chore(deps): update dependency hashicorp/vault to v1.14.3

Renovate Bot requested to merge renovate/hashicorp-vault-1.x into master

This MR contains the following updates:

Package         | Update | Change
hashicorp/vault | patch  | v1.14.0 -> v1.14.3

Dependency Lookup Warnings

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.


Release Notes

hashicorp/vault

v1.14.3

September 13, 2023

SECURITY:

  • secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [GH-22852]

CHANGES:

  • core: Bump Go version to 1.20.8.

FEATURES:

  • Merkle Tree Corruption Detection (enterprise): Add a new endpoint to check merkle tree corruption.

IMPROVEMENTS:

  • auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
  • core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
  • kmip (enterprise): reduce latency of KMIP operation handling

BUG FIXES:

  • cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to table. [GH-22818]
  • core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
  • core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
  • core/seal: add a workaround for potential connection hangs in Azure autoseals. [GH-22760]
  • core: All subloggers now reflect configured log level on reload. [GH-22038]
  • kmip (enterprise): fix date handling error with some re-key operations
  • raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
  • replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
  • secrets/transit: fix panic when providing non-PEM formatted public key for import [GH-22753]
  • ui: fixes long namespace names overflow in the sidebar

v1.14.2

August 30, 2023

CHANGES:

  • auth/azure: Update plugin to v0.16.0 [GH-22277]
  • core: Bump Go version to 1.20.7.
  • database/snowflake: Update plugin to v0.9.0 [GH-22516]

IMPROVEMENTS:

  • auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
  • core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
  • kmip (enterprise): Add namespace lock and unlock support [GH-21925]
  • replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
  • secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
  • storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
  • ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
  • ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
  • ui: enables create and update KV secret workflow when control group present [GH-22471]
  • website/docs: Fix link formatting in Vault lambda extension docs [GH-22396]

BUG FIXES:

  • activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
  • agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
  • api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
  • core (enterprise): Remove MFA Configuration for namespace when deleting namespace
  • core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
  • core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context. Also fix a related potential deadlock. [GH-21110]
  • core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
  • core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
  • core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
  • core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
  • expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
  • license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
  • replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
  • replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
  • replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
  • sdk/ldaputil: Properly escape user filters when using UPN domains; use the EscapeLDAPValue implementation from cap/ldap [GH-22249]
  • secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
  • secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
  • secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
  • secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
  • storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
  • ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
  • ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
  • ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
  • ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]

v1.14.1

July 25, 2023

CHANGES:

  • auth/ldap: Normalize HTTP response codes when invalid credentials are provided [GH-21282]
  • core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace), which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
  • secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
  • storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]

IMPROVEMENTS:

  • core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
  • eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [GH-21623]
  • openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [GH-21563]
  • replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
  • secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [GH-21702]
  • secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
  • sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]

BUG FIXES:

  • agent: Fix "generate-config" command documentation URL [GH-21466]
  • auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21800]
  • auth/token, sys: Fix path-help being unavailable for some list-only endpoints [GH-18571]
  • auth/token: Fix parsing of auth/token/create fields to avoid incorrect warnings about ignored parameters [GH-18556]
  • awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer respects AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, and AWS_ROLE_SESSION_NAME. [GH-21951]
  • core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
  • core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
  • core: Fixed issue with some durations not being properly parsed to include days. [GH-21357]
  • identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
  • openapi: Fix response schema for PKI Issue requests [GH-21449]
  • openapi: Fix schema definitions for PKI EAB APIs [GH-21458]
  • replication (enterprise): update primary cluster address after DR failover
  • secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21631]
  • secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [GH-21870]
  • secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [GH-21870]
  • secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but still referenced in the Vault 1.10 legacy CA bundle, this caused the error: no managed key found with uuid. [GH-21316]
  • secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
  • secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
  • serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
  • ui: Adds missing values to details view after generating PKI certificate [GH-21635]
  • ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]
  • ui: Fixed secrets, leases, and policies filter dropping focus after a single character [GH-21767]
  • ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [GH-21562]
  • ui: Fixes login screen display issue with Safari browser [GH-21582]
  • ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [GH-21926]
  • ui: Fixes styling of private key input when configuring an SSH key [GH-21531]
  • ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

Edited by Renovate Bot