v1.6.6

1.6.6

26 August 2021

SECURITY:

• UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

CHANGES:

• go: Update go version to 1.15.15 [GH-12423]

IMPROVEMENTS:

• db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]

BUG FIXES:

• physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
• secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
• secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
• ui: Automatically refresh the page when user logs out [GH-12035]
• ui: Fixes metrics page when read on counter config not allowed [GH-12348]
• ui: fix oidc login with Safari [GH-11884]

v1.8.1

1.8.1

August 5th, 2021

CHANGES:

• go: Update go version to 1.16.6 [GH-12245]

IMPROVEMENTS:

• serviceregistration: add external-source: "vault" metadata value for Consul registration. [GH-12163]

BUG FIXES:

• auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [GH-12026]
• auth/jwt: Fixes OIDC auth from the Vault UI when using form_post as the oidc_response_mode. [GH-12258]
• core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified
• core: fix byte printing for diagnose disk checks [GH-12229]
• identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [GH-12151]

v1.8.0

1.8.0

July 28th, 2021

CHANGES:

• agent: Errors in the template engine will no longer cause agent to exit unless
  explicitly defined to do so. A new configuration parameter,
  exit_on_retry_failure, within the new top-level stanza, template_config, can
  be set to true in order to cause agent to exit. Note that for agent to exit if
  template.error_on_missing_key is set to true, exit_on_retry_failure must
  be also set to true. Otherwise, the template engine will log an error but then
  restart its internal runner. [GH-11775]
• agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
  when using GCP Auto-Auth method [GH-11473]
• core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to
  start Vault. More information is available in the Vault License FAQ

FEATURES:

• GCP Secrets Engine Static Accounts: Adds ability to use existing service accounts for generation
  of service account keys and access tokens. [GH-12023]
• Key Management Secrets Engine (Enterprise): Adds general availability for distributing and managing keys in AWS KMS. [GH-11958]
• License Autoloading (Enterprise): Licenses may now be automatically loaded from the environment or disk.
• MySQL Database UI: The UI now supports adding and editing MySQL connections in the database secret engine [GH-11532]
• Vault Diagnose: A new vault operator command to detect common issues with vault server setups.

IMPROVEMENTS:

• agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [GH-11934]
• agent: Allow Agent auto auth to read symlinked JWT files [GH-11502]
• api: Allow a leveled logger to be provided to api.Client through SetLogger. [GH-11696]
• auth/aws: Underlying error included in validation failure message. [GH-11638]
• cli/api: Add lease lookup command [GH-11129]
• core: Add prefix_filter to telemetry config [GH-12025]
• core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [GH-12071]
• core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [GH-11588]
• core (enterprise): Add controlled capabilities to control group policy stanza
• core: Add metrics for standby node forwarding. [GH-11366]
• core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [GH-11472]
• core: Send notifications to systemd on start, stop, and configuration reload. [GH-11517]
• core: add irrevocable lease list and count apis [GH-11607]
• core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [GH-11364]
• db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
• go: Update to Go 1.16.5 [GH-11802]
• raft: Improve raft batch size selection [GH-11907]
• raft: change freelist type to map and set nofreelistsync to true [GH-11895]
• replication: Delay evaluation of X-Vault-Index headers until merkle sync completes.
• secrets/rabbitmq: Add ability to customize dynamic usernames [GH-11899]
• secrets/ad: Add rotate-role endpoint to allow rotations of service accounts. [GH-11942]
• secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
• secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
• secrets/database/elasticsearch: Add ability to customize dynamic usernames [GH-11957]
• secrets/database/influxdb: Add ability to customize dynamic usernames [GH-11796]
• secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
• secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]
• secrets/database/mongodbatlas: Adds the ability to customize username generation for dynamic users in MongoDB Atlas. [GH-11956]
• secrets/database/redshift: Add ability to customize dynamic usernames [GH-12016]
• secrets/database/snowflake: Add ability to customize dynamic usernames [GH-11997]
• ssh: add support for templated values in SSH CA DefaultExtensions [GH-11495]
• storage/raft/autopilot (enterprise): Enable Autopilot on DR secondary clusters
• storage/raft: Support autopilot for HA only raft storage. [GH-11260]
• ui: Add Validation to KV secret engine [GH-11785]
• ui: Add database secret engine support for MSSQL [GH-11231]
• ui: Add push notification message when selecting okta auth. [GH-11442]
• ui: Add regex validation to Transform Template pattern input [GH-11586]
• ui: Add specific error message if unseal fails due to license [GH-11705]
• ui: Add validation support for open api form fields [GH-11963]
• ui: Added auth method descriptions to UI login page [GH-11795]
• ui: JSON fields on database can be cleared on edit [GH-11708]
• ui: Obscure secret values on input and displayOnly fields like certificates. [GH-11284]
• ui: Redesign of KV 2 Delete toolbar. [GH-11530]
• ui: Replace tool partials with components. [GH-11672]
• ui: Show description on secret engine list [GH-11995]
• ui: Update ember to latest LTS and upgrade UI dependencies [GH-11447]
• ui: Update partials to components [GH-11680]
• ui: Updated ivy code mirror component for consistency [GH-11500]
• ui: Updated node to v14, latest stable build [GH-12049]
• ui: Updated search select component styling [GH-11360]
• ui: add transform secrets engine to features list [GH-12003]
• ui: add validations for duplicate path kv engine [GH-11878]
• ui: show site-wide banners for license warnings if applicable [GH-11759]
• ui: update license page with relevant autoload info [GH-11778]

DEPRECATIONS:

• secrets/gcp: Deprecated the /gcp/token/:roleset and /gcp/key/:roleset paths for generating
  secrets for rolesets. Use /gcp/roleset/:roleset/token and /gcp/roleset/:roleset/key instead. [GH-12023]

BUG FIXES:

• activity: Omit wrapping tokens and control groups from client counts [GH-11826]
• agent/cert: Fix issue where the API client on agent was not honoring certificate
  information from the auto-auth config map on renewals or retries. [GH-11576]
• agent/template: fix command shell quoting issue [GH-11838]
• agent: Fixed agent templating to use configured tls servername values [GH-11288]
• agent: fix timestamp format in log messages from the templating engine [GH-11838]
• auth/approle: fixing dereference of nil pointer [GH-11864]
• auth/jwt: Updates the hashicorp/cap library to v0.1.0 to
  bring in a verification key caching fix. [GH-11784]
• auth/kubernetes: Fix AliasLookahead to correctly extract ServiceAccount UID when using ephemeral JWTs [[GH-1207...

v1.8.0-rc2

Release vault v1.8.0-rc2

v1.8.0-rc1

Release vault v1.8.0-rc1

v1.7.3

Release vault v1.7.3

v1.7.2

1.7.2

May 20th, 2021

SECURITY:

• Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
  leases and dynamic secret leases with a zero-second TTL, causing them to be
  treated as non-expiring, and never revoked. This issue affects Vault and Vault
  Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
  1.7.2 (CVE-2021-32923).

CHANGES:

• agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
  when using GCP Auto-Auth method [GH-11473]
• auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for
  signing JWTs [GH-11494]

IMPROVEMENTS:

• api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [GH-11445]
• auth/aws: Underlying error included in validation failure message. [GH-11638]
• http: Add optional HTTP response headers for hostname and raft node ID [GH-11289]
• secrets/aws: add ability to provide a role session name when generating STS credentials [GH-11345]
• secrets/database/mongodb: Add ability to customize SocketTimeout, ConnectTimeout, and ServerSelectionTimeout [GH-11600]
• secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [GH-11600]

BUG FIXES:

• agent/cert: Fix issue where the API client on agent was not honoring certificate
  information from the auto-auth config map on renewals or retries. [GH-11576]
• agent: Fixed agent templating to use configured tls servername values [GH-11288]
• core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
• core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
• identity: Use correct mount accessor when refreshing external group memberships. [GH-11506]
• replication: Fix panic trying to update walState during identity group invalidation. [GH-1865]
• secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
• secrets/database: Fixed minor race condition when rotate-root is called [GH-11600]
• secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
• secrets/keymgmt (enterprise): Fixes audit logging for the read key response.
• storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [GH-11247]
• ui: Fix entity group membership and metadata not showing [GH-11641]
• ui: Fix text link URL on database roles list [GH-11597]

v1.6.5

1.6.5

May 20th, 2021

SECURITY:

• Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
  leases and dynamic secret leases with a zero-second TTL, causing them to be
  treated as non-expiring, and never revoked. This issue affects Vault and Vault
  Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
  1.7.2 (CVE-2021-32923).

CHANGES:

• agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
  when using GCP Auto-Auth method [GH-11473]
• auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials API for
  signing JWTs [GH-11498]

BUG FIXES:

• core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
• core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
• secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
• secrets/database: Fixes issue for V4 database interface where SetCredentials wasn't falling back to using RotateRootCredentials if SetCredentials is Unimplemented [GH-11585]
• ui: Fix namespace-bug on login [GH-11182]

v1.5.9

1.5.9

May 20th, 2021

SECURITY:

• Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
  leases and dynamic secret leases with a zero-second TTL, causing them to be
  treated as non-expiring, and never revoked. This issue affects Vault and Vault
  Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
  1.7.2 (CVE-2021-32923).

CHANGES:

• agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
  when using GCP Auto-Auth method [GH-11473]
• auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for
  signing JWTs [GH-11499]

BUG FIXES:

• core: correct logic for renewal of leases nearing their expiration time. [GH-11650]

v1.7.1

Release vault 1.7.1