v1.6.4

Release vault v1.6.4

v1.5.8

Release vault v1.5.8

v1.7.0

1.7.0

24 March 2021

CHANGES:

• go: Update go version to 1.15.8 [GH-11060]

FEATURES:

• Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
• agent: Support for persisting the agent cache to disk [GH-10938]
• auth/jwt: Adds max_age role parameter and auth_time claim validation. [GH-10919]
• kmip (enterprise): Use entropy augmentation to generate kmip certificates
• sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
• secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
• secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
• secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
• secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
• secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
• secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
• secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
• secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
• secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
• ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
• ui: Adds the wizard to the Database Secret Engine [GH-10982]
• ui: Database secrets engine, supporting MongoDB only [GH-10655]

IMPROVEMENTS:

• agent: Add template-retry stanza to agent config. [GH-10644]
• agent: Agent can now run as a Windows service. [GH-10231]
• agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
• agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
• agent: change auto-auth to preload an existing token on start [GH-10850]
• auth/ldap: Improve consistency in error messages [GH-10537]
• auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
• changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
• command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
• core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
• core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
• core/metrics: Added "vault operator usage" command. [GH-10365]
• core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
• core: Added active since timestamp to the status output of active nodes. [GH-10489]
• core: Check audit device with a test message before adding it. [GH-10520]
• core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10744]
• core: add metrics for active entity count [GH-10514]
• core: add partial month client count api [GH-11022]
• core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
• core: reduce memory used by leases [GH-10726]
• secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
• storage/raft (enterprise): Listing of peers is now allowed on DR secondary
  cluster nodes, as an update operation that takes in DR operation token for
  authenticating the request.
• ui: Clarify language on usage metrics page empty state [GH-10951]
• ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
• ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
• ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
• ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
• ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
• ui: better errors on Database secrets engine role create [GH-10980]

BUG FIXES:

• agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
• agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
• agent: Set namespace for template server in agent. [GH-10757]
• api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
• api: Fixes CORS API methods that were outdated and invalid [GH-10444]
• auth/jwt: Fixes bound_claims validation for provider-specific group and user info fetching. [GH-10546]
• auth/jwt: Fixes an issue where JWT verification keys weren't updated after a jwks_url change. [GH-10919]
• auth/jwt: Fixes an issue where jwt_supported_algs were not being validated for JWT auth using
  jwks_url and jwt_validation_pubkeys. [GH-10919]
• auth/oci: Fixes alias name to use the role name, and not the literal string name [GH-10] [GH-10952]
• consul-template: Update consul-template vendor version and associated dependencies to master,
  pulling in hashicorp/consul-template#1447 [GH-10756]
• core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
• core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
• core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
• core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
• core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
• core: Fix client.Clone() to include the address [GH-10077]
• core: Fix duplicate quotas on performance standby nodes. [GH-10855]
• core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring purgeInterval and
  staleAge are set appropriately. [GH-10536]
• core: Make all APIs that report init status consistent, and make them report
  initialized=true when a Raft join is in progress. [GH-10498]
• core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
• core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
• http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
• license: Fix license caching issue that prevents new licenses to get picked up by the license manager [GH-10424]
• metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
• quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
• replication (enterprise): Fix bug with not starting merkle sync while requests are in progress
• secrets/data...

v1.7.0-rc2

Release vault v1.7.0-rc2

v1.7.0-rc1

CHANGES:

• go: Update go version to 1.15.8 [GH-11060]

FEATURES:

• Aerospike Storage Backend: Add support for using Aerospike as a storage backend [GH-10131]
• agent: Support for persisting the agent cache to disk [GH-10938]
• auth/jwt: Adds max_age role parameter and auth_time claim validation. [GH-10919]
• kmip (enterprise): Use entropy augmentation to generate kmip certificates
• sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [GH-10653]
• secrets/aws: add IAM tagging support for iam_user roles [GH-10953]
• secrets/database/cassandra: Add ability to customize dynamic usernames [GH-10906]
• secrets/database/couchbase: Add ability to customize dynamic usernames [GH-10995]
• secrets/database/mongodb: Add ability to customize dynamic usernames [GH-10858]
• secrets/database/mssql: Add ability to customize dynamic usernames [GH-10767]
• secrets/database/mysql: Add ability to customize dynamic usernames [GH-10834]
• secrets/database/postgresql: Add ability to customize dynamic usernames [GH-10766]
• secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [GH-10996]
• secrets/terraform: New secret engine for managing Terraform Cloud API tokens [GH-10931]
• ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]
• ui: Adds the wizard to the Database Secret Engine [GH-10982]
• ui: Database secrets engine, supporting MongoDB only [GH-10655]

IMPROVEMENTS:

• agent: Add template-retry stanza to agent config. [GH-10644]
• agent: Agent can now run as a Windows service. [GH-10231]
• agent: Better concurrent request handling on identical requests proxied through Agent. [GH-10705]
• agent: Route templating server through cache when persistent cache is enabled. [GH-10927]
• agent: change auto-auth to preload an existing token on start [GH-10850]
• auth/ldap: Improve consistency in error messages [GH-10537]
• auth/okta: Adds support for Okta Verify TOTP MFA. [GH-10942]
• changelog: Add dependencies listed in dependencies/2-25-21 [GH-11015]
• command/debug: Now collects logs (at level trace) as a periodic output. [GH-10609]
• core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
• core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours
• core/metrics: Added "vault operator usage" command. [GH-10365]
• core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [GH-10375]
• core: Added active since timestamp to the status output of active nodes. [GH-10489]
• core: Check audit device with a test message before adding it. [GH-10520]
• core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [GH-10744]
• core: add metrics for active entity count [GH-10514]
• core: add partial month client count api [GH-11022]
• core: dev mode listener allows unauthenticated sys/metrics requests [GH-10992]
• core: reduce memory used by leases [GH-10726]
• secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [GH-10558]
• storage/raft (enterprise): Listing of peers is now allowed on DR secondary
  cluster nodes, as an update operation that takes in DR operation token for
  authenticating the request.
• ui: Clarify language on usage metrics page empty state [GH-10951]
• ui: Customize MongoDB input fields on Database Secrets Engine [GH-10949]
• ui: Upgrade Ember-cli from 3.8 to 3.22. [GH-9972]
• ui: Upgrade Storybook from 5.3.19 to 6.1.17. [GH-10904]
• ui: Upgrade date-fns from 1.3.0 to 2.16.1. [GH-10848]
• ui: Upgrade dependencies to resolve potential JS vulnerabilities [GH-10677]
• ui: better errors on Database secrets engine role create [GH-10980]

BUG FIXES:

• agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [GH-10556]
• agent: Set TokenParent correctly in the Index to be cached. [GH-10833]
• agent: Set namespace for template server in agent. [GH-10757]
• api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [GH-10490]
• api: Fixes CORS API methods that were outdated and invalid [GH-10444]
• auth/jwt: Fixes bound_claims validation for provider-specific group and user info fetching. [GH-10546]
• auth/jwt: Fixes an issue where JWT verification keys weren't updated after a jwks_url change. [GH-10919]
• auth/jwt: Fixes an issue where jwt_supported_algs were not being validated for JWT auth using
  jwks_url and jwt_validation_pubkeys. [GH-10919]
• auth/oci: Fixes alias name to use the role name, and not the literal string name [GH-10] [GH-10952]
• consul-template: Update consul-template vendor version and associated dependencies to master,
  pulling in hashicorp/consul-template#1447 [GH-10756]
• core (enterprise): Limit entropy augmentation during token generation to root tokens. [GH-10487]
• core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace.
• core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
• core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [GH-10456]
• core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
• core: Fix client.Clone() to include the address [GH-10077]
• core: Fix duplicate quotas on performance standby nodes. [GH-10855]
• core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring purgeInterval and
  staleAge are set appropriately. [GH-10536]
• core: Make all APIs that report init status consistent, and make them report
  initialized=true when a Raft join is in progress. [GH-10498]
• core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
• core: Turn off case sensitivity for allowed entity alias check during token create operation. [GH-10743]
• http: change max_request_size to be unlimited when the config value is less than 0 [GH-10072]
• license: Fix license caching issue that prevents new licenses to get picked up by the license manager [GH-10424]
• metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
• quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
• replication (enterprise): Fix bug with not starting merkle sync while requests are in progress
• secrets/database/influxdb: Fix issue where ...

v1.6.3

SECURITY:

• Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated
  reading of Vault licenses from DR Secondaries. This vulnerability affects Vault and Vault Enterprise and is
  fixed in 1.6.3 (CVE-2021-27668).

CHANGES:

• secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]

IMPROVEMENTS:

• ui: Clarify language on usage metrics page empty state [GH-10951]

BUG FIXES:

• auth/kubernetes: Cancel API calls to TokenReview endpoint when request context
  is closed [GH-10930]
• core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
• quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
• quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
• replication (enterprise): Don't write request count data on DR Secondaries.
  Fixes DR Secondaries becoming out of sync approximately every 30s. [GH-10970]
• secrets/azure (enterprise): Forward service principal credential creation to the
  primary cluster if called on a performance standby or performance secondary. [GH-10902]

v1.6.2

SECURITY:

• IP Address Disclosure: We fixed a vulnerability where, under some error
  conditions, Vault would return an error message disclosing internal IP
  addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
  1.6.2 (CVE-2021-3024).
• Limited Unauthenticated Remove Peer: As of Vault 1.6, the remove-peer command
  on DR secondaries did not require authentication. This issue impacts the
  stability of HA architecture, as a bad actor could remove all standby
  nodes from a DR
  secondary. This issue affects Vault Enterprise 1.6.0 and 1.6.1, and is fixed in
  1.6.2 (CVE-2021-3282).
• Mount Path Disclosure: Vault previously returned different HTTP status codes for
  existent and non-existent mount paths. This behavior would allow unauthenticated
  brute force attacks to reveal which paths had valid mounts. This issue affects
  Vault and Vault Enterprise and is fixed in 1.6.2 (CVE-2020-25594).

CHANGES:

• go: Update go version to 1.15.7 [GH-10730]

FEATURES:

• ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]

IMPROVEMENTS:

• core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
• core: reduce memory used by leases [GH-10726]
• storage/raft (enterprise): Listing of peers is now allowed on DR secondary
  cluster nodes, as an update operation that takes in DR operation token for
  authenticating the request.

BUG FIXES:

• agent: Set namespace for template server in agent. [GH-10757]
• core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
• metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
• secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [GH-10759]
• storage/raft (enterprise): Automated snapshots with Azure required specifying
  azure_blob_environment, which should have had as a default AZUREPUBLICCLOUD.
• storage/raft (enterprise): Autosnapshots config and storage weren't excluded from
  performance replication, causing conflicts and errors.
• ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [GH-10596]
• ui: Fix expected response from feature-flags endpoint [GH-10684]

v1.5.7

SECURITY:

• IP Address Disclosure: We fixed a vulnerability where, under some error
  conditions, Vault would return an error message disclosing internal IP
  addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
  1.6.2 and 1.5.7 (CVE-2021-3024).
• Mount Path Disclosure: Vault previously returned different HTTP status codes for
  existent and non-existent mount paths. This behavior would allow unauthenticated
  brute force attacks to reveal which paths had valid mounts. This issue affects
  Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).

IMPROVEMENTS:

• storage/raft (enterprise): Listing of peers is now allowed on DR secondary
  cluster nodes, as an update operation that takes in DR operation token for
  authenticating the request.

BUG FIXES:

• core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
• core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]

v1.6.1

Release vault v1.6.1

v1.5.6

Release vault v1.5.6