packages after go115 update
|
2021-01-05 12:02:51 by Havard Eidnes | Files touched by this commit (3) | |
Log message:
Upgrade vault to version 1.6.1:
Pkgsrc changes:
* Added a patch to cope with docker client default settings (build
also on NetBSD)
Upstream changes:
1.6.1
=====
December 16, 2020
SECURITY:
* LDAP Auth Method: We addressed an issue where error messages
returned by the LDAP auth methold allowed user enumeration
[GH-10537]. This vulnerability affects Vault OSS and Vault Enterprise
and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
* Sentinel EGP: We've fixed incorrect handling of namespace paths
to prevent users within namespaces from applying Sentinel EGP
policies to paths above their namespace. This vulnerability
affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1
(CVE-2020-35453).
IMPROVEMENTS:
* auth/ldap: Improve consistency in error messages [GH-10537]
* core/metrics: Added "vault operator usage" command. [GH-10365]
* secrets/gcp: Truncate ServiceAccount display names longer than
100 characters. [GH-10558]
BUG FIXES:
* agent: Only set the namespace if the VAULT_NAMESPACE env var
isn't present [GH-10556]
* auth/jwt: Fixes bound_claims validation for provider-specific
group and user info fetching. [GH-10546]
* core (enterprise): Vault EGP policies attached to path * were
not correctly scoped to the namespace.
* core: Avoid deadlocks by ensuring that if grabLockOrStop returns
stopped=true, the lock will not be held. [GH-10456]
* core: Fix client.Clone() to include the address [GH-10077]
* core: Fix rate limit resource quota migration from 1.5.x to
1.6.x by ensuring purgeInterval and staleAge are set appropriately.
[GH-10536]
* core: Make all APIs that report init status consistent, and make
them report initialized=true when a Raft join is in progress.
[GH-10498]
* secrets/database/influxdb: Fix issue where not all errors from
InfluxDB were being handled [GH-10384]
* secrets/database/mysql: Fixes issue where the DisplayName within
generated usernames was the incorrect length [GH-10433]
* secrets/database: Sanitize private_key field when reading database
plugin config [GH-10416]
* secrets/transit: allow for null string to be used for optional
parameters in encrypt and decrypt [GH-10386]
* storage/raft (enterprise): The parameter aws_s3_server_kms_key
was misnamed and didn't work. Renamed to aws_s3_kms_key, and
make it work so that when provided the given key will be used
to encrypt the snapshot using AWS KMS.
* transform (enterprise): Fix bug tokenization handling metadata
on exportable stores
* transform (enterprise): Fix transform configuration not handling
stores parameter on the legacy path
* transform (enterprise): Make expiration timestamps human readable
* transform (enterprise): Return false for invalid tokens on the
validate endpoint rather than returning an HTTP error
* transform (enterprise): Fix bug where tokenization store changes
are persisted but don't take effect
* ui: Fix bug in Transform secret engine when a new role is added
and then removed from a transformation [GH-10417]
* ui: Fix footer URL linking to the correct version changelog.
[GH-10491]
* ui: Fox radio click on secrets and auth list pages. [GH-10586]
1.6.0
=====
November 11th, 2020
NOTE:
Binaries for 32-bit macOS (i.e. the darwin_386 build) will no longer
be published. This target was dropped in the latest version of the
Go compiler.
CHANGES:
* agent: Agent now properly returns a non-zero exit code on error,
such as one due to template rendering failure. Using
error_on_missing_key in the template config will cause agent to
immediately exit on failure. In order to make agent properly
exit due to continuous failure from template rendering errors,
the old behavior of indefinitely restarting the template server
is now changed to exit once the default retry attempt of 12
times (with exponential backoff) gets exhausted. [GH-9670]
* token: Periodic tokens generated by auth methods will have the
period value stored in its token entry. [GH-7885]
* core: New telemetry metrics reporting mount table size and number
of entries [GH-10201]
* go: Updated Go version to 1.15.4 [GH-10366]
FEATURES:
* Couchbase Secrets: Vault can now manage static and dynamic
credentials for Couchbase. [GH-9664]
* Expanded Password Policy Support: Custom password policies are
now supported for all database engines.
* Integrated Storage Auto Snapshots (Enterprise): This feature
enables an operator to schedule snapshots of the integrated
storage backend and ensure those snapshots are persisted elsewhere.
* Integrated Storage Cloud Auto Join: This feature for integrated
storage enables Vault nodes running in the cloud to automatically
discover and join a Vault cluster via operator-supplied metadata.
* Key Management Secrets Engine (Enterprise; Tech Preview): This
new secret engine allows securely distributing and managing keys
to Azure cloud KMS services.
* Seal Migration: With Vault 1.6, we will support migrating from
an auto unseal mechanism to a different mechanism of the same
type. For example, if you were using an AWS KMS key to automatically
unseal, you can now migrate to a different AWS KMS key.
* Tokenization (Enterprise; Tech Preview): Tokenization supports
creating irreversible "tokens" from sensitive data. Tokens can
be used in less secure environments, protecting the original
data.
* Vault Client Count: Vault now counts the number of active entities
(and non-entity tokens) per month and makes this information
available via the "Metrics" section of the UI.
IMPROVEMENTS:
* auth/approle: Role names can now be referenced in templated
policies through the approle.metadata.role_name property [GH-9529]
* auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs
and include role name on error messages on check failure [GH-10036]
* auth/jwt: Add support for fetching groups and user information
from G Suite during authentication. [GH-123]
* auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
* auth/jwt: Improve cli authorization error [GH-137]
* auth/jwt: Add OIDC namespace_in_state option [GH-140]
* secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
* command/server: Delay informational messages in -dev mode until
logs have settled. [GH-9702]
* command/server: Add environment variable support for disable_mlock.
[GH-9931]
* core/metrics: Add metrics for storage cache [GH_10079]
* core/metrics: Add metrics for leader status [GH 10147]
* physical/azure: Add the ability to use Azure Instance Metadata
Service to set the credentials for Azure Blob storage on the
backend. [GH-10189]
* sdk/framework: Add a time type for API fields. [GH-9911]
* secrets/database: Added support for password policies to all
databases [GH-9641, and more]
* secrets/database/cassandra: Added support for static credential
rotation [GH-10051]
* secrets/database/elasticsearch: Added support for static credential
rotation [GH-19]
* secrets/database/hanadb: Added support for root credential &
static credential rotation [GH-10142]
* secrets/database/hanadb: Default password generation now includes
dashes. Custom statements may need to be updated to include
quotes around the password field [GH-10142]
* secrets/database/influxdb: Added support for static credential
rotation [GH-10118]
* secrets/database/mongodbatlas: Added support for root credential
rotation [GH-14]
* secrets/database/mongodbatlas: Support scopes field in creations
statements for MongoDB Atlas database plugin [GH-15]
* seal/awskms: Add logging during awskms auto-unseal [GH-9794]
* storage/azure: Update SDK library to use azure-storage-blob-go
since previous library has been deprecated. [GH-9577]
* secrets/ad: rotate-root now supports POST requests like other
secret engines [GH-70]
* ui: Add ui functionality for the Transform Secret Engine [GH-9665]
* ui: Pricing metrics dashboard [GH-10049]
BUG FIXES:
* auth/jwt: Fix bug preventing config edit UI from rendering [GH-141]
* cli: Don't open or overwrite a raft snapshot file on an unsuccessful
vault operator raft snapshot [GH-9894]
* core: Implement constant time version of shamir GF(2^8) math [GH-9932]
* core: Fix resource leak in plugin API (plugin-dependent, not
all plugins impacted) [GH-9557]
* core: Fix race involved in enabling certain features via a
license change
* core: Fix error handling in HCL parsing of objects with invalid
syntax [GH-410]
* identity: Check for timeouts in entity API [GH-9925]
* secrets/database: Fix handling of TLS options in mongodb connection
strings [GH-9519]
* secrets/gcp: Ensure that the IAM policy version is appropriately
set after a roleset's bindings have changed. [GH-93]
* ui: Mask LDAP bindpass while typing [GH-10087]
* ui: Update language in promote dr modal flow [GH-10155]
* ui: Update language on replication primary dashboard for clarity
[GH-10205]
* core: Fix bug where updating an existing path quota could
introduce a conflict. [GH-10285]
1.5.6
=====
December 16, 2020
SECURITY:
* LDAP Auth Method: We addressed an issue where error messages
returned by the LDAP auth methold allowed user enumeration
[GH-10537]. This vulnerability affects Vault OSS and Vault
Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
* Sentinel EGP: We've fixed incorrect handling of namespace paths
to prevent users within namespaces from applying Sentinel EGP
policies to paths above their namespace. This vulnerability
affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1.
IMPROVEMENTS:
* auth/ldap: Improve consistency in error messages [GH-10537]
BUG FIXES:
* core (enterprise): Vault EGP policies attached to path * were
not correctly scoped to the namespace.
* core: Fix bug where updating an existing path quota could
introduce a conflict [GH-10285]
* core: Fix client.Clone() to include the address [GH-10077]
* quotas (enterprise): Reset cache before loading quotas in the
db during startup
* secrets/transit: allow for null string to be used for optional
parameters in encrypt and decrypt [GH-10386]
1.5.5
=====
October 21, 2020
IMPROVEMENTS:
* auth/aws, core/seal, secret/aws: Set default IMDS timeouts to
match AWS SDK [GH-10133]
BUG FIXES:
* auth/aws: Restrict region selection when in the aws-us-gov
partition to avoid IAM errors [GH-9947]
* core (enterprise): Allow operators to add and remove (Raft)
peers in a DR secondary cluster using Integrated Storage.
* core (enterprise): Add DR operation token to the remove peer
API and CLI command (when DR secondary).
* core (enterprise): Fix deadlock in handling EGP policies
* core (enterprise): Fix extraneous error messages in DR Cluster
* secrets/mysql: Conditionally overwrite TLS parameters for MySQL
secrets engine [GH-9729]
* secrets/ad: Fix bug where password_policy setting was not using
correct key when ad/config was read [GH-71]
* ui: Fix issue with listing roles and methods on the same auth
methods with different names [GH-10122]
1.5.4
=====
September 24th, 2020
SECURITY:
* Batch Token Expiry: We addressed an issue where batch token
leases could outlive their TTL because we were not scheduling
the expiration time correctly. This vulnerability affects Vault
OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7
and 1.5.4 (CVE-2020-25816).
IMPROVEMENTS:
* secrets/pki: Handle expiration of a cert not in storage as a
success [GH-9880]
* auth/kubernetes: Add an option to disable defaulting to the
local CA cert and service account JWT when running in a Kubernetes
pod [GH-97]
* secrets/gcp: Add check for 403 during rollback to prevent repeated
deletion calls [GH-97]
* core: Disable usage metrics collection on performance standby
nodes. [GH-9966]
* credential/aws: Added X-Amz-Content-Sha256 as a default STS
request header [GH-10009]
BUG FIXES:
* agent: Fix disable_fast_negotiation not being set on the auth
method when configured by user. [GH-9892]
* core (enterprise): Fix hang when cluster-wide plugin reload
cleanup is slow on unseal
* core (enterprise): Fix an error in cluster-wide plugin reload
cleanup following such a reload
* core: Fix crash when metrics collection encounters zero-length
keys in KV store [GH-9811]
* mfa (enterprise): Fix incorrect handling of PingID responses
that could result in auth requests failing
* replication (enterprise): Improve race condition when using a
newly created token on a performance standby node
* replication (enterprise): Only write failover cluster addresses
if they've changed
* ui: fix bug where dropdown for identity/entity management is not
reflective of actual policy [GH-9958]
|
2020-11-13 20:26:26 by Benny Siegert | Files touched by this commit (202) | |
Log message:
Revbump all Go packages after go115 update
|
2020-11-08 22:59:39 by Benny Siegert | Files touched by this commit (202) | |
Log message:
Revbump all Go packages after Go 1.15 update.
|