Skip to content

v1.6.5

Compare
Choose a tag to compare
@hc-github-team-secure-vault-core hc-github-team-secure-vault-core released this 21 May 20:30
01ca3c4

1.6.5

May 20th, 2021

SECURITY:

  • Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
    leases and dynamic secret leases with a zero-second TTL, causing them to be
    treated as non-expiring, and never revoked. This issue affects Vault and Vault
    Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
    1.7.2 (CVE-2021-32923).

CHANGES:

  • agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
    when using GCP Auto-Auth method [GH-11473]
  • auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials API for
    signing JWTs [GH-11498]

BUG FIXES:

  • core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
  • core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
  • secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
  • secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
  • ui: Fix namespace-bug on login [GH-11182]