Changelog updates for 1.7.1/1.6.4/1.5.8 (#11426)
parent 7ee6acf780
commit 6b968b402b
103
CHANGELOG.md
|
@ -1,5 +1,49 @@
|
|||
## 1.8.0 (Unreleased)
|
||||
|
||||
## 1.7.1
|
||||
### 21 April 2021
|
||||
|
||||
SECURITY:
|
||||
|
||||
* The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the
|
||||
Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions
|
||||
1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668)
|
||||
* The Cassandra Database and Storage backends were not correctly verifying TLS certificates. This issue affects all
|
||||
versions of Vault and Vault Enterprise and was fixed in versions 1.6.4, and 1.7.1. (CVE-2021-27400)
|
||||
|
||||
CHANGES:
|
||||
|
||||
* go: Update to Go 1.15.11 [[GH-11395](https://github.com/hashicorp/vault/pull/11395)]
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* auth/jwt: Adds ability to directly provide service account JSON in G Suite provider config. [[GH-11388](https://github.com/hashicorp/vault/pull/11388)]
|
||||
* core: Add tls_max_version listener config option. [[GH-11226](https://github.com/hashicorp/vault/pull/11226)]
|
||||
* core: Add metrics for standby node forwarding. [[GH-11366](https://github.com/hashicorp/vault/pull/11366)]
|
||||
* core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [[GH-11364](https://github.com/hashicorp/vault/pull/11364)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* core: Fix cleanup of storage entries from cubbyholes within namespaces. [[GH-11408](https://github.com/hashicorp/vault/pull/11408)]
|
||||
* core: Fix goroutine leak when updating rate limit quota [[GH-11371](https://github.com/hashicorp/vault/pull/11371)]
|
||||
* core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [[GH-11377](https://github.com/hashicorp/vault/pull/11377)]
|
||||
* core: requests forwarded by standby weren't always timed out. [[GH-11322](https://github.com/hashicorp/vault/pull/11322)]
|
||||
* pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [[GH-11367](https://github.com/hashicorp/vault/pull/11367)]
|
||||
* replication: Fix: mounts created within a namespace that was part of an Allow
|
||||
filtering rule would not appear on performance secondary if created after rule
|
||||
was defined. [[GH-1807](https://github.com/hashicorp/vault/pull/1807)]
|
||||
* replication: Perf standby nodes on newly enabled DR secondary sometimes couldn't connect to active node with TLS errors. [[GH-1823](https://github.com/hashicorp/vault/pull/1823)]
|
||||
* secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [[GH-11365](https://github.com/hashicorp/vault/pull/11365)]
|
||||
* secrets/database/cassandra: Updated default statement for password rotation to allow for special characters. This applies to root and static credentials. [[GH-11262](https://github.com/hashicorp/vault/pull/11262)]
|
||||
* storage/dynamodb: Handle throttled batch write requests by retrying, without which writes could be lost. [[GH-10181](https://github.com/hashicorp/vault/pull/10181)]
|
||||
* storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [[GH-11252](https://github.com/hashicorp/vault/pull/11252)]
|
||||
* ui: Add root rotation statements support to appropriate database secret engine plugins [[GH-11404](https://github.com/hashicorp/vault/pull/11404)]
|
||||
* ui: Fix bug where the UI does not recognize version 2 KV until refresh, and fix [object Object] error message [[GH-11258](https://github.com/hashicorp/vault/pull/11258)]
|
||||
* ui: Fix footer URL linking to the correct version changelog. [[GH-11283](https://github.com/hashicorp/vault/pull/11283)]
|
||||
* ui: Fix namespace-bug on login [[GH-11182](https://github.com/hashicorp/vault/pull/11182)]
|
||||
* ui: Fix status menu no showing on login [[GH-11213](https://github.com/hashicorp/vault/pull/11213)]
|
||||
* ui: fix issue where select-one option was not showing in secrets database role creation [[GH-11294](https://github.com/hashicorp/vault/pull/11294)]
|
||||
|
||||
## 1.7.0
|
||||
### 24 March 2021
|
||||
|
||||
|
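Review bot: The two SECURITY bullets under 1.7.1 give CVE IDs but no link to the fixing change, while the fixes themselves are listed lower down under BUG FIXES as GH-11367 (pki tidy only removing revoked entries past NotAfter) and GH-11365 (cassandra hostname validation with TLS). Append those references to the SECURITY bullets so someone triaging CVE-2021-27668 or CVE-2021-27400 can reach the patch directly. Smaller points in the same section: "fixed in versions 1.6.4, and 1.7.1" has a stray comma, "Fix status menu no showing on login" should read "not showing", and the two replication entries link GH-1807 and GH-1823 under hashicorp/vault/pull/, numbers far below every other pull request cited for this release, so confirm those URLs resolve to the intended changes.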
@ -139,6 +183,40 @@ the given key will be used to encrypt the snapshot using AWS KMS.
|
|||
DEPRECATIONS:
|
||||
* aws/auth: AWS Auth endpoints that use the "whitelist" and "blacklist" terms have been deprecated.
|
||||
Refer to the CHANGES section for additional details.
|
||||
|
||||
## 1.6.4
|
||||
### 21 April 2021
|
||||
|
||||
SECURITY:
|
||||
|
||||
* The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the
|
||||
Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions
|
||||
1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668)
|
||||
* The Cassandra Database and Storage backends were not correctly verifying TLS certificates. This issue affects all
|
||||
versions of Vault and Vault Enterprise and was fixed in versions 1.6.4, and 1.7.1. (CVE-2021-27400)
|
||||
|
||||
CHANGES:
|
||||
|
||||
* go: Update to Go 1.15.11 [[GH-11396](https://github.com/hashicorp/vault/pull/11396)]
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* command/debug: Now collects logs (at level `trace`) as a periodic output. [[GH-10609](https://github.com/hashicorp/vault/pull/10609)]
|
||||
* core: Add tls_max_version listener config option. [[GH-11226](https://github.com/hashicorp/vault/pull/11226)]
|
||||
* core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [[GH-11364](https://github.com/hashicorp/vault/pull/11364)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* core: Fix cleanup of storage entries from cubbyholes within namespaces. [[GH-11408](https://github.com/hashicorp/vault/pull/11408)]
|
||||
* core: Fix goroutine leak when updating rate limit quota [[GH-11371](https://github.com/hashicorp/vault/pull/11371)]
|
||||
* core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [[GH-11377](https://github.com/hashicorp/vault/pull/11377)]
|
||||
* pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [[GH-11367](https://github.com/hashicorp/vault/pull/11367)]
|
||||
* replication: Fix: mounts created within a namespace that was part of an Allow
|
||||
filtering rule would not appear on performance secondary if created after rule
|
||||
was defined. [[GH-1807](https://github.com/hashicorp/vault/pull/1807)]
|
||||
* secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [[GH-11365](https://github.com/hashicorp/vault/pull/11365)]
|
||||
* storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [[GH-11252](https://github.com/hashicorp/vault/pull/11252)]
|
||||
|
||||
|
||||
## 1.6.3
|
||||
### February 25, 2021
|
||||
|
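Review bot: The CVE-2021-27400 bullet in the 1.6.4 SECURITY list names "The Cassandra Database and Storage backends", but BUG FIXES in this section only has a secrets/database/cassandra entry (GH-11365) and nothing under storage/cassandra. Either add the storage backend entry or state in the existing one that GH-11365 covers both, otherwise operators using Cassandra as a storage backend cannot tell from this section whether 1.6.4 fixes their case. The replication entry repeats the GH-1807 link under hashicorp/vault/pull/ and needs the same check as in 1.7.1, and there is one more blank line before "## 1.6.3" than the other release sections use.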
@ -335,6 +413,29 @@ BUG FIXES:
|
|||
* ui: Update language on replication primary dashboard for clarity [[GH-10205](https://github.com/hashicorp/vault/pull/10217)]
|
||||
* core: Fix bug where updating an existing path quota could introduce a conflict. [[GH-10285](https://github.com/hashicorp/vault/pull/10285)]
|
||||
|
||||
## 1.5.8
|
||||
### 21 April 2021
|
||||
|
||||
SECURITY:
|
||||
|
||||
* The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the
|
||||
Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions
|
||||
1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668)
|
||||
|
||||
CHANGES:
|
||||
|
||||
* go: Update to Go 1.14.15 [[GH-11397](https://github.com/hashicorp/vault/pull/11397)]
|
||||
|
||||
IMPROVEMENTS:
|
||||
|
||||
* core: Add tls_max_version listener config option. [[GH-11226](https://github.com/hashicorp/vault/pull/11226)]
|
||||
|
||||
BUG FIXES:
|
||||
|
||||
* core/identity: Fix deadlock in entity merge endpoint. [[GH-10877](https://github.com/hashicorp/vault/pull/10877)]
|
||||
* core: Fix cleanup of storage entries from cubbyholes within namespaces. [[GH-11408](https://github.com/hashicorp/vault/pull/11408)]
|
||||
* pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [[GH-11367](https://github.com/hashicorp/vault/pull/11367)]
|
||||
|
||||
## 1.5.7
|
||||
### January 29, 2021
|
||||
|
||||
|
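Review bot: The 1.5.8 SECURITY list carries only CVE-2021-27668, while the 1.7.1 and 1.6.4 sections say the Cassandra TLS verification issue "affects all versions of Vault and Vault Enterprise and was fixed in versions 1.6.4, and 1.7.1". A reader who upgrades to 1.5.8 from this section alone gets no indication that CVE-2021-27400 still applies to the 1.5.x line; add a bullet here saying so and pointing to 1.6.4 or 1.7.1, or correct the affected-versions wording if 1.5.x is not affected. The new sections also use "21 April 2021" where the neighbouring 1.5.7 and 1.6.3 headings use "January 29, 2021" and "February 25, 2021", and the unchanged context line above links the label GH-10205 to pull/10217.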
@ -366,7 +467,7 @@ BUG FIXES:
|
|||
SECURITY:
|
||||
|
||||
* LDAP Auth Method: We addressed an issue where error messages returned by the
|
||||
LDAP auth methold allowed user enumeration [[GH-10537](https://github.com/hashicorp/vault/pull/10537)]. This vulnerability affects Vault OSS and Vault
|
||||
LDAP auth method allowed user enumeration [[GH-10537](https://github.com/hashicorp/vault/pull/10537)]. This vulnerability affects Vault OSS and Vault
|
||||
Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
|
||||
* Sentinel EGP: We've fixed incorrect handling of namespace paths to prevent
|
||||
users within namespaces from applying Sentinel EGP policies to paths above
|
||||
|
|