Skip to content

chore(deps): update dependency hashicorp/vault to v1.16.0

WALL-E requested to merge renovate/hashicorp-vault-1.x into master

This MR contains the following updates:

Package Update Change
hashicorp/vault minor v1.15.4 -> v1.16.0

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

hashicorp/vault (hashicorp/vault)

v1.16.0

Compare Source

v1.15.7+ent: v1.15.7+ent

Compare Source

1.15.7 Enterprise

March 28, 2024

SECURITY:

  • auth/cert: validate OCSP response was signed by the expected issuer and serial number matched request [GH-26091]

IMPROVEMENTS:

  • auth/cert: Allow validation with OCSP responses with no NextUpdate time [GH-25912]
  • core (enterprise): Avoid seal rewrapping in some specific unnecessary cases.
  • core (enterprise): persist seal rewrap status, so rewrap status API is consistent on secondary nodes.
  • ui: remove leading slash from KV version 2 secret paths [GH-25874]

BUG FIXES:

  • audit: Operator changes to configured audit headers (via /sys/config/auditing) will now force invalidation and be reloaded from storage when data is replicated to other nodes.
  • auth/cert: Address an issue in which OCSP query responses were not cached [GH-25986]
  • auth/cert: Allow cert auth login attempts if ocsp_fail_open is true and OCSP servers are unreachable [GH-25982]
  • cli: fixes plugin register CLI failure to error when plugin image doesn't exist [GH-24990]
  • core (enterprise): fix issue where the Seal HA rewrap system may remain running when an active node steps down.
  • core/login: Fixed a potential deadlock when a login fails and user lockout is enabled. [GH-25697]
  • replication (enterprise): fixed data integrity issue with the processing of identity aliases causing duplicates to occur in rare cases
  • ui: Fix kubernetes auth method roles tab [GH-25999]
  • ui: call resultant-acl without namespace header when user mounted at root namespace [GH-25766]

v1.15.6

Compare Source

1.15.6

February 29, 2024

SECURITY:

  • auth/cert: compare public keys of trusted non-CA certificates with incoming client certificates to prevent trusting certs with the same serial number but not the same public/private key. [GH-25649]

CHANGES:

  • core: Bump Go version to 1.21.7.
  • secrets/openldap: Update plugin to v0.12.1 [GH-25524]

FEATURES:

  • Manual License Utilization Reporting: Added manual license utilization reporting, which allows users to create manual exports of product-license [metering data] to report to Hashicorp.

IMPROVEMENTS:

  • auth/cert: Cache trusted certs to reduce memory usage and improve performance of logins. [GH-25421]
  • ui: Add deletion_allowed param to transformations and include tokenization as a type option [GH-25436]
  • ui: redirect back to current route after reauthentication when token expires [GH-25335]
  • ui: remove unnecessary OpenAPI calls for unmanaged auth methods [GH-25364]

BUG FIXES:

  • agent: Fix issue where Vault Agent was unable to render KVv2 secrets with delete_version_after set. [GH-25387]
  • audit: Handle a potential panic while formatting audit entries for an audit log [GH-25605]
  • core (enterprise): Fix a deadlock that can occur on performance secondary clusters when there are many mounts and a mount is deleted or filtered [GH-25448]
  • core (enterprise): Fix a panic that can occur if only one seal exists but is unhealthy on the non-first restart of Vault.
  • core/quotas: Deleting a namespace that contains a rate limit quota no longer breaks replication [GH-25439]
  • openapi: Fixing response fields for rekey operations [GH-25509]
  • secrets/transit: When provided an invalid input with hash_algorithm=none, a lock was not released properly before reporting an error leading to deadlocks on a subsequent key configuration update. [GH-25336]
  • storage/file: Fixing spuriously deleting storage keys ending with .temp [GH-25395]
  • transform (enterprise): guard against a panic looking up a token in exportable mode with barrier storage.
  • ui: Do not disable JSON display toggle for KV version 2 secrets [GH-25235]
  • ui: Do not show resultant-acl banner on namespaces a user has access to [GH-25256]
  • ui: Fix copy button not working on masked input when value is not a string [GH-25269]
  • ui: Update the KV secret data when you change the version you're viewing of a nested secret. [GH-25152]

v1.15.5

Compare Source

1.15.5

January 31, 2024

SECURITY:

  • audit: Fix bug where use of 'log_raw' option could result in other devices logging raw audit data [GH-24968] [HCSEC-2024-01]

CHANGES:

  • core: Bump Go version to 1.21.5.
  • database/snowflake: Update plugin to v0.9.1 [GH-25020]
  • secrets/ad: Update plugin to v0.16.2 [GH-25058]
  • secrets/openldap: Update plugin to v0.11.3 [GH-25040]

IMPROVEMENTS:

  • command/server: display logs on startup immediately if disable-gated-logs flag is set [GH-24280]
  • core/activity: Include secret_syncs in activity log responses [GH-24710]
  • oidc/provider: Adds code_challenge_methods_supported to OpenID Connect Metadata [GH-24979]
  • storage/raft: Upgrade to bbolt 1.3.8, along with an extra patch to reduce time scanning large freelist maps. [GH-24010]
  • sys (enterprise): Adds the chroot_namespace field to this sys/internal/ui/resultant-acl endpoint, which exposes the value of the chroot namespace from the listener config.
  • ui: latest version of chrome does not automatically redirect back to the app after authentication unless triggered by the user, hence added a link to redirect back to the app. [GH-18513]

BUG FIXES:

  • audit/socket: Provide socket based audit backends with 'prefix' configuration option when supplied. [GH-25004]
  • audit: Fix bug where use of 'log_raw' option could result in other devices logging raw audit data [GH-24968]
  • auth/saml (enterprise): Fixes support for Microsoft Entra ID enterprise applications
  • core (enterprise): fix a potential deadlock if an error is received twice from underlying storage for the same key
  • core: upgrade github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 to support azure workload identities. [GH-24954]
  • helper/pkcs7: Fix slice out-of-bounds panic [GH-24891]
  • kmip (enterprise): Only return a Server Correlation Value to clients using KMIP version 1.4.
  • plugins: fix panic when registering containerized plugin with a custom runtime on a perf standby
  • ui: Allows users to dismiss the resultant-acl banner. [GH-25106]
  • ui: Correctly handle redirects from pre 1.15.0 Kv v2 edit, create, and show urls. [GH-24339]
  • ui: Fixed minor bugs with database secrets engine [GH-24947]
  • ui: Fixes input for jwks_ca_pem when configuring a JWT auth method [GH-24697]
  • ui: Fixes policy input toolbar scrolling by default [GH-23297]
  • ui: The UI can now be used to create or update database roles by operator without permission on the database connection. [GH-24660]
  • ui: fix KV v2 details view defaulting to JSON view when secret value includes { [GH-24513]
  • ui: fix incorrectly calculated capabilities on PKI issuer endpoints [GH-24686]
  • ui: fix issue where kv v2 capabilities checks were not passing in the full secret path if secret was inside a directory. [GH-24404]
  • ui: fix navigation items shown to user when chroot_namespace configured [GH-24492]

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by WALL-E

Merge request reports