This perl module implements JSON Web Token (JWT). The implementation
covers not only JSON Web Signature (JWS), but also JSON Web Encryption
(JWE).
The module implements all algorithms defined in JSON Web Algorithms
(JWA).
This module supports Compact JWS/JWE and Flattened JWS/JWE JSON
serialization, general JSON serialization is not supported yet.
The OWASP Amass Project performs network mapping of attack surfaces and
external asset discovery using open source information gathering and
active reconnaissance techniques.
Pkgsrc changes:
* Added a patch to cope with fromStatT on NetBSD
* Added a patch to cope with docker client default settings (build
also on NetBSD)
Upstream changes:
1.5.3 (August 27th, 2020)
NOTE:
All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8,
1.2.6, and 1.2.5 has been made fully open source, and the git tags for
1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source
users.
BUG FIXES:
* auth/aws: Made header handling for IAM authentication more robust
* secrets/ssh: Fixed a bug with role option for SSH signing algorithm
to allow more than RSA signing
## 1.5.1
CHANGES:
* pki: The tidy operation will now remove revoked certificates if the
parameter `tidy_revoked_certs` is set to `true`. This will result in
certificate entries being immediately removed, as opposed to
awaiting until its NotAfter time. Note that this only affects
certificates that have been already
revoked. [[GH-9609](https://github.com/hashicorp/vault/pull/9609)]
IMPROVEMENTS:
* auth/jwt: Add support for fetching groups and user information from
G Suite during
authentication. [[GH-9574](https://github.com/hashicorp/vault/pull/9574)]
* secrets/openldap: Add "ad" schema that allows the engine to
correctly rotate AD
passwords. [[GH-9740](https://github.com/hashicorp/vault/pull/9740)]
* ui: Wrap TTL option on transit engine export action is updated to a
new component.
[[GH-9632](https://github.com/hashicorp/vault/pull/9632)]
BUG FIXES:
* secrets/gcp: Ensure that the IAM policy version is appropriately set
after a roleset's bindings have
changed. [[GH-9603](https://github.com/hashicorp/vault/pull/9603)]
* replication (enterprise): Fix status API output incorrectly stating
replication is in `idle` state.
* core: Fix panic when printing over-long info fields at startup
[[GH-9681](https://github.com/hashicorp/vault/pull/9681)]
## 1.5.0
### July 21st, 2020
CHANGES:
* storage/raft: The storage configuration now accepts a new
`max_entry_size` config that will limit the total size in bytes of
any entry committed via raft. It defaults to `"1048576"`
(1MiB). [[GH-9027](https://github.com/hashicorp/vault/pull/9027)]
* token: Token creation with custom token ID via `id` will no longer
allow periods (`.`) as part of the input string.
The final generated token value may contain periods, such as the
`s.` prefix for service token
indication. [[GH-8646](https://github.com/hashicorp/vault/pull/8646/files)]
* token: Token renewals will now return token policies within the
`token_policies` , identity policies within `identity_policies`, and
the full policy set within
`policies`. [[GH-8535](https://github.com/hashicorp/vault/pull/8535)]
* cubbyhole: Reject reads and writes to an empty ("")
path. [[GH-8971](https://github.com/hashicorp/vault/pull/8971)]
* core: Remove the addition of newlines to parsed configuration when
using integer/boolean values
[[GH-8928](https://github.com/hashicorp/vault/pull/8928)]
* audit: Token TTL and issue time are now provided in the auth portion
of audit logs. [[GH-9091](https://github.com/hashicorp/vault/pull/9091)]
IMPROVEMENTS:
* audit: Replication status requests are no longer
audited. [[GH-8877](https://github.com/hashicorp/vault/pull/8877)]
* audit: Added mount_type field to requests and
responses. [[GH-9167](https://github.com/hashicorp/vault/pull/9167)]
* auth/aws: Add support for Web Identity credentials
[[GH-7738](https://github.com/hashicorp/vault/pull/7738)]
* auth/jwt: Support users that are members of more than 200 groups on Azure
[[GH-120](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/120)]
* auth/kubernetes: Allow disabling `iss` validation
[[GH-91](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/91)]
* core: Add the Go version used to build a Vault binary to the server message
output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)]
* core: Added Password Policies for user-configurable password generation
[[GH-8637](https://github.com/hashicorp/vault/pull/8637)]
* core: New telemetry metrics covering token counts, token creation, KV
secret counts, lease
creation. [[GH-9239](https://github.com/hashicorp/vault/pull/9239)]
[[GH-9250](https://github.com/hashicorp/vault/pull/9250)]
[[GH-9244](https://github.com/hashicorp/vault/pull/9244)]
[[GH-9052](https://github.com/hashicorp/vault/pull/9052)]
* cli: Support reading TLS parameters from file for the `vault operator raft
join` command. [[GH-9060](https://github.com/hashicorp/vault/pull/9060)]
* plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin
reload`, for reloading
plugins. [[GH-8777](https://github.com/hashicorp/vault/pull/8777)]
* plugin (enterprise): Add a scope field to plugin reload, which when global,
reloads the plugin anywhere in a
cluster. [[GH-9347](https://github.com/hashicorp/vault/pull/9347)]
* sdk/framework: Support accepting TypeFloat parameters over the API
[[GH-8923](https://github.com/hashicorp/vault/pull/8923)]
* secrets/aws: Add iam_groups parameter to role create/update
[[GH-8811](https://github.com/hashicorp/vault/pull/8811)]
* secrets/database: Add static role rotation for MongoDB Atlas database
plugin
[[GH-11](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/11)]
* secrets/database: Add static role rotation for MSSQL database plugin
[[GH-9062](https://github.com/hashicorp/vault/pull/9062)]
* secrets/database: Allow InfluxDB to use insecure TLS without cert bundle
[[GH-8778](https://github.com/hashicorp/vault/pull/8778)]
* secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints
[[GH-78](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/78)]
* secrets/pki: Allow 3072-bit RSA keys
[[GH-8343](https://github.com/hashicorp/vault/pull/8343)]
* secrets/ssh: Add a CA-mode role option to specify signing algorithm
[[GH-9096](https://github.com/hashicorp/vault/pull/9096)]
* secrets/transit: Transit requests that make use of keys now include a new
field `key_version` in their responses
[[GH-8775](https://github.com/hashicorp/vault/pull/8775)]
* secrets/transit: Improving transit batch encrypt and decrypt latencies
[[GH-9100](https://github.com/hashicorp/vault/pull/9100)]
* sentinel: Add a sentinel config section, and "additional_enabled_modules",
a list of Sentinel modules that may be imported in addition to the
defaults.
* ui: Update TTL picker styling on SSH secret engine
[[GH-8891](https://github.com/hashicorp/vault/pull/8891)]
* ui: Only render the JWT input field of the Vault login form on mounts
configured for JWT auth
[[GH-8952](https://github.com/hashicorp/vault/pull/8952)]
* cli: Add a new subcommand, `vault monitor`, for tailing server logs in the
console. [[GH-8477](https://github.com/hashicorp/vault/pull/8477)]
* ui: Add replication dashboards. Improve replication management
workflows. [[GH-8705]](https://github.com/hashicorp/vault/pull/8705).
BUG FIXES:
* agent: Restart template server when it shuts down
[[GH-9200](https://github.com/hashicorp/vault/pull/9200)]
* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI)
auth method could not authenticate when the plugin backend was mounted at a
non-default path.
[[GH-7](https://github.com/hashicorp/vault-plugin-auth-oci/pull/7)]
* core: Extend replicated cubbyhole fix in 1.4.0 to cover case where a
performance primary is also a DR primary
[[GH-9148](https://github.com/hashicorp/vault/pull/9148)]
* secrets/aws: Fix issue where performance standbys weren't able to generate
STS credentials after an IAM access key rotation in AWS and root IAM
credential update in Vault
[[GH-9186](https://github.com/hashicorp/vault/pull/9186)]
* secrets/database: Fix issue where rotating root database credentials while
Vault's storage backend is unavailable causes Vault to lose access to the
database [[GH-8782](https://github.com/hashicorp/vault/pull/8782)]
* secrets/database: Fix issue that prevents performance standbys from
connecting to databases after a root credential rotation
[[GH-9129](https://github.com/hashicorp/vault/pull/9129)]
* secrets/gcp: Fix issue were updates were not being applied to the
`token_scopes` of a roleset.
[[GH-90](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/90)]
* secrets/kv: Return the value of delete_version_after when reading
kv/config, even if it is set to the default.
[[GH-42](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/42)]
* ui: Add Toggle component into core addon so it is available in KMIP and
other Ember Engines.
[[GH-8913]](https://github.com/hashicorp/vault/pull/8913)
* ui: Disallow max versions value of large than 9999999999999999 on kv2
secrets engine. [[GH-9242](https://github.com/hashicorp/vault/pull/9242)]
## 1.4.3 (TBD)
IMPROVEMENTS:
* auth/aws: Add support for Web Identity credentials
[[GH-9251](https://github.com/hashicorp/vault/pull/9251)]
* core: Add the Go version used to build a Vault binary to the server message
output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)]
* secrets/database: Add static role rotation for MongoDB Atlas database
plugin [[GH-9311](https://github.com/hashicorp/vault/pull/9311)]
* ui: Link to the Vault Changelog in the UI footer
[[GH-9216](https://github.com/hashicorp/vault/pull/9216)]
BUG FIXES:
* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI)
auth method could not authenticate when the plugin backend was mounted at a
non-default path. [[GH-9278](https://github.com/hashicorp/vault/pull/9278)]
* replication: The issue causing cubbyholes in namespaces on performance
secondaries to not work, which was fixed in 1.4.0, was still an issue when
the primary was both a performance primary and DR primary.
* secrets/aws: Fix issue where performance standbys weren't able to generate
STS credentials after an IAM access key rotation in AWS and root IAM
credential update in Vault
[[GH-9207](https://github.com/hashicorp/vault/pull/9207)]
* secrets/database: Fix issue that prevents performance standbys from
connecting to databases after a root credential rotation
[[GH-9208](https://github.com/hashicorp/vault/pull/9208)]
* secrets/gcp: Fix issue were updates were not being applied to the
`token_scopes` of a roleset.
[[GH-9277](https://github.com/hashicorp/vault/pull/9277)]
## 1.4.2 (May 21st, 2020)
SECURITY:
* core: Proxy environment variables are now redacted before being logged, in
case the URLs include a username:password. This vulnerability,
CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1,
as well as older versions of Vault
[[GH-9022](https://github.com/hashicorp/vault/pull/9022)]
* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being
used instead of the configured backend TTLs for dynamic service
accounts. This vulnerability is CVE-2020-12757.
[[GH-85](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85)]
IMPROVEMENTS:
* storage/raft: The storage stanza now accepts `leader_ca_cert_file`,
`leader_client_cert_file`, and `leader_client_key_file` parameters to read
and parse TLS certificate information from paths on disk.
Existing non-path based parameters will continue to work, but their values
will need to be provided as a single-line string with newlines delimited by
`\n`. [[GH-8894](https://github.com/hashicorp/vault/pull/8894)]
* storage/raft: The `vault status` CLI command and the `sys/leader` API now
contain the committed and applied raft indexes.
[[GH-9011](https://github.com/hashicorp/vault/pull/9011)]
BUG FIXES:
* auth/aws: Fix token renewal issues caused by the metadata changes in 1.4.1
[[GH-8991](https://github.com/hashicorp/vault/pull/8991)]
* auth/ldap: Fix 1.4.0 regression that could result in auth failures when
LDAP auth config includes upndomain.
[[GH-9041](https://github.com/hashicorp/vault/pull/9041)]
* secrets/ad: Forward rotation requests from standbys to active clusters
[[GH-66](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/66)]
* secrets/database: Prevent generation of usernames that are not allowed by
the MongoDB Atlas API
[[GH-9](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/9)]
* secrets/database: Return an error if a manual rotation of static account
credentials fails [[GH-9035](https://github.com/hashicorp/vault/pull/9035)]
* secrets/openldap: Forward all rotation requests from standbys to active
clusters [[GH-9028](https://github.com/hashicorp/vault/pull/9028)]
* secrets/transform (enterprise): Fix panic that could occur when accessing
cached template entries, such as a requests that accessed templates
directly or indirectly from a performance standby node.
* serviceregistration: Fix a regression for Consul service registration that
ignored using the listener address as the redirect address unless api_addr
was provided. It now properly uses the same redirect address as the one
used by Vault's Core object.
[[GH-8976](https://github.com/hashicorp/vault/pull/8976)]
* storage/raft: Advertise the configured cluster address to the rest of the
nodes in the raft cluster. This fixes an issue where a node advertising
0.0.0.0 is not using a unique hostname.
[[GH-9008](https://github.com/hashicorp/vault/pull/9008)]
* storage/raft: Fix panic when multiple nodes attempt to join the cluster at
once. [[GH-9008](https://github.com/hashicorp/vault/pull/9008)]
* sys: The path provided in `sys/internal/ui/mounts/:path` is now
namespace-aware. This fixes an issue with `vault kv` subcommands that had
namespaces provided in the path returning permission denied all the time.
[[GH-8962](https://github.com/hashicorp/vault/pull/8962)]
* ui: Fix snowman that appears when namespaces have more than one period
[[GH-8910](https://github.com/hashicorp/vault/pull/8910)]
## 1.4.1 (April 30th, 2020)
CHANGES:
* auth/aws: The default set of metadata fields added in 1.4.1 has been
changed to `account_id` and `auth_type`
[[GH-8783](https://github.com/hashicorp/vault/pull/8783)]
* storage/raft: Disallow `ha_storage` to be specified if `raft` is set as the
`storage` type. [[GH-8707](https://github.com/hashicorp/vault/pull/8707)]
IMPROVEMENTS:
* auth/aws: The set of metadata stored during login is now configurable
[[GH-8783](https://github.com/hashicorp/vault/pull/8783)]
* auth/aws: Improve region selection to avoid errors seen if the account
hasn't enabled some newer AWS regions
[[GH-8679](https://github.com/hashicorp/vault/pull/8679)]
* auth/azure: Enable login from Azure VMs with user-assigned identities
[[GH-33](https://github.com/hashicorp/vault-plugin-auth-azure/pull/33)]
* auth/gcp: The set of metadata stored during login is now configurable
[[GH-92](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/92)]
* auth/gcp: The type of alias name used during login is now configurable
[[GH-95](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/95)]
* auth/ldap: Improve error messages during LDAP operation failures
[[GH-8740](https://github.com/hashicorp/vault/pull/8740)]
* identity: Add a batch delete API for identity entities
[[GH-8785]](https://github.com/hashicorp/vault/pull/8785)
* identity: Improve performance of logins when no group updates are needed
[[GH-8795]](https://github.com/hashicorp/vault/pull/8795)
* metrics: Add `vault.identity.num_entities` metric
[[GH-8816]](https://github.com/hashicorp/vault/pull/8816)
* secrets/kv: Allow `delete-version-after` to be reset to 0 via the CLI
[[GH-8635](https://github.com/hashicorp/vault/pull/8635)]
* secrets/rabbitmq: Improve error handling and reporting
[[GH-8619](https://github.com/hashicorp/vault/pull/8619)]
* ui: Provide One Time Password during Operation Token generation process
[[GH-8630]](https://github.com/hashicorp/vault/pull/8630)
BUG FIXES:
* auth/okta: Fix MFA regression (introduced in
[GH-8143](https://github.com/hashicorp/vault/pull/8143)) from 1.4.0
[[GH-8807](https://github.com/hashicorp/vault/pull/8807)]
* auth/userpass: Fix upgrade value for `token_bound_cidrs` being ignored due
to incorrect key provided
[[GH-8826](https://github.com/hashicorp/vault/pull/8826/files)]
* config/seal: Fix segfault when seal block is removed
[[GH-8517](https://github.com/hashicorp/vault/pull/8517)]
* core: Fix an issue where users attempting to build Vault could receive Go
module checksum errors
[[GH-8770](https://github.com/hashicorp/vault/pull/8770)]
* core: Fix blocked requests if a SIGHUP is issued during a long-running
request has the state lock held.
Also fixes deadlock that can happen if `vault debug` with the config target
is ran during this time.
[[GH-8755](https://github.com/hashicorp/vault/pull/8755)]
* core: Always rewrite the .vault-token file as part of a `vault login` to
ensure permissions and ownership are set correctly
[[GH-8867](https://github.com/hashicorp/vault/pull/8867)]
* database/mongodb: Fix context deadline error that may result due to retry
attempts on failed commands
[[GH-8863](https://github.com/hashicorp/vault/pull/8863)]
* http: Fix superflous call messages from the http package on logs caused by
missing returns after `respondError` calls
[[GH-8796](https://github.com/hashicorp/vault/pull/8796)]
* namespace (enterprise): Fix namespace listing to return `key_info` when a
scoping namespace is also provided.
* seal/gcpkms: Fix panic that could occur if all seal parameters were
provided via environment variables
[[GH-8840](https://github.com/hashicorp/vault/pull/8840)]
* storage/raft: Fix memory allocation and incorrect metadata tracking issues
with snapshots [[GH-8793](https://github.com/hashicorp/vault/pull/8793)]
* storage/raft: Fix panic that could occur if `disable_clustering` was set to
true on Raft storage cluster
[[GH-8784](https://github.com/hashicorp/vault/pull/8784)]
* storage/raft: Handle errors returned from the API during snapshot
operations [[GH-8861](https://github.com/hashicorp/vault/pull/8861)]
* sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data
[[GH-8714](https://github.com/hashicorp/vault/pull/8714)]
## 1.4.0 (April 7th, 2020)
CHANGES:
* cli: The raft configuration command has been renamed to list-peers to avoid
confusion.
FEATURES:
* **Kerberos Authentication**: Vault now supports Kerberos authentication
using a SPNEGO token.
Login can be performed using the Vault CLI, API, or agent.
* **Kubernetes Service Discovery**: A new Kubernetes service discovery
feature where, if configured, Vault will tag Vault pods with their current
health status. For more, see
[#8249](https://github.com/hashicorp/vault/pull/8249).
* **MongoDB Atlas Secrets**: Vault can now generate dynamic credentials for
both MongoDB Atlas databases as well as the [Atlas programmatic
interface]
(https://docs.atlas.mongodb.com/tutorial/manage-programmatic-access/).
* **OpenLDAP Secrets Engine**: We now support password management of existing
OpenLDAP user entries. For more, see [#8360]
(https://github.com/hashicorp/vault/pull/8360/).
* **Redshift Database Secrets Engine**: The database secrets engine now
supports static and dynamic secrets for the Amazon Web Services (AWS)
Redshift service.
* **Service Registration Config**: A newly introduced `service_registration`
configuration stanza, that allows for service registration to be configured
separately from the storage backend. For more, see [#7887]
(https://github.com/hashicorp/vault/pull/7887/).
* **Transform Secrets Engine (Enterprise)**: A new secrets engine that
handles secure data transformation and tokenization against provided input
value.
* **Integrated Storage**: Promoted out of beta and into general availability
for both open-source and enterprise workloads.
IMPROVEMENTS:
* agent: add option to force the use of the auth-auth token, and ignore the
Vault token in the request
[[GH-8101](https://github.com/hashicorp/vault/pull/8101)]
* api: Restore and fix DNS SRV Lookup
[[GH-8520](https://github.com/hashicorp/vault/pull/8520)]
* audit: HMAC http_raw_body in audit log; this ensures that large
authenticated Prometheus metrics responses get replaced with short HMAC
values [[GH-8130](https://github.com/hashicorp/vault/pull/8130)]
* audit: Generate-root, generate-recovery-token, and
generate-dr-operation-token requests and responses are now
audited. [[GH-8301](https://github.com/hashicorp/vault/pull/8301)]
* auth/aws: Reduce the number of simultaneous STS client credentials needed
[[GH-8161](https://github.com/hashicorp/vault/pull/8161)]
* auth/azure: subscription ID, resource group, vm and vmss names are now
stored in alias metadata
[[GH-30](https://github.com/hashicorp/vault-plugin-auth-azure/pull/30)]
* auth/jwt: Additional OIDC callback parameters available for CLI logins
[[GH-80](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/80) &
[GH-86](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/86)]
* auth/jwt: Bound claims may be optionally configured using globs
[[GH-89](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/89)]
* auth/jwt: Timeout during OIDC CLI login if process doesn't complete within
2 minutes
[[GH-97](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/97)]
* auth/jwt: Add support for the `form_post` response mode
[[GH-98](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/98)]
* auth/jwt: add optional client_nonce to authorization flow
[[GH-104](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/104)]
* auth/okta: Upgrade okta sdk lib, which should improve handling of groups
[[GH-8143](https://github.com/hashicorp/vault/pull/8143)]
* aws: Add support for v2 of the instance metadata service (see [issue
7924](https://github.com/hashicorp/vault/issues/7924) for all linked PRs)
* core: Separate out service discovery interface from storage interface to allow
new types of service discovery not coupled to storage
[[GH-7887](https://github.com/hashicorp/vault/pull/7887)]
* core: Add support for telemetry option `metrics_prefix`
[[GH-8340](https://github.com/hashicorp/vault/pull/8340)]
* core: Entropy Augmentation can now be used with AWS KMS and Vault Transit
seals
* core: Allow tls_min_version to be set to TLS 1.3
[[GH-8305](https://github.com/hashicorp/vault/pull/8305)]
* cli: Incorrect TLS configuration will now correctly fail
[[GH-8025](https://github.com/hashicorp/vault/pull/8025)]
* identity: Allow specifying a custom `client_id` for identity tokens
[[GH-8165](https://github.com/hashicorp/vault/pull/8165)]
* metrics/prometheus: improve performance with high volume of metrics updates
[[GH-8507](https://github.com/hashicorp/vault/pull/8507)]
* replication (enterprise): Fix race condition causing clusters with high
throughput writes to sometimes fail to enter streaming-wal mode
* replication (enterprise): Secondary clusters can now perform an extra gRPC
call to all nodes in a primary
cluster in an attempt to resolve the active node's address
* replication (enterprise): The replication status API now outputs
`last_performance_wal`, `last_dr_wal`, and `connection_state` values
* replication (enterprise): DR secondary clusters can now be recovered by the
`replication/dr/secondary/recover` API
* replication (enterprise): We now allow for an alternate means to create a
Disaster Recovery token, by using a batch token that is created with an ACL
that allows for access to one or more of the DR endpoints.
* secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver
[[GH-8140](https://github.com/hashicorp/vault/pull/8140)]
* secrets/database/mongodb: Add support for x509 client authorization to
MongoDB [[GH-8329](https://github.com/hashicorp/vault/pull/8329)]
* secrets/database/oracle: Add support for static credential rotation
[[GH-26](https://github.com/hashicorp/vault-plugin-database-oracle/pull/26)]
* secrets/consul: Add support to specify TLS options per Consul backend
[[GH-4800](https://github.com/hashicorp/vault/pull/4800)]
* secrets/gcp: Allow specifying the TTL for a service key
[[GH-54](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/54)]
* secrets/gcp: Add support for rotating root keys
[[GH-53](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/53)]
* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests
[[GH-77](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/77)
* secrets/nomad: Add support to specify TLS options per Nomad backend
[[GH-8083](https://github.com/hashicorp/vault/pull/8083)]
* secrets/ssh: Allowed users can now be templated with identity information
[[GH-7548](https://github.com/hashicorp/vault/pull/7548)]
* secrets/transit: Adding RSA3072 key support
[[GH-8151](https://github.com/hashicorp/vault/pull/8151)]
* storage/consul: Vault returns now a more descriptive error message when
only a client cert or a client key has been provided
[[GH-4930]](https://github.com/hashicorp/vault/pull/8084)
* storage/raft: Nodes in the raft cluster can all be given possible leader
addresses for them to continuously try and join one of them, thus
automating the process of join to a greater extent
[[GH-7856](https://github.com/hashicorp/vault/pull/7856)]
* storage/raft: Fix a potential deadlock that could occur on leadership
transition [[GH-8547](https://github.com/hashicorp/vault/pull/8547)]
* storage/raft: Refresh TLS keyring on snapshot restore
[[GH-8546](https://github.com/hashicorp/vault/pull/8546)]
* storage/etcd: Bumped etcd client API SDK
[[GH-7931](https://github.com/hashicorp/vault/pull/7931) &
[GH-4961](https://github.com/hashicorp/vault/pull/4961) &
[GH-4349](https://github.com/hashicorp/vault/pull/4349) &
[GH-7582](https://github.com/hashicorp/vault/pull/7582)]
* ui: Make Transit Key actions more prominent
[[GH-8304](https://github.com/hashicorp/vault/pull/8304)]
* ui: Add Core Usage Metrics
[[GH-8347](https://github.com/hashicorp/vault/pull/8347)]
* ui: Add refresh Namespace list on the Namespace dropdown, and redesign of
Namespace dropdown menu
[[GH-8442](https://github.com/hashicorp/vault/pull/8442)]
* ui: Update transit actions to codeblocks & automatically encode plaintext
unless indicated [[GH-8462](https://github.com/hashicorp/vault/pull/8462)]
* ui: Display the results of transit key actions in a modal window
[[GH-8462](https://github.com/hashicorp/vault/pull/8575)]
* ui: Transit key version styling updates & ability to copy key from dropdown
[[GH-8480](https://github.com/hashicorp/vault/pull/8480)]
BUG FIXES:
* agent: Fix issue where TLS options are ignored for agent template feature
[[GH-7889](https://github.com/hashicorp/vault/pull/7889)]
* auth/jwt: Use lower case role names for `default_role` to match the `role`
case convention
[[GH-100](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/100)]
* auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to
lookup the group membership of the given user
[[GH-6325]](https://github.com/hashicorp/vault/pull/8333)
* cli: Support autocompletion for nested mounts
[[GH-8303](https://github.com/hashicorp/vault/pull/8303)]
* cli: Fix CLI namespace autocompletion
[[GH-8315](https://github.com/hashicorp/vault/pull/8315)]
* identity: Fix incorrect caching of identity token JWKS responses
[[GH-8412](https://github.com/hashicorp/vault/pull/8412)]
* metrics/stackdriver: Fix issue that prevents the stackdriver metrics
library to create unnecessary stackdriver descriptors
[[GH-8073](https://github.com/hashicorp/vault/pull/8073)]
* replication: Fix issue causing cubbyholes in namespaces on performance
secondaries to not work.
* replication (enterprise): Unmounting a dynamic secrets backend could
sometimes lead to replication errors. Change the order of operations to
prevent that.
* seal (enterprise): Fix seal migration when transactional seal wrap backend
is in use.
* secrets/database/influxdb: Fix potential panic if connection to the
InfluxDB database cannot be established
[[GH-8282](https://github.com/hashicorp/vault/pull/8282)]
* secrets/database/mysql: Ensures default static credential rotation
statements are used
[[GH-8240](https://github.com/hashicorp/vault/pull/8240)]
* secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or
{{username}} for different queries. Now it allows for either for backwards
compatibility [[GH-8240](https://github.com/hashicorp/vault/pull/8240)]
* secrets/database/postgres: Fix inconsistent query parameter names: {{name}}
or {{username}} for different queries. Now it allows for either for
backwards compatibility
[[GH-8240](https://github.com/hashicorp/vault/pull/8240)]
* secrets/pki: Support FQDNs in DNS Name
[[GH-8288](https://github.com/hashicorp/vault/pull/8288)]
* storage/raft: Allow seal migration to be performed on Vault clusters using
raft storage [[GH-8103](https://github.com/hashicorp/vault/pull/8103)]
* telemetry: Prometheus requests on standby nodes will now return an error
instead of forwarding the request to the active node
[[GH-8280](https://github.com/hashicorp/vault/pull/8280)]
* ui: Fix broken popup menu on the transit secrets list page
[[GH-8348](https://github.com/hashicorp/vault/pull/8348)]
* ui: Update headless Chrome flag to fix `yarn run test:oss`
[[GH-8035](https://github.com/hashicorp/vault/pull/8035)]
* ui: Update CLI to accept empty strings as param value to reset
previously-set values
* ui: Fix bug where error states don't clear when moving between action tabs
on Transit [[GH-8354](https://github.com/hashicorp/vault/pull/8354)]
## 1.3.6 (May 21st, 2020)
SECURITY:
* core: proxy environment variables are now redacted before being logged, in
case the URLs include a username:password. This vulnerability,
CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.1, as
well as older versions of Vault
[[GH-9022](https://github.com/hashicorp/vault/pull/9022)
BUG FIXES:
* auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5
[[GH-8991](https://github.com/hashicorp/vault/pull/8991)]
* replication: Fix mount filter bug that allowed replication filters to hide
local mounts on a performance secondary
## 1.3.5 (April 28th, 2020)
CHANGES:
* auth/aws: The default set of metadata fields added in 1.3.2 has been
changed to `account_id` and `auth_type`
[[GH-8783](https://github.com/hashicorp/vault/pull/8783)]
IMPROVEMENTS:
* auth/aws: The set of metadata stored during login is now configurable
[[GH-8783](https://github.com/hashicorp/vault/pull/8783)]
## 1.3.4 (March 19th, 2020)
SECURITY:
* A vulnerability was identified in Vault and Vault Enterprise such that,
under certain circumstances, an Entity's Group membership may
inadvertently include Groups the Entity no longer has permissions to. This
vulnerability, CVE-2020-10660, affects Vault and Vault Enterprise versions
0.9.0 and newer, and is fixed in 1.3.4.
[[GH-8606](https://github.com/hashicorp/vault/pull/8606)]
* A vulnerability was identified in Vault Enterprise such that, under certain
circumstances, existing nested-path policies may give access to Namespaces
created after-the-fact. This vulnerability, CVE-2020-10661, affects Vault
Enterprise versions 0.11 and newer, and is fixed in 1.3.4.
## 1.3.3 (March 5th, 2020)
BUG FIXES:
* approle: Fix excessive locking during tidy, which could potentially block
new approle logins for long enough to cause an outage
[[GH-8418](https://github.com/hashicorp/vault/pull/8418)]
* cli: Fix issue where Raft snapshots from standby nodes created an empty
backup file [[GH-8097](https://github.com/hashicorp/vault/pull/8097)]
* identity: Fix incorrect caching of identity token JWKS responses
[[GH-8412](https://github.com/hashicorp/vault/pull/8412)]
* kmip: role read now returns tls_client_ttl
* kmip: fix panic when templateattr not provided in rekey request
* secrets/database/influxdb: Fix potential panic if connection to the
InfluxDB database cannot be established
[[GH-8282](https://github.com/hashicorp/vault/pull/8282)]
* storage/mysql: Fix potential crash when using MySQL as coordination for
high availability [[GH-8300](https://github.com/hashicorp/vault/pull/8300)]
* storage/raft: Fix potential crash when using Raft as coordination for high
availability [[GH-8356](https://github.com/hashicorp/vault/pull/8356)]
* ui: Fix missing License menu item
[[GH-8230](https://github.com/hashicorp/vault/pull/8230)]
* ui: Fix bug where default auth method on login is defaulted to auth method
that is listing-visibility=unauth instead of "other"
[[GH-8218](https://github.com/hashicorp/vault/pull/8218)]
* ui: Fix bug where KMIP details were not shown in the UI Wizard
[[GH-8255](https://github.com/hashicorp/vault/pull/8255)]
* ui: Show Error messages on Auth Configuration page when you hit permission
errors [[GH-8500](https://github.com/hashicorp/vault/pull/8500)]
* ui: Remove duplicate form inputs for the GitHub config
[[GH-8519](https://github.com/hashicorp/vault/pull/8519)]
* ui: Correct HMAC capitalization
[[GH-8528](https://github.com/hashicorp/vault/pull/8528)]
* ui: Fix danger message in DR
[[GH-8555](https://github.com/hashicorp/vault/pull/8555)]
* ui: Fix certificate field for LDAP config
[[GH-8573](https://github.com/hashicorp/vault/pull/8573)]
## 1.3.2 (January 22nd, 2020)
SECURITY:
* When deleting a namespace on Vault Enterprise, in certain circumstances,
the deletion process will fail to revoke dynamic secrets for a mount in
that namespace. This will leave any dynamic secrets in remote systems
alive and will fail to clean them up. This vulnerability, CVE-2020-7220,
affects Vault Enterprise 0.11.0 and newer.
IMPROVEMENTS:
* auth/aws: Add aws metadata to identity alias
[[GH-7985](https://github.com/hashicorp/vault/pull/7985)]
* auth/kubernetes: Allow both names and namespaces to be set to "*"
[[GH-78](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/78)]
BUG FIXES:
* auth/azure: Fix Azure compute client to use correct base URL
[[GH-8072](https://github.com/hashicorp/vault/pull/8072)]
* auth/ldap: Fix renewal of tokens without configured policies that are
generated by an LDAP login
[[GH-8072](https://github.com/hashicorp/vault/pull/8072)]
* auth/okta: Fix renewal of tokens without configured policies that are
generated by an Okta login
[[GH-8072](https://github.com/hashicorp/vault/pull/8072)]
* core: Fix seal migration error when attempting to migrate from auto unseal
to shamir [[GH-8172](https://github.com/hashicorp/vault/pull/8172)]
* core: Fix seal migration config issue when migrating from auto unseal to
auto unseal [[GH-8172](https://github.com/hashicorp/vault/pull/8172)]
* plugin: Fix issue where a plugin unwrap request potentially used an expired
token [[GH-8058](https://github.com/hashicorp/vault/pull/8058)]
* replication: Fix issue where a forwarded request from a performance/standby
node could run into a timeout
* secrets/database: Fix issue where a manual static role rotation could
potentially panic [[GH-8098](https://github.com/hashicorp/vault/pull/8098)]
* secrets/database: Fix issue where a manual root credential rotation request
is not forwarded to the primary node
[[GH-8125](https://github.com/hashicorp/vault/pull/8125)]
* secrets/database: Fix issue where a manual static role rotation request is
not forwarded to the primary node
[[GH-8126](https://github.com/hashicorp/vault/pull/8126)]
* secrets/database/mysql: Fix issue where special characters for a MySQL
password were encoded
[[GH-8040](https://github.com/hashicorp/vault/pull/8040)]
* ui: Fix deleting namespaces
[[GH-8132](https://github.com/hashicorp/vault/pull/8132)]
* ui: Fix Error handler on kv-secret edit and kv-secret view pages
[[GH-8133](https://github.com/hashicorp/vault/pull/8133)]
* ui: Fix OIDC callback to check storage
[[GH-7929](https://github.com/hashicorp/vault/pull/7929)].
* ui: Change `.box-radio` height to min-height to prevent overflow issues
[[GH-8065](https://github.com/hashicorp/vault/pull/8065)]
## 1.3.1 (December 18th, 2019)
IMPROVEMENTS:
* agent: Add ability to set `exit-after-auth` via the CLI
[[GH-7920](https://github.com/hashicorp/vault/pull/7920)]
* auth/ldap: Add a `request_timeout` configuration option to prevent
connection requests from hanging
[[GH-7909](https://github.com/hashicorp/vault/pull/7909)]
* auth/kubernetes: Add audience to tokenreview API request for Kube
deployments where issuer is not Kube.
[[GH-74](https://github.com/hashicorp/vault/pull/74)]
* secrets/ad: Add a `request_timeout` configuration option to prevent
connection requests from hanging
[[GH-59](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/59)]
* storage/postgresql: Add support for setting `connection_url` from
enviornment variable `VAULT_PG_CONNECTION_URL`
[[GH-7937](https://github.com/hashicorp/vault/pull/7937)]
* telemetry: Add `enable_hostname_label` option to telemetry stanza
[[GH-7902](https://github.com/hashicorp/vault/pull/7902)]
* telemetry: Add accept header check for prometheus mime type
[[GH-7958](https://github.com/hashicorp/vault/pull/7958)]
BUG FIXES:
* agent: Fix issue where Agent exits before all templates are rendered when
using and `exit_after_auth`
[[GH-7899](https://github.com/hashicorp/vault/pull/7899)]
* auth/aws: Fixes region-related issues when using a custom `sts_endpoint` by
adding a `sts_region` parameter
[[GH-7922](https://github.com/hashicorp/vault/pull/7922)]
* auth/token: Fix panic when getting batch tokens on a performance standby
from a role that does not exist
[[GH-8027](https://github.com/hashicorp/vault/pull/8027)]
* core: Improve warning message for lease TTLs
[[GH-7901](https://github.com/hashicorp/vault/pull/7901)]
* identity: Fix identity token panic during invalidation
[[GH-8043](https://github.com/hashicorp/vault/pull/8043)]
* plugin: Fix a panic that could occur if a mount/auth entry was unable to
mount the plugin backend and a request that required the system view to be
retrieved was made
[[GH-7991](https://github.com/hashicorp/vault/pull/7991)]
* replication: Add `generate-public-key` endpoint to list of allowed
endpoints for existing DR secondaries
* secrets/gcp: Fix panic if bindings aren't provided in roleset
create/update.
[[GH-56](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/56)]
* secrets/pki: Prevent generating certificate on performance standby when
storing
[[GH-7904](https://github.com/hashicorp/vault/pull/7904)]
* secrets/transit: Prevent restoring keys to new names that are sub paths
[[GH-7998](https://github.com/hashicorp/vault/pull/7998)]
* storage/s3: Fix a bug in configurable S3 paths that was preventing use of
S3 as a source during `operator migrate` operations
[[GH-7966](https://github.com/hashicorp/vault/pull/7966)]
* ui: Ensure secrets with a period in their key can be viewed and copied
[[GH-7926](https://github.com/hashicorp/vault/pull/7926)]
* ui: Fix status menu after demotion
[[GH-7997](https://github.com/hashicorp/vault/pull/7997)]
* ui: Fix select dropdowns in Safari when running Mojave
[[GH-8023](https://github.com/hashicorp/vault/pull/8023)]
## 1.3 (November 14th, 2019)
CHANGES:
* Secondary cluster activation: There has been a change to the way that
activating performance and DR secondary clusters works when using public
keys for encryption of the parameters rather than a wrapping token. This
flow was experimental and never documented. It is now officially supported
and documented but is not backwards compatible with older Vault releases.
* Cluster cipher suites: On its cluster port, Vault will no longer advertise
the full TLS 1.2 cipher suite list by default. Although this port is only
used for Vault-to-Vault communication and would always pick a strong
cipher, it could cause false flags on port scanners and other security
utilities that assumed insecure ciphers were being used. The previous
behavior can be achieved by setting the value of the (undocumented)
`cluster_cipher_suites` config flag to `tls12`.
* API/Agent Renewal behavior: The API now allows multiple options for how it
deals with renewals. The legacy behavior in the Agent/API is for the renewer
(now called the lifetime watcher) to exit on a renew error, leading to a
reauthentication. The new default behavior is for the lifetime watcher to
ignore 5XX errors and simply retry as scheduled, using the existing lease
duration. It is also possible, within custom code, to disable renewals
entirely, which allows the lifetime watcher to simply return when it
believes it is time for your code to renew or reauthenticate.
FEATURES:
* **Vault Debug**: A new top-level subcommand, `debug`, is added that allows
operators to retrieve debugging information related to a particular Vault
node. Operators can use this simple workflow to capture triaging
information, which can then be consumed programmatically or by support and
engineering teams. It has the abilitity to probe for config, host,
metrics, pprof, server status, and replication status.
* **Recovery Mode**: Vault server can be brought up in recovery mode to
resolve outages caused due to data store being in bad state. This is a
privileged mode that allows `sys/raw` API calls to perform surgical
corrections to the data tore. Bad storage state can be caused by
bugs. However, this is usually observed when known (and fixed) bugs are
hit by older versions of Vault.
* **Entropy Augmentation (Enterprise)**: Vault now supports sourcing entropy
from external source for critical security parameters. Currently an HSM
that supports PKCS#11 is the only supported source.
* **Active Directory Secret Check-In/Check-Out**: In the Active Directory
secrets engine, users or applications can check out a service account for
use, and its password will be rotated when it's checked back in.
* **Vault Agent Template**: Vault Agent now supports rendering templates
containing Vault secrets to disk, similar to Consul Template
[[GH-7652](https://github.com/hashicorp/vault/pull/7652)]
* **Transit Key Type Support**: Signing and verification is now supported
with the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves
[[GH-7551](https://github.com/hashicorp/vault/pull/7551)] and encryption
and decryption is now supported via AES128-GCM96
[[GH-7555](https://github.com/hashicorp/vault/pull/7555)]
* **SSRF Protection for Vault Agent**: Vault Agent has a configuration
option to require a specific header before allowing requests
[[GH-7627](https://github.com/hashicorp/vault/pull/7627)]
* **AWS Auth Method Root Rotation**: The credential used by the AWS auth
method can now be rotated, to ensure that only Vault knows the credentials
it is using [[GH-7131](https://github.com/hashicorp/vault/pull/7131)]
* **New UI Features**: The UI now supports managing users and groups for the
Userpass, Cert, Okta, and Radius auth methods.
* **Shamir with Stored Master Key**: The on disk format for Shamir seals has
changed, allowing for a secondary cluster using Shamir downstream from a
primary cluster using Auto
Unseal. [[GH-7694](https://github.com/hashicorp/vault/pull/7694)]
* **Stackdriver Metrics Sink**: Vault can now send metrics to
[Stackdriver](https://cloud.google.com/stackdriver/). See the
[configuration
documentation](https://www.vaultproject.io/docs/config/index.html) for
details. [[GH-6957](https://github.com/hashicorp/vault/pull/6957)]
* **Filtered Paths Replication (Enterprise)**: Based on the predecessor
Filtered Mount Replication, Filtered Paths Replication allows now
filtering of namespaces in addition to mounts.
* **Token Renewal via Accessor**: Tokens can now be renewed via the accessor
value through the new `auth/token/renew-accessor` endpoint if the caller's
token has permission to access that endpoint.
* **Improved Integrated Storage (Beta)**: Improved raft write performance,
added support for non-voter nodes, along with UI support for: using raft
storage, joining a raft cluster, and downloading and restoring a
snapshot.
IMPROVEMENTS:
* agent: Add ability to set the TLS SNI name used by Agent
[[GH-7519](https://github.com/hashicorp/vault/pull/7519)]
* agent & api: Change default renewer behavior to ignore 5XX errors
[[GH-7733](https://github.com/hashicorp/vault/pull/7733)]
* auth/jwt: The redirect callback host may now be specified for CLI logins
[[GH-71](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/71)]
* auth/jwt: Bound claims may now contain boolean values
[[GH-73](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/73)]
* auth/jwt: CLI logins can now open the browser when running in WSL
[[GH-77](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/77)]
* core: Exit ScanView if context has been cancelled
[[GH-7419](https://github.com/hashicorp/vault/pull/7419)]
* core: re-encrypt barrier and recovery keys if the unseal key is updated
[[GH-7493](https://github.com/hashicorp/vault/pull/7493)]
* core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster
port, even though only strong ciphers were used
[[GH-7487](https://github.com/hashicorp/vault/pull/7487)]
* core (enterprise): Add background seal re-wrap
* core/metrics: Add config parameter to allow unauthenticated sys/metrics
access. [[GH-7550](https://github.com/hashicorp/vault/pull/7550)]
* metrics: Upgrade DataDog library to improve performance
[[GH-7794](https://github.com/hashicorp/vault/pull/7794)]
* replication (enterprise): Write-Ahead-Log entries will not duplicate the
data belonging to the encompassing physical entries of the transaction,
thereby improving the performance and storage capacity.
* replication (enterprise): Added more replication metrics
* replication (enterprise): Reindex process now compares subpages for a more
accurate indexing process.
* replication (enterprise): Reindex API now accepts a new `skip_flush`
parameter indicating all the changes should not be flushed while the tree
is locked.
* secrets/aws: The root config can now be read
[[GH-7245](https://github.com/hashicorp/vault/pull/7245)]
* secrets/database/cassandra: Add ability to skip verfication of connection
[[GH-7614](https://github.com/hashicorp/vault/pull/7614)]
* secrets/gcp: Fix panic during rollback if the roleset has been deleted
[[GH-52](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/52)]
* storage/azure: Add config parameter to Azure storage backend to allow
specifying the ARM endpoint
[[GH-7567](https://github.com/hashicorp/vault/pull/7567)]
* storage/cassandra: Improve storage efficiency by eliminating unnecessary
copies of value data
[[GH-7199](https://github.com/hashicorp/vault/pull/7199)]
* storage/raft: Improve raft write performance by utilizing FSM Batching
[[GH-7527](https://github.com/hashicorp/vault/pull/7527)]
* storage/raft: Add support for non-voter nodes
[[GH-7634](https://github.com/hashicorp/vault/pull/7634)]
* sys: Add a new `sys/host-info` endpoint for querying information about
the host [[GH-7330](https://github.com/hashicorp/vault/pull/7330)]
* sys: Add a new set of endpoints under `sys/pprof/` that allows profiling
information to be extracted
[[GH-7473](https://github.com/hashicorp/vault/pull/7473)]
* sys: Add endpoint that counts the total number of active identity entities
[[GH-7541](https://github.com/hashicorp/vault/pull/7541)]
* sys: `sys/seal-status` now has a `storage_type` field denoting what type
of storage the cluster is configured to use
* sys: Add a new `sys/internal/counters/tokens` endpoint, that counts the
total number of active service token accessors in the shared token
storage.
[[GH-7541](https://github.com/hashicorp/vault/pull/7541)]
* sys/config: Add a new endpoint under `sys/config/state/sanitized` that
returns the configuration state of the server. It excludes config values
from `storage`, `ha_storage`, and `seal` stanzas and some values
from `telemetry` due to potential sensitive entries in those fields.
* ui: when using raft storage, you can now join a raft cluster, download a
snapshot, and restore a snapshot from the UI
[[GH-7410](https://github.com/hashicorp/vault/pull/7410)]
* ui: clarify when secret version is deleted in the secret version history
dropdown [[GH-7714](https://github.com/hashicorp/vault/pull/7714)]
BUG FIXES:
* agent: Fix a data race on the token value for inmemsink
[[GH-7707](https://github.com/hashicorp/vault/pull/7707)]
* api: Fix Go API using lease revocation via URL instead of body
[[GH-7777](https://github.com/hashicorp/vault/pull/7777)]
* api: Allow setting a function to control retry behavior
[[GH-7331](https://github.com/hashicorp/vault/pull/7331)]
* auth/gcp: Fix a bug where region information in instance groups names could
cause an authorization attempt to fail
[[GH-74](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/74)]
* cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token)
could cause confusing error messages during `vault login`
[[GH-7508](https://github.com/hashicorp/vault/pull/7508)]
* cli: Fix a bug where the `namespace list` command with JSON formatting
always returned an empty object
[[GH-7705](https://github.com/hashicorp/vault/pull/7705)]
* cli: Command timeouts are now always specified solely by the
`VAULT_CLIENT_TIMEOUT`
value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)]
* core: Don't allow registering a non-root zero TTL token lease. This is
purely defense in depth as the lease would be revoked immediately anyways,
but there's no real reason to allow registration.
[[GH-7524](https://github.com/hashicorp/vault/pull/7524)]
* identity (enterprise): Fixed identity case sensitive loading in secondary
cluster [[GH-7327](https://github.com/hashicorp/vault/pull/7327)]
* identity: Ensure only replication primary stores the identity case
sensitivity state
[[GH-7820](https://github.com/hashicorp/vault/pull/7820)]
* raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup
[[GH-7619](https://github.com/hashicorp/vault/pull/7619)]
* secrets/pki: Don't allow duplicate SAN names in issued certs
[[GH-7605](https://github.com/hashicorp/vault/pull/7605)]
* sys/health: Pay attention to the values provided for `standbyok` and
`perfstandbyok` rather than simply using their presence as a key to flip on
that behavior [[GH-7323](https://github.com/hashicorp/vault/pull/7323)]
* ui: using the `wrapped_token` query param will work with `redirect_to` and
will automatically log in as intended
[[GH-7398](https://github.com/hashicorp/vault/pull/7398)]
* ui: fix an error when initializing from the UI using PGP keys
[[GH-7542](https://github.com/hashicorp/vault/pull/7542)]
* ui: show all active kv v2 secret versions even when `delete_version_after`
is configured [[GH-7685](https://github.com/hashicorp/vault/pull/7685)]
* ui: Ensure that items in the top navigation link to pages that users have
access to [[GH-7590](https://github.com/hashicorp/vault/pull/7590)]
## 1.2.4 (November 7th, 2019)
SECURITY:
* In a non-root namespace, revocation of a token scoped to a non-root
namespace did not trigger the expected revocation of dynamic secret leases
associated with that token. As a result, dynamic secret leases in non-root
namespaces may outlive the token that created them. This vulnerability,
CVE-2019-18616, affects Vault Enterprise 0.11.0 and newer.
* Disaster Recovery secondary clusters did not delete already-replicated data
after a mount filter has been created on an upstream Performance secondary
cluster. As a result, encrypted secrets may remain replicated on a Disaster
Recovery secondary cluster after application of a mount filter excluding
those secrets from replication. This vulnerability, CVE-2019-18617, affects
Vault Enterprise 0.8 and newer.
* Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which
corresponds to CVE-2019-17596.
CHANGES:
* auth/aws: If a custom `sts_endpoint` is configured, Vault Agent and the
CLI should provide the corresponding region via the `region` parameter
(which already existed as a CLI parameter, and has now been added to
Agent). The automatic region detection added to the CLI and Agent in 1.2
has been removed.
IMPROVEMENTS:
* cli: Ignore existing token during CLI login
[[GH-7508](https://github.com/hashicorp/vault/pull/7508)]
* core: Log proxy settings from environment on startup
[[GH-7528](https://github.com/hashicorp/vault/pull/7528)]
* core: Cache whether we've been initialized to reduce load on storage
[[GH-7549](https://github.com/hashicorp/vault/pull/7549)]
BUG FIXES:
* agent: Fix handling of gzipped responses
[[GH-7470](https://github.com/hashicorp/vault/pull/7470)]
* cli: Fix panic when pgp keys list is empty
[[GH-7546](https://github.com/hashicorp/vault/pull/7546)]
* cli: Command timeouts are now always specified solely by the
`VAULT_CLIENT_TIMEOUT`
value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)]
* core: add hook for initializing seals for migration
[[GH-7666](https://github.com/hashicorp/vault/pull/7666)]
* core (enterprise): Migrating from one auto unseal method to another never
worked on enterprise, now it does.
* identity: Add required field `response_types_supported` to identity token
`.well-known/openid-configuration` response
[[GH-7533](https://github.com/hashicorp/vault/pull/7533)]
* identity: Fixed nil pointer panic when merging entities
[[GH-7712](https://github.com/hashicorp/vault/pull/7712)]
* replication (Enterprise): Fix issue causing performance standbys nodes
disconnecting when under high loads.
* secrets/azure: Fix panic that could occur if client retries timeout
[[GH-7793](https://github.com/hashicorp/vault/pull/7793)]
* secrets/database: Fix bug in combined DB secrets engine that can result in
writes to static-roles endpoints timing out
[[GH-7518](https://github.com/hashicorp/vault/pull/7518)]
* secrets/pki: Improve tidy to continue when value is nil
[[GH-7589](https://github.com/hashicorp/vault/pull/7589)]
* ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to
be viewed in the UI
[[GH-7504](https://github.com/hashicorp/vault/pull/7504)]
0.23.21 (stable)
* proxy: Do not assign duplicate slot IDs [PR#282]
* common: Get program name based on executable path if possible [PR#307]
* anchor: Exit with non-zero code, if any error occurs [PR#304]
* Build and test fixes [PR#283, PR#290, PR#291, PR#292, PR#296, PR#299, PR#305, PR#306, PR#309, PR#311]
0.23.20 (stable)
* Revert "Fix RPC when length-s are 0" changes [PR#276]
0.23.19 (stable)
* common: add Russian PKCS#11 extensions to pkcs11x.h header [PR#255]
* Add simple bash completion for provided commands [PR#258]
* Unbreak list matching in enable-in and disable-in [PR#262]
* Fix RPC when length-s are 0 [PR#259]
* rpc: Add vsock transport support [PR#270]
* trust: Support CKA_NSS_{SERVER,EMAIL}_DISTRUST_AFTER [PR#265]
* Build fixes [PR#271, PR#272, PR#273, ...]
0.23.18 (stable)
* rpc: Allow empty CK_DATE value [PR#253]
* build: Meson fixes [PR#245]
* build: Adjust feature parity between meson and autotools [PR#247]
0.23.17 (stable)
* common: Fix uClibc-ng compilation [PR#237]
* trust: do not allow daylight to invalidate date validation [PR#236]
* build: Port to meson build system [PR#231, PR#234]
* rpc: On UNIX wait on condition variable instead of FD if header is for a different thread [PR#232]
* doc: Add 'server' command in help [PR#229]
* Build and test fixes [PR#230]
0.23.16 (stable)
* proxy: Support C_WaitForSlotEvent() if CKF_DONT_BLOCK is specified [PR#225]
* conf: Ignore user configuration if the program is running as root [PR#226]
* proxy: Refresh slot list on every C_GetSlotList call [PR#224]
* modules: Fix index used in call to p11_dict_remove() [PR#219]
* Fix Win32 p11_dl_error crash [PR#218]
* modules: check gl.modules before iterates on it when freeing [PR#217]
* trust: Ignore unreadable content in anchors [PR#215]
* extract-jks: Prefer _p11_extract_jks_timestamp to SOURCE_DATE_EPOCH [PR#213]
Noteworthy changes in version 1.39
----------------------------------
* On Windows gpgrt_fopen, gpgrt_chdir, and gpgrt_mkdir now handle
UTF-8 names.
* Make timeout of gpgrt_poll work correctly on Windows if no file
descriptors are active.
* New function gpgrt_fcancel as alternative to gpgrt_close. This
function avoid flushing out buffered data and also tries to delete
a newly created file.
* Changes to ease cross-building.
* "gpg-error --lib-version" works again.
* Interface changes relative to the 1.38 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gpgrt_fcancel NEW.
2.7.2:
[Bug] Fix incorrectly swapped order of p and q numbers when loading OpenSSH-format RSA private keys. At minimum this should address a slowdown when using such keys, and it also means Paramiko works with Cryptography 3.1 and above (which complains strenuously when this problem appears). Thanks to Alex Gaynor for the patch.
[Bug]: Fix incorrect string formatting causing unhelpful error message annotation when using Kerberos/GSSAPI. (Thanks, newer version of flake8!)
[Support] Remove leading whitespace from OpenSSH RSA test suite static key fixture, to conform better to spec. Credit: Alex Gaynor.
[Support] Add missing test suite fixtures directory to MANIFEST.in, reinstating the ability to run Paramiko’s tests from an sdist tarball. Thanks to Sandro Tosi for reporting the issue and to Blazej Michalik for the PR.
[Support]: Update our CI to catch issues with sdist generation, installation and testing.
Changes:
3.6.15
------
** libgnutls: Fixed "no_renegotiation" alert handling at incorrect timing.
The server sending a "no_renegotiation" alert in an unexpected timing,
followed by an invalid second handshake was able to cause a TLS 1.3 client to
crash via a null-pointer dereference. The crash happens in the application's
error handling path, where the gnutls_deinit function is called after
detecting a handshake failure (#1071). [GNUTLS-SA-2020-09-04, CVSS: medium]
** libgnutls: If FIPS self-tests are failed, gnutls_fips140_mode_enabled() now
indicates that with a false return value (!1306).
** libgnutls: Under FIPS mode, the generated ECDH/DH public keys are checked
accordingly to SP800-56A rev 3 (!1295, !1299).
** libgnutls: gnutls_x509_crt_export2() now returns 0 upon success, rather than
the size of the internal base64 blob (#1025). The new behavior aligns to the
existing documentation.
** libgnutls: Certificate verification failue due to OCSP must-stapling is not
honered is now correctly marked with the GNUTLS_CERT_INVALID flag
(!1317). The new behavior aligns to the existing documentation.
** libgnutls: The audit log message for weak hashes is no longer printed twice
(!1301).
** libgnutls: Fixed version negotiation when TLS 1.3 is enabled and TLS 1.2 is
disabled in the priority string. Previously, even when TLS 1.2 is explicitly
disabled with "-VERS-TLS1.2", the server still offered TLS 1.2 if TLS 1.3 is
enabled (#1054).
** API and ABI modifications:
No changes since last version.
0.79 Apr 29, 2020
- Don't clobber $? in disconnect (bug report by Slaven Rezic,
#rt129350).
- Silence spurious warnings being generated in _set_error (bug
report by Jaroslav Reindl, #rt132449).
- Error handling in _master_check method was broken.
- Fix documentation error (patch by Martin Barth)
**** 1.17 Jun 26, 2020
Recognise BIND private key accessed via symbolic link.
**** 1.16 May 11, 2020
Improve testing of verify() functions.
Rework code in Digest.pm
SEC.xs code reduction.
**** 1.15 February 3, 2020
Provide access to OpenSSL message digest implementations.
**** 1.14 October 14, 2019
Improve exception capture in test scripts.
Support more efficient algorithm mapping in Net::DNS.
**** 1.13 May 6, 2019
Tweaks to resolve compilation errors with BoringSSL.
0.27 2020-02-09 Mike McCauley
- Patch from Jacob Farkas via RT to allow building under on Alpine Linux
under Docker on armv7l, and possibly others
0.28 2020-03-14 Mike McCauley
- Patch from Heikki Vatiainen:
- File descriptor leak introduced in release 0.25 where check for open
connection was added to TacacsPlus::close() before calling tacpluslib's
deinit_tac_session()
- File descriptor leak in tacpluslib's init_tac_session where close()
was not called for the newly created socket if, for example, destination
host was unreachable
- Port and Timeout TacacsPlus::new() parameters were documented
incorrectly. The are not passed within array references.
gpgsplit has been installed by gnupg(1) since 2002. gpgsplit has also
been in tools/ within gnupg-2, but upstream recently moved it from
noinst_PROGRAMS to bin_PROGRAMS without noting this in NEWS.
Because gnugp2 is normal and gnupg remains for special cases, simply
drop gpgsplit from gnupg; we have no intent to save people from
installing gnupg2 -- only to continue to allow them to use the old gpg
binary for special uses.
Fixes a criticial vulnerability: https://dev.gnupg.org/T5050
Noteworthy changes in version 2.2.22
====================================
* gpg: Change the default key algorithm to rsa3072.
* gpg: Add regular expression support for Trust Signatures on all
platforms. [#4843]
* gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat
option. [#4991]
* gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021]
* gpgsm: Make rsaPSS a de-vs compliant scheme.
* gpgsm: Show also the SHA256 fingerprint in key listings.
* gpgsm: Do not require a default keyring for --gpgconf-list. [#4867]
* gpg-agent: Default to extended key format and record the creation
time of keys. Add new option --disable-extended-key-format.
* gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016]
* gpg-agent: Allow using --gpgconf-list even if HOME does not
exist. [#4866]
* gpg-agent: Make the Pinentry work even if the envvar TERM is set
to the empty string. [#4137]
* scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly
incremented the error counter when using the "verify" command of
"gpg --edit-key" with only the signature key being present.
* dirmngr: Better handle systems with disabled IPv6. [#4977]
* gpgpslit: Install tool. It was not installed in the past to avoid
conflicts with the version installed by GnuPG 1.4. [#5023]
* gpgtar: Handle Unicode file names on Windows correctly (requires
libgpg-error 1.39). [#4083]
* gpgtar: Make --files-from and --null work as documented. [#5027]
* Build the Windows installer with the new Ntbtls 0.2.0 so that TLS
connections succeed for servers demanding GCM.
Release-info: https://dev.gnupg.org/T5030
Noteworthy changes in version 2.2.23
====================================
* gpg: Fix AEAD preference list overflow. [#5050]
* gpg: Fix a possible segv in the key cleaning code.
* gpgsm: Fix a minor RFC2253 parser bug. [#5037]
* scdaemon: Fix a PIN verify failure on certain OpenPGP card
implementations. Regression in 2.2.22. [#5039]
* po: Fix bug in the Hungarian translation. Updates for the Czech,
Polish, and Ukrainian translations.
Release-info: https://dev.gnupg.org/T5045
= mbed TLS 2.24.0 branch released 2020-09-01
API changes
* In the PSA API, rename the types of elliptic curve and Diffie-Hellman
group families to psa_ecc_family_t and psa_dh_family_t, in line with the
PSA Crypto API specification version 1.0.0.
Rename associated macros as well:
PSA_ECC_CURVE_xxx renamed to PSA_ECC_FAMILY_xxx
PSA_DH_GROUP_xxx renamed to PSA_DH_FAMILY_xxx
PSA_KEY_TYPE_GET_CURVE renamed to to PSA_KEY_TYPE_ECC_GET_FAMILY
PSA_KEY_TYPE_GET_GROUP renamed to PSA_KEY_TYPE_DH_GET_FAMILY
Default behavior changes
* Stop storing persistent information about externally stored keys created
through PSA Crypto with a volatile lifetime. Reported in #3288 and
contributed by Steven Cooreman in #3382.
Features
* The new function mbedtls_ecp_write_key() exports private ECC keys back to
a byte buffer. It is the inverse of the existing mbedtls_ecp_read_key().
* Support building on e2k (Elbrus) architecture: correctly enable
-Wformat-signedness, and fix the code that causes signed-one-bit-field
and sign-compare warnings. Contributed by makise-homura (Igor Molchanov)
<akemi_homura@kurisa.ch>.
Security
* Fix a vulnerability in the verification of X.509 certificates when
matching the expected common name (the cn argument of
mbedtls_x509_crt_verify()) with the actual certificate name: when the
subjecAltName extension is present, the expected name was compared to any
name in that extension regardless of its type. This means that an
attacker could for example impersonate a 4-bytes or 16-byte domain by
getting a certificate for the corresponding IPv4 or IPv6 (this would
require the attacker to control that IP address, though). Similar attacks
using other subjectAltName name types might be possible. Found and
reported by kFYatek in #3498.
* When checking X.509 CRLs, a certificate was only considered as revoked if
its revocationDate was in the past according to the local clock if
available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE,
certificates were never considered as revoked. On builds with
MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for
example, an untrusted OS attacking a secure enclave) could prevent
revocation of certificates via CRLs. Fixed by no longer checking the
revocationDate field, in accordance with RFC 5280. Reported by
yuemonangong in #3340. Reported independently and fixed by
Raoul Strackx and Jethro Beekman in #3433.
* In (D)TLS record decryption, when using a CBC ciphersuites without the
Encrypt-then-Mac extension, use constant code flow memory access patterns
to extract and check the MAC. This is an improvement to the existing
countermeasure against Lucky 13 attacks. The previous countermeasure was
effective against network-based attackers, but less so against local
attackers. The new countermeasure defends against local attackers, even
if they have access to fine-grained measurements. In particular, this
fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz,
Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler
(University of Florida) and Dave Tian (Purdue University).
* Fix side channel in RSA private key operations and static (finite-field)
Diffie-Hellman. An adversary with precise enough timing and memory access
information (typically an untrusted operating system attacking a secure
enclave) could bypass an existing counter-measure (base blinding) and
potentially fully recover the private key.
* Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der().
Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine
for pinpointing the problematic code.
* Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused
application data from memory. Reported in #689 by
Johan Uppman Bruce of Sectra.
Bugfix
* Library files installed after a CMake build no longer have execute
permission.
* Use local labels in mbedtls_padlock_has_support() to fix an invalid symbol
redefinition if the function is inlined.
Reported in #3451 and fix contributed in #3452 by okhowang.
* Fix the endianness of Curve25519 keys imported/exported through the PSA
APIs. psa_import_key and psa_export_key will now correctly expect/output
Montgomery keys in little-endian as defined by RFC7748. Contributed by
Steven Cooreman in #3425.
* Fix build errors when the only enabled elliptic curves are Montgomery
curves. Raised by signpainter in #941 and by Taiki-San in #1412. This
also fixes missing declarations reported by Steven Cooreman in #1147.
* Fix self-test failure when the only enabled short Weierstrass elliptic
curve is secp192k1. Fixes#2017.
* PSA key import will now correctly import a Curve25519/Curve448 public key
instead of erroring out. Contributed by Steven Cooreman in #3492.
* Use arc4random_buf on NetBSD instead of rand implementation with cyclical
lower bits. Fix contributed in #3540.
* Fix a memory leak in mbedtls_md_setup() when using HMAC under low memory
conditions. Reported and fix suggested by Guido Vranken in #3486.
* Fix bug in redirection of unit test outputs on platforms where stdout is
defined as a macro. First reported in #2311 and fix contributed in #3528.
Changes
* Only pass -Wformat-signedness to versions of GCC that support it. Reported
in #3478 and fix contributed in #3479 by okhowang.
* Reduce the stack consumption of mbedtls_x509write_csr_der() which
previously could lead to stack overflow on constrained devices.
Contributed by Doru Gucea and Simon Leet in #3464.
* Undefine the ASSERT macro before defining it locally, in case it is defined
in a platform header. Contributed by Abdelatif Guettouche in #3557.
* Update copyright notices to use Linux Foundation guidance. As a result,
the copyright of contributors other than Arm is now acknowledged, and the
years of publishing are no longer tracked in the source files. This also
eliminates the need for the lines declaring the files to be part of
MbedTLS. Fixes#3457.
* Add the command line parameter key_pwd to the ssl_client2 and ssl_server2
example applications which allows to provide a password for the key file
specified through the existing key_file argument. This allows the use of
these applications with password-protected key files. Analogously but for
ssl_server2 only, add the command line parameter key_pwd2 which allows to
set a password for the key file provided through the existing key_file2
argument.
No changelog provided by upstream, main changes since 1.4.7 based on commit
messages: add support for generic phpass (Wordpress, Drupal, PHPBB3), bug fixes.
* pkgsrc change: switch dependency from net/bind914 to net/bind916.
zkt 1.1.4 -- 9. May 2016
* misc Hint to mailinglist removed from README file
* bug pathname wasn't initialized in any case (dist_and_reload() in nscomm.c
Thanks Jeremy C. Reed
* bug move $(LIBS) at the end of the ggc link line in Makefile.in
* misc Exitcode of external command is now visible in log messages
stderr of each external command is redirected to stdin
* bug Fixed some potential memory leaks in ncparse.c dki.c zfparse.c
and zkt-soaserial.c (mostly a missing fclose() on error conditions).
Thanks to Jeremy C. Reed
* misc README file changed to Markdown syntax
* bug running zkt-keyman -3 didn't change anything on the key database
so a zkt-signer run afterwards didn't see anything to do.
Now the timestamp of the dnskey.db will be reset to a value less
than the timestamp of the (new) key signing key.
Thanks to Sven Strickroth for finding this.
* func New binary zkt-delegate added
Because it depends on the ldns library, it is located in
a separate directory and use a different Makefile
* func New Compile time option "--enable-ds-tracking" added.
Now dig is used on KSK rollover to check if the DS record
is announced in the parent zone.
Thanks to Sven Strickroth providing the patch.
zkt 1.1.3 -- 21. Nov 2014
* func New Config Parameter DependFiles added.
Contains a (comma separated) list of files which are
included into the ZoneFile. The timestamps of this files
are checked additional to the timestamp of the ZoneFile.
Based on a suggestion from Sven Strickroth
* misc Makefile changed to build tar file out of git repository
* misc Minimum supported BIND version is now 9.8
* bug Fixed bug in BIND version parsing (9.10.1 was parsed as 910
which is similar to 9.1.0)
Version 9.10.1 is parsed now as 091001
* misc Remove flag to request large exponent when creating keys
(BIND always creates keys with large exponents since BIND 9.5.0)
* misc Project moved to github
Thanks to Jakob Schlyter for doing the initial stuff
Major changes in 4.1
--------------------
Version 4.0 was the last version to support Python 2 and 3.4. Version 4.1 is compatible with Python 3.5+ only.
(newer changes not found)
Python-RSA is a pure-Python RSA implementation. It supports encryption
and decryption, signing and verifying signatures, and key generation
according to PKCS#1 version 1.5. It can be used as a Python library
as well as on the commandline.
This package contains the last version supported by Python 2.x.
I was confused about which SUBST was not ok, and had removed two, when
only one was troubled.
This is probably still not quite right, but zoneminder needs an update
of multiple major versions anyway.
Thanks to rillig@ for review and hints.
