File openbao.changes of Package openbao
-------------------------------------------------------------------
Fri Aug 29 04:08:42 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.4.0:
* SECURITY
- audit/file: Restrict mode parameter
- Refuse setting an irregular file mode
- Silently strip any executable bits [GH-1651]
* CHANGES
- certutil.ParsePublicKeyPEM of the package
github.com/openbao/openbao/sdk/v2/helper/certutil will now
return a crypto.PublicKey instead of any. You might need to
remove type assertions from your code. [GH-1611]
- database: Drop obsolete upgrade check in roleAtPath()
function introduced in v0.10 of Vault. [GH-1675]
- sdk/framework: Remove LegacyStringToSliceHookFunc, use
mapstructure.StringToWeakSliceHookFunc instead. [GH-1626]
- sdk/helper: Removed sdk/helper/base62, sdk/helper/mlock,
sdk/helper/parseutil, sdk/helper/password,
sdk/helper/strutil, and sdk/helper/tlsutil packages.
Please use github.com/openbao/go-secure-stdlib/xxx or
github.com/hashicorp/go-secure-stdlib/xxx instead.
- sdk/database/helper/connutil: Removed Initialize from
ConnectionProducer interface, and SQLConnectionProducer
struct. [GH-1676]
- sdk/logical: Introduce context to
logical.HandleListPage(...). [GH-1696]
- sdk: Bump Go version to 1.24.0 [GH-1690]
- vault/seal: removal of deprecated migration path of an old
pre-Vault v1.0 (encrypted) recovery config location [GH-1424]
* FEATURES
- Allow filtering LIST, SCAN responses via the
list_scan_response_keys_filter_path parameter to restrict
information to only readable or listable values. [GH-1389]
- Configuration-Based Audit Devices: Create and remove audit
devices through server configuration updates. Changes are
applied on restart and SIGHUP with issues appearing in the
logs. [GH-1700]
- Declarative Self-Initialization: allow server operators to
define initial service state through request-driven
initialization that occurs automatically on first server
start. Operators can reference environment variables and
files to provision initial authentication, audit, and secret
mounts in addition to having full control over general
requests to OpenBao. It is suggested to put the minimal
necessary configuration in this and use a proper IaC platform
like OpenTofu to perform further configuration of the
instance. [GH-1506]
- Delay recovery key generation for auto-unseal mechanisms and
make rotation authenticated: Add authenticated root and
recovery key rotation endpoints, allow delayed recovery key
generation (setting initial shares to 0). Solve the issue
with the unauthenticated recovery key rotation APIs.
[GH-1518]
- Inline, Write-less Authentication: support passing
authentication information inline with the desired main
operation to avoid the need for separate authentication
calls, storing and maintaining tokens. This authentication
form will not work with operations that create leases. In
this form of authentication, no storage writes occur as a
result of authentication allowing its use on future
read-enabled standby nodes. [GH-1433]
- Add static key unseal mechanism to allow auto-unseal in
environments with explicit trust chaining. [GH-1425]
* IMPROVEMENTS
- api/auth/jwt: initial implementation of JWT Auth Method
[GH-1526]
- auth/oidc: Add new show_qr=true cli option to display a QR
code of the login URL. [GH-1561]
- auto-unsealing: Improved the clarity of the warning message
logged when the server is uninitialized and auto-unsealing is
configured. [GH-1411]
- builtin/credential/jwt: Support TLS authentication against
explicit alt name/subject. [GH-1533]
- cel: Add cel-go ext helpers for string, list, optional,
regex, math, set, and encoder operations [GH-1697]
- cel: Unify CEL helper functions between JWT and PKI modules,
making email validation and other utilities available across
both authentication and certificate management [GH-1697]
- cli: add new subcommand "bao operator validate-config" to
validate a configuration file syntax [GH-1609]
- core: sys/seal-status: endpoint now always returns the
barrier seal type, explicitly adds recovery seal type
[GH-1638]
- deps: Update go-jose v3 to go-jose v4 [GH-1477]
- secrets/kv: Add CAS (Compare-And-Swap) support for metadata
operations in KV v2 secrets engine. Metadata updates now
support versioning via metadata_cas parameter and
metadata_cas_required configuration option to prevent
concurrent modification conflicts. [GH-1372]
- ui: change the message 'Vault is sealed' to 'OpenBao is
Sealed' by changing the title of the unseal template
[GH-1652]
- seal/pkcs11: Support and default to software encryption for
RSA key types. [GH-1742]
* DEPRECATIONS
- storage/postgresql: remove support for legacy PostgreSQL
versions before 9.5 which require a special upsert function.
[GH-1570]
* BUGFIXES
- api: Fix compatibility with sys/health from Vault Enterprise
[GH-1730]
- command: fixes typo in Windows command for setting BAO_ADDR
in development mode [GH-1527]
- core/namespaces: Prevent infinite loop in namespace loading
due to incorrect list pagination when more than 100 sibling
namespaces exist under a given parent [GH-1696]
- identity: fix nil panic when collecting metrics with
unsafe_cross_namespace_identity=true. [GH-1715]
- pki: Truncate should error on expired certificates [GH-1369]
- releases: add missing container image manifests for *-hsm
variants [GH-1597]
- sdk: Various constants in the sdk package mistakenly had no
explicit type. They are now typed correctly. [GH-1523]
- secrets/pki: Prevent infinite loop in tidy stemming from
incorrect list pagination [GH-1696]
- storage/postgresql: more graceful handling of parallel table
creation [GH-1506]
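The audit/file mode restriction listed under 2.4.0 SECURITY above (refuse an irregular file mode, silently strip executable bits), shown as a worked example in Go. This is an added illustration written for this changelog, not OpenBao's own code: the names sanitizeAuditFileMode and openAuditLog are hypothetical, the option is assumed to arrive as an octal string in chmod notation, and "irregular" is read here as "any bit outside the rwx permission bits" (setuid, setgid, sticky or a file-type bit).

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// sanitizeAuditFileMode applies the two rules from the 2.4.0 audit/file
// entry to the device's "mode" option: refuse anything that is not a plain
// permission set, and silently drop execute bits. Hypothetical helper
// written for this example, not OpenBao's implementation.
func sanitizeAuditFileMode(raw string) (os.FileMode, error) {
	// Assumption: the option is an octal string such as "0640" (chmod style).
	bits, err := strconv.ParseUint(raw, 8, 32)
	if err != nil {
		return 0, fmt.Errorf("audit file mode %q is not an octal number: %w", raw, err)
	}
	// Assumed reading of "irregular": any bit outside the rwx permission
	// bits (setuid, setgid, sticky, or a file-type bit) is refused outright.
	if bits&^0o777 != 0 {
		return 0, fmt.Errorf("audit file mode %#o contains non-permission bits, refusing", bits)
	}
	// Execute bits are pointless on a log file: strip them without an error.
	return os.FileMode(bits) &^ 0o111, nil
}

// openAuditLog creates (or appends to) the audit file with the sanitized
// mode. O_CREATE is narrowed by the process umask, so the mode is enforced
// explicitly on the open file as well.
func openAuditLog(path, rawMode string) (*os.File, error) {
	mode, err := sanitizeAuditFileMode(rawMode)
	if err != nil {
		return nil, err
	}
	f, err := os.OpenFile(path, os.O_CREATE|os.O_APPEND|os.O_WRONLY, mode)
	if err != nil {
		return nil, err
	}
	if err := f.Chmod(mode); err != nil {
		f.Close()
		return nil, err
	}
	return f, nil
}

func main() {
	// Constructed sample inputs: two sane modes, one with execute bits,
	// one with setuid, and one in symbolic notation.
	for _, raw := range []string{"0600", "0640", "0755", "4755", "u+rw"} {
		mode, err := sanitizeAuditFileMode(raw)
		if err != nil {
			fmt.Printf("%-5s -> rejected: %v\n", raw, err)
			continue
		}
		fmt.Printf("%-5s -> %#o\n", raw, uint32(mode))
	}
}
```

Running it shows "0755" quietly becoming 0644 while "4755" is refused; the chmod after open is what keeps a restrictive umask from silently producing a log file with a different mode than the one configured.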
-------------------------------------------------------------------
Fri Aug 08 04:50:09 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.3.2:
* Breaking Changes
Due to security vulnerabilities, there are three breaking
changes in this security release:
- audit subsystem will no longer allow creation of new devices
via the API except by setting
unsafe_allow_api_audit_creation. In the v2.4.0 release,
support for configuration-based audit device definition will
be added.
- auth/ldap has changed entity formats to normalize against
whitespace and case-sensitivity when the unsafe
username_as_alias=true parameter is set.
- TOTP codes now must be exactly N numeric digits and cannot
contain leading or trailing whitespace and will be rejected
by the API if they do.
* SECURITY
- audit: Add server configuration options to disable audit
mount creation via the API and to disable audit log
prefixing. HCSEC-2025-14 / CVE-2025-6000 / CVE-2025-54997.
[GH-1634]
- unsafe_allow_api_audit_creation (default: false) controls
the ability to create audit mounts via the API
- allow_audit_log_prefixing (default: false) controls the
availability of the prefix audit mount option
- auth/mfa: correctly limit reuse of TOTP codes during login
MFA enforcement. HCSEC-2025-19 / CVE-2025-6015 /
CVE-2025-55003. [GH-1629]
- auth/userpass: Prevent timing-based leak in userpass auth
method. HCSEC-2025-15 / CVE-2025-6011 / CVE-2025-54999.
Assumed to also apply to HCSEC-2025-21 / CVE-2025-6010.
[GH-1628]
- core/auth: Correctly handle alias lookahead for user lockout
consistency. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998.
- auth/userpass: Consistently handle alias lookahead as case
insensitive. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998.
- auth/ldap: Attempt consistent entity aliasing w.r.t. spacing
and casing. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998
and HCSEC-2025-20 / CVE-2025-6013 / CVE-2025-55001. [GH-1632]
- core/identity: Correctly lowercase policy names to prevent
root policy assignment. HCSEC-2025-13 / CVE-2025-5999 /
CVE-2025-54996. [GH-1627]
- secrets/totp: Fix TOTP verification reuse bypass when the
TOTP code contains spaces. HCSEC-2025-17 / CVE-2025-6014 /
CVE-2025-55000. [GH-1625]
* IMPROVEMENTS
- core: Update to Go 1.24.6. [GH-1637]
* BUG FIXES
- Ignore missing mounts when deleting a namespace. This can
happen when a mount is unmounted in parallel. [GH-1594]
- agent/template: add missing backoff mechanism for the
templating server [GH-1448]
- core/namespaces: fixed race condition in namespace deletion
operation during instance sealing [GH-1525]
- core/policies: fix bug with missing existing policies in
namespaces during failover, startup [GH-1613]
- identity/oidc: Fix unintentional lowercasing of namespace
accessor in assignments. [GH-1539]
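The TOTP hardening in the 2.3.2 entry above (codes must be exactly N numeric digits with no surrounding whitespace, and an accepted code must not be reusable, GH-1625 / GH-1629), shown as a worked example in Go. This is an added illustration, not OpenBao's code: the verifier type, its skew handling and the expiry used for the reuse map are assumptions made for the example; the HOTP computation follows RFC 4226 and the sample secret and timestamp are the RFC 6238 test vector, embedded here as constructed input.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrMalformedCode = errors.New("totp: code must be exactly N ASCII digits, no whitespace")
	ErrInvalidCode   = errors.New("totp: code does not match any accepted window")
	ErrCodeReused    = errors.New("totp: code was already used")
)

// validateCodeFormat is the strict shape check from the 2.3.2 notes:
// exactly `digits` ASCII digits, so " 123456", "123 456" and "123456\n"
// are rejected before any cryptographic comparison takes place.
func validateCodeFormat(code string, digits int) error {
	if len(code) != digits {
		return ErrMalformedCode
	}
	for i := 0; i < len(code); i++ {
		if code[i] < '0' || code[i] > '9' {
			return ErrMalformedCode
		}
	}
	return nil
}

// hotp computes an RFC 4226 HOTP-SHA1 value for one counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	bin := (uint32(sum[off])&0x7f)<<24 | uint32(sum[off+1])<<16 |
		uint32(sum[off+2])<<8 | uint32(sum[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// verifier is a hypothetical per-key TOTP checker (not OpenBao's type):
// one shared secret plus the set of codes already accepted for it.
type verifier struct {
	secret []byte
	digits int
	step   time.Duration
	skew   int // adjacent windows accepted on each side of "now" (assumption)
	mu     sync.Mutex
	used   map[string]time.Time // accepted code -> when it can no longer validate
}

func newVerifier(secret []byte, digits int, step time.Duration, skew int) *verifier {
	return &verifier{secret: secret, digits: digits, step: step, skew: skew, used: map[string]time.Time{}}
}

// Verify checks format first, then the HMAC, then single use. The reuse map
// is keyed by the already-validated code, so no alternative spelling of the
// same code (extra whitespace) can slip past the replay check.
func (v *verifier) Verify(code string, now time.Time) error {
	if err := validateCodeFormat(code, v.digits); err != nil {
		return err
	}
	counter := now.Unix() / int64(v.step/time.Second)
	matched := false
	for d := -v.skew; d <= v.skew; d++ {
		c := counter + int64(d)
		if c >= 0 && subtle.ConstantTimeCompare([]byte(hotp(v.secret, uint64(c), v.digits)), []byte(code)) == 1 {
			matched = true // keep looping: timing must not reveal which window hit
		}
	}
	if !matched {
		return ErrInvalidCode
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for k, exp := range v.used { // forget codes that can no longer validate
		if !now.Before(exp) {
			delete(v.used, k)
		}
	}
	if _, seen := v.used[code]; seen {
		return ErrCodeReused
	}
	// Conservative bound: after this many steps no skewed window can match.
	v.used[code] = now.Add(time.Duration(2*v.skew+1) * v.step)
	return nil
}

func main() {
	// Constructed sample: the RFC 6238 test secret, evaluated at t=59s.
	v := newVerifier([]byte("12345678901234567890"), 6, 30*time.Second, 1)
	at := time.Unix(59, 0)
	for _, c := range []string{"287082", "287082", " 287082", "287 082", "000000"} {
		fmt.Printf("%q -> %v\n", c, v.Verify(c, at))
	}
}
```

The ordering matters: validating the shape before looking at the secret means the replay map only ever holds canonical codes, which is exactly the property the whitespace bypass in GH-1625 broke.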
-------------------------------------------------------------------
Mon Jun 30 05:21:30 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.3.1:
* Bump to v2.3.1 - Drop Illumos support per policy in #711 (#1503)
* Bump sdk to v2.3.1, add changelog to v2.3.0 (#1501)
* Bump API to v2.3.1 in core, sdk (#1500)
* Minor improvements to CEL for PKI (#1390) (#1499)
* Allow disabling unauthenticated rekey (#1498)
* Add changelog entry for sdk/framework vulnerability (#1497)
* Fix PostgreSQL table creation on replica (#1478) (#1494)
* Namespaces UI support (#1406) (#1484)
* Fix identity store resolution (#1432) (#1491)
* Go dependency bumps to fix vulnerabilities in dependencies (#1492)
* Backport go-viper/mapstructure/v2 move (#1488)
* Point goreleaser and container image contacts to new OpenSSF domain (#1415) (#1489)
* Fix changelog entries (#1440) (#1487)
* HSM: Add arm64 builds & Alpine containers (#1427) (#1486)
* Fix flaky PostgreSQL backend connection test (#1368) (#1485)
* Fix detailed metadata on list results (#1388) (#1483)
* CEL for Certificate Issuance Policy (#794) (#1482)
* Deprecation notice for undocumented duplicate PKCS#11 seal options (#1385) (#1481)
* Bump github.com/ebitengine/purego to v0.8.4 (#1373)
* Changelog for v2.3.0-beta20250528 (#1371)
* Update to go-kms-wrapping/v2.4.0 (#1370)
* Track lock in namespace entry directly (#1367)
* Add check and set for policies (#1162)
* Namespaces locking/unlocking implementation (#1347)
* Add policy and path expiration (#1142)
* Add NeoNephos to supporters section of homepage (#1363)
* Support clearing views via pagination, with transaction (#1102)
* Describe how user access and roles are managed to cover OSPS-AC-02.01 (#1359)
* Use per-namespace storage layouts for identity (#1360)
* Update contributors and maintainers information (#1305)
* add hsm docker distribution to downloads page (#1353)
* MFA Login namespace adjustments (#1348)
* Describe usage of artifacts stores to cover OSPS-QA-05 (#1355)
* Describe how dependencies are tracked as part of OSPS-QA-02.01 (#1354)
* Detailed metadata in policy endpoint (#1224)
* Display seal configuration info keys in logs (#1346)
* Renew `goodcertbadroot.pem` (#1351)
* discarded ctx cancel functions
* struct literal uses unkeyed fields
* malformed struct field tag
* the ctxCancel function is not used on all paths (possible context leak)
* unreachable code
* Release note on PKCS#11 library finalization (see go-kms-wrapping)
* Better document configuration directories
* Add changelog entry
* Fix description of OU field in UI
* Namespaces: Test flake, deadlock, race condition cleanup (#1311)
* Add changelog to namespaces (#1321)
* Fix `/sys/remount` across namespaces (#1259)
* Hierarchical namespace storage (#1317)
* Move namespace resolution from http to core (#1279)
* Delete namespace-level quota on namespace deletion (#1296)
* fairshare job manager/worker: stop synchronously (#1291)
* Namespace-aware password policy storage & lookup (#1282)
* Add namespace-aware rate-limit quota (#1161)
* fix(identity): ensure identity store is set only for root namespace (#1271)
* Fix preSeal ordering w.r.t NamespaceStore (#1269)
* Implement Cascading Delete for Namespaces and Associated Resources (#1206)
* move namespace uuid into namespace struct (#1167)
* Forbid illegal namespace characters (#1203)
* Namespaces Regression: Restricted APIs in `sys/raw` (#1163)
* Tests for namespace route resolution - issue #1020 (#1201)
* Fix namespace, mount name exclusion logic (#1202)
* Namespace aware identity store #1110 (#1159)
* Namespace-aware Expiration Manager #1125 (#1158)
* Namespace-aware token store #1068 (#1123)
* Implement namespace name restrictions #1023 (#1143)
* feat: add `bao namespace scan` (#1133)
* Refactor namespace store (#1113)
* implement namespace aware plugin storage (#1157)
* Add support for child namespaces (#1051)
* Implement namespace aware Cubbyhole #1067 (#1112)
* Polish namespaces API (#1041)
* Add PATCH support to namespaces API (#1027)
* Namespace aware policy store #1069 (#1106)
* Create required mounts when setting up namespace (#1047)
* Correctly handle request routing (#1028)
* Polish NamespaceStore implementation (#1026)
* Add NamespaceStore to the namespace branch (#896)
* Fix various minor docs formatting issues (#1344)
* Add JSON configuration example to website (#1338)
* Bump dependencies (#1318)
* Bump ubi9-minimal from 9.5 to 9.6 (#1329)
* Allow building with HSM support on MacOS (#1330)
* Bump to Go 1.24.3 (#1324)
* Prevent information disclosure on invalid request (#1323)
* PostgreSQL - Remove redundant PermitPool (#1299)
* Fix deadlock on legacy root key path migration (#1234)
* Support retrying PostgreSQL connection (#1280)
* Allow lazy discovery of OIDC connection information (#1306)
* Bump actions/setup-go from 5.4.0 to 5.5.0 in /.github/actions/set-up-go (#1309)
* Fix marshaling and setting nil request body (#1315)
* Add JWT CEL Role RFC (#1312)
* Add OSPS to policies (#1313)
* Describe coverage of OSPS requirement OSPS-QA-01.02 (#1307)
* Fix incorrect conversion between integer types (on <64 bit systems) (#1310)
* Bump go.opentelemetry.io/otel/trace from 1.34.0 to 1.35.0 (#1294)
* CEL auth program evaluation during JWT login (#869)
* Add CEL best practices RFC (#1267)
* Affirm Level 1: OSPS-LE-02.01 (#1287)
* Affirm Level 1: OSPS-VM-02.01 has been met (#1273)
* Allow empty PostgreSQL connection URLs (#1297)
* chore(tools): rm codechecker bin (#1292)
* Affirm Level 1: OSPS-DO-01.01 (#1286)
* Affirm Level 1: OSPS-GV-03.01 (#1285)
* Document coverage of OSPS requirement OSPS-QA-01.01 (#1289)
* Minor cleanup of the rekey webpage (#1288)
* Bump actions/download-artifact from 4.2.1 to 4.3.0 (#1275)
* Bump github.com/go-sql-driver/mysql from 1.8.1 to 1.9.2 (#1277)
* Bump github.com/openbao/go-kms-wrapping/wrappers/pkcs11/v2 (#1276)
* chore: remove artifacts in `dependencies/` (#1272)
* Fix make goreleaser-check after split (#1257)
* Add release notes for v2.2.1 to website (#1256)
* Update critical dependencies (#1251)
* Return quoted string when -output-curl-string flag is passed #1038 (#1238)
* Bump ember-test-selectors from 6.0.0 to 7.1.0 in /ui (#1239)
* match ssh test to updated behaviour (#1243)
* (secrets/pki): add not_before_bound and not_after_bound (#1172)
* Bump github.com/golangci/revgrep (#1240)
* Bump k8s.io/api from 0.32.1 to 0.32.3 (#1241)
* Bump actions/setup-node from 4.3.0 to 4.4.0 (#1242)
* Do not encode empty subproblems in ACME (#1236)
* Fix name of org-level maintainers team (#1237)
* fix(ssh): `generate_signing_key=false` not honored on issuer submission endpoints (#1235)
* Bump actions/upload-artifact from 4.6.1 to 4.6.2 (#1148)
* Fix test-ui (#1211)
* Upgrade ESLint and prettier (#1218)
* Bump highlight.js from 10.7.2 to 11.11.1 in /ui (#1035)
* Bump honnef.co/go/tools from 0.4.3 to 0.6.1 (#1217)
* Bump mvdan.cc/gofumpt from 0.7.0 to 0.8.0 (#1216)
* Fix vault/diagnose test failure (#1221)
* Add h1 for mfa-validate api-doc (#1230)
* Clarify that region is required (#1220)
* doc(telemetry.mdx): add metrics_prefix (#1214)
* Do not set LimitNOFILE (#1179)
* update SSH-CA configure acceptance test for multi-issuer flow (#1210)
* build: update Go version and dependencies (#1209)
* Another attempt to fix TestOIDC_PeriodicFunc (#1178)
* Transactions for ssh-related functions (#989)
* Bump github.com/ory/dockertest/v3 from 3.10.0 to 3.12.0 (#1197)
* Add guide for listing detailed endpoints (#1190)
* Bump typescript from 5.8.2 to 5.8.3 in /website (#1195)
* Bump golang.org/x/text from 0.23.0 to 0.24.0 (#1196)
* Bump actions/go-dependency-submission from 2.0.1 to 2.0.3 (#1192)
* Bump actions/setup-go from 5.3.0 to 5.4.0 in /.github/actions/set-up-go (#1193)
* fix mirror workflow (#1191)
* Add Dave to DevWG voting members (#1187)
* Add support for automatic unsealing of OpenBao using a KMIP protocol (#1144)
* Add action to mirror repo to Codeberg (#1186)
* Bump actions/cache from 4.2.2 to 4.2.3 (#1149)
* Bump react-dom from 19.0.0 to 19.1.0 in /website (#1174)
* Bump gotest.tools/gotestsum from 1.10.0 to 1.12.1 (#1118)
* Bump actions/download-artifact from 4.1.9 to 4.2.1 (#1150)
* Bump actions/setup-node from 4.2.0 to 4.3.0 (#1151)
* Bump actions/cache from 4.2.2 to 4.2.3 in /.github/actions/set-up-go (#1152)
* Bump github.com/hashicorp/go-secure-stdlib/password from 0.1.1 to 0.1.4 (#1153)
* Add link to dev-wg project in CONTRIBUTING.md (#1180)
* Add new moderators: voigt, Gabrielopesantos, karras (#1171)
* docs: Add SSH CA Multi-issuer RFC to website docs (#1146)
* Support Multiple Issuers for SSH Secret Engine Mounts (#880)
* config.go: fix config file filename comment (de-vault) (#1141)
* Validate policies can contain comments, be JSON (#1134)
* PKI test failure (#1139)
* Remove beta warning (#1138)
* Add hex to templating for ACL policies (#1081)
* Add webpage for OSPS baseline (#1124)
* fix(docs/pkcs11): remove documentation regarding key generation (#1135)
* Allow periodicFunc to execute "now" (#1129)
* docs: Correct config file location in token helper docs (#1132)
* Add EdgeX Selects OpenBao Blog (#1127)
* Add GitLab to supporters section of homepage (#1128)
* Address timing issue caused by race-detection slowdown (#1100)
* Fix vulns (#1126)
* Fix ACME TLS documentation (#1122)
* Mitigate security risks found using Zizmor (#924)
* add rfc#432 to docs rfc index (#1116)
* Bump ember-cli-deprecation-workflow from 2.1.0 to 3.2.0 in /ui (#1104)
* website: Fix typos in website content (#1108)
* Officially add TSC membership process (#1101)
* Bump browser-actions/setup-chrome from 1.7.2 to 1.7.3 (#1089)
* Bump actions/setup-node from 4.1.0 to 4.2.0 (#1092)
* Bump webpack from 5.97.1 to 5.98.0 in /ui (#1094)
* Use consistent path for root key (#1006)
* Bump github.com/shirou/gopsutil/v4 from 4.24.12 to 4.25.2 (#1095)
* Bump actions/download-artifact from 4.1.8 to 4.1.9
* Bump actions/upload-artifact from 4.6.0 to 4.6.1
* Bump actions/setup-go from 4.0.1 to 5.3.0 in /.github/actions/set-up-go
* Add wildcard so dependabot traverses child directories (#1088)
* Add v2.2.0 changelog to release notes (#1085)
* Nit: Fix link to create/update role in api/pki docs (#1071)
* Bump github.com/hashicorp/cap from 0.8.0 to 0.9.0 (#1058)
* Bump actions/cache to v4, use pinning (#1064)
* Bump prettier-eslint-cli from 7.1.0 to 8.0.1 in /ui (#1059)
* Bump typescript from 5.7.3 to 5.8.2 in /website (#1057)
* Simplify Goreleaser templates (#1039)
* userpass: fix the wrong error return value (#1055)
* Add blog post for horizontal scalability (#1049)
* fix(ui): repairs missing checkmarks, in checkboxes, due to invalid usage of sass-svg-uri (#1042)
* Bump github.com/hashicorp/cap from 0.3.0 to 0.8.0 (#1036)
* Bump swagger-ui-dist from 5.18.2 to 5.19.0 in /ui (#1034)
* Bump d3-transition from 1.3.2 to 3.0.1 in /ui (#1032)
* fix prerelease image tagging (#1030)
* Revive Valkey plugin (#1019)
* Add API and CLI commands to promote/demote nodes in the Raft cluster (#996)
* cleanup leftover DR Token options (#1018)
* Add transaction wrappers to database endpoints (#995)
* Add transactions to AppRole funcs (#992)
* Bump github.com/natefinch/atomic (#1012)
* Update libraries.mdx (#1015)
* Bump @types/rsvp from 4.0.4 to 4.0.9 in /ui (#1011)
* Bump qunit-dom from 2.0.0 to 3.4.0 in /ui (#1010)
* Bump @types/ember-resolver from 5.0.13 to 9.0.2 in /ui (#1009)
* Bump ember-cli-htmlbars from 6.0.1 to 6.3.0 in /ui (#1008)
* identity: return metadata when listing entity-aliases (#1013)
* Minor docs improvements and chore (#1005)
-------------------------------------------------------------------
Mon Jun 30 04:54:04 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.3.1:
OpenBao v2.3.0 is unreleased due to a bug in Illumos builds.
* SECURITY
- core/sys: Add listener parameter
(disable_unauthed_rekey_endpoints, default: false) to
optionally disable unauthenticated rekey operations (to
sys/rekey/* and sys/rekey-recovery-key/*) for a listener.
This will be set to true in a future release; see the
deprecation notice for more information. Auditing is now
enabled for these endpoints as well. CVE-2025-52894. Upstream
HCSEC-2025-11 / CVE-2025-4656.
- sdk/framework: prevent additional information disclosure on
invalid request. CVE-2025-52893. [GH-1495]
* CHANGES
- packaging/systemd: Do not set LimitNOFILE, allowing Go to
automatically manage this value on behalf of the server. See
also golang/go#46279. [GH-1179]
- storage/postgresql: Support empty connection URLs to use
standard component-wise variables [GH-1297]
- packaging: Support for Illumos removed due to broken builds
[GH-1503]
* FEATURES
- KMIP Auto-Unseal: Add support for automatic unsealing of
OpenBao using a KMIP protocol. [GH-1144]
- Namespaces UI Support: Added namespace UI support, including
namespace picker and namespace management pages. [GH-1406]
- Namespaces: Support for tenant isolation using namespaces,
application API compatible with upstream's implementation.
- Create, read, update, delete a hierarchical directory of
namespaces
- Manage isolated per-namespace secrets engines, auth
methods, tokens, policies and more
- Migrate (remount) secrets engines and auth methods between
namespaces
- Lock and unlock namespaces
- Route requests to namespaces via path
(/my-namespace/secrets) or X-Vault-Namespace header (or
both!)
- CLI support via the bao namespace family of commands and
the -namespace flag. [GH-1165]
- Add ARM64 HSM builds and Alpine-based HSM container images
[GH-1427]
- Support Common Expression Language (CEL) in PKI. CEL allows
role authors to create flexible, dynamic certificate policies
with complex, custom validation support and arbitrary control
over the final certificate object. [GH-794]
- auth/jwt: Add support for Common Expression Language (CEL)
login roles. CEL allows role authors to create flexible,
dynamic policies with complex, custom claim validation
support and arbitrary templating of logical.Auth data.
[GH-869]
- ssh: Support multiple certificate issuers in SSH secret
engine mounts, enabling safer rotation of SSH CA key material
[GH-880]
* IMPROVEMENTS
- When using auto-unseal via KMS, KMS-specific configuration
information (non-sensitive) is now logged at server startup.
[GH-1346]
- approle: Use transactions for read + write operations
[GH-992]
- auth/jwt: Support lazy resolution of oidc_discovery_url or
jwks_url when skip_jwks_validation=true is specified on
auth/jwt/config; OIDC status is now reported on reading the
configuration. [GH-1306]
- core/identity: add unsafe_cross_namespace_identity to give
compatibility with Vault Enterprise's cross-namespace group
membership. [GH-1432]
- core/policies: Add check-and-set support for modifying
policies, allowing for protection against concurrent
modifications. [GH-1162]
- core/policies: Add endpoint to allow detailed listing of
policies [GH-1224]
- core/policies: Allow setting expiration on policies and
component paths, removing policies or preventing usage of
path rules after expiration. [GH-1142]
- core: Support pagination and transactions in ClearView,
CollectKeys, and ScanView, improving secret disable memory
consumption and request consistency. [GH-1102]
- database/valkey: Revive Redis plugin as Valkey, the
OSI-licensed fork of Redis [GH-1019]
- database: Use transactions for read-then-write methods in the
database package [GH-995]
- pki: add not_after_bound and not_before_bound role parameters
to safely limit issuance duration [GH-1172]
- ssh: Use transactions for read-then-write or multiple write
methods in the ssh package [GH-989]
- storage/postgresql: support retrying database connection on
startup to gracefully handle service ordering issues
[GH-1280]
* DEPRECATIONS
- Configuration of PKCS#11 auto-unseal using the duplicate and
undocumented module, token and key options is now deprecated.
Use the documented alternative options lib, token_label and
key_label instead, respectively. [GH-1385]
* BUG FIXES
- api: Stop marshaling nil interface data and adding it as a
request body on an api.Request [GH-1315]
- core/identity: load namespace entities, groups into MemDB
preventing them from disappearing on restart. [GH-1432]
- oidc: add some buffer time after calling oidcPeriodicFunc in
test, to prevent flakiness [GH-1178]
- pki: addresses a timing issue revealed in pki
Backend_RevokePlusTidy test [GH-1139]
- sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11
library on shutdown (openbao/go-kms-wrapping#32).
- This is unlikely to have caused many real-world issues so
far. [GH-1349]
- secrets/kv: Fix panic on detailed metadata list when results
include a directory. [GH-1388]
- storage/postgresql: Remove redundant PermitPool enforced by
db.SetMaxOpenConns(...). [GH-1299]
- storage/postgresql: skip table creation automatically on
PostgreSQL replicas [GH-1478]
- vault: addresses a timing issue revealed in OIDC_PeriodicFunc
test [GH-1129]
- vault: fixes a timing issue in OIDC_PeriodicFunc test
[GH-1100]
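Both the KV v2 metadata check-and-set entry (2.4.0 IMPROVEMENTS, GH-1372: metadata_cas parameter and metadata_cas_required option) and the policy check-and-set entry (2.3.1 IMPROVEMENTS, GH-1162) describe the same protection against concurrent modification. The worked example below, added here and not OpenBao's code, shows the semantics in Go on a toy versioned store: the caller supplies the version it last read and the write succeeds only if that version is still current. The casStore type, the "0 means the entry must not exist yet" convention and the casRequired flag are assumptions of the example, chosen to mirror the option names in the entries.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

var (
	ErrCASRequired = errors.New("cas: check-and-set parameter required but not supplied")
	ErrCASMismatch = errors.New("cas: version mismatch, entry was modified concurrently")
)

// entry is one versioned record: the stored value plus a version that
// every successful write increments.
type entry struct {
	value   string
	version uint64
}

// casStore is a hypothetical versioned store (not OpenBao's code) used to
// illustrate check-and-set. casRequired plays the role of a
// *_cas_required mount option: when set, writes without a cas value fail.
type casStore struct {
	mu          sync.Mutex
	entries     map[string]entry
	casRequired bool
}

func newCASStore(casRequired bool) *casStore {
	return &casStore{entries: make(map[string]entry), casRequired: casRequired}
}

// Read returns the current value and version; version 0 means absent.
func (s *casStore) Read(name string) (string, uint64) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e := s.entries[name]
	return e.value, e.version
}

// Write applies a check-and-set update. cas == nil means "no check", which
// is only permitted when the store does not require CAS. Assumed
// convention: cas 0 means the entry must not exist yet.
func (s *casStore) Write(name, value string, cas *uint64) (uint64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	cur := s.entries[name] // zero value when absent, i.e. version 0
	if cas == nil {
		if s.casRequired {
			return cur.version, ErrCASRequired
		}
	} else if *cas != cur.version {
		return cur.version, ErrCASMismatch
	}
	next := entry{value: value, version: cur.version + 1}
	s.entries[name] = next
	return next.version, nil
}

func ptr(v uint64) *uint64 { return &v }

func main() {
	// Constructed scenario: two operators edit the same policy concurrently.
	s := newCASStore(true)
	report := func(step string, v uint64, err error) {
		fmt.Printf("%-28s version=%d err=%v\n", step, v, err)
	}
	v, err := s.Write("policy/app", "initial rules", nil)
	report("write without cas", v, err)
	v, err = s.Write("policy/app", "initial rules", ptr(0))
	report("create with cas=0", v, err)
	_, seenA := s.Read("policy/app") // both read version 1
	_, seenB := s.Read("policy/app")
	v, err = s.Write("policy/app", "A's edit", ptr(seenA))
	report("A writes with cas=1", v, err)
	v, err = s.Write("policy/app", "B's edit", ptr(seenB))
	report("B writes with stale cas=1", v, err)
	_, cur := s.Read("policy/app")
	v, err = s.Write("policy/app", "B's edit, rebased", ptr(cur))
	report("B re-reads and retries", v, err)
}
```

The second writer's stale version is refused instead of silently overwriting the first edit; B has to re-read, reconcile, and retry with the current version, which is the lost-update protection both entries refer to.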
-------------------------------------------------------------------
Sat May 31 07:19:27 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.2.2:
Release notes:
https://github.com/openbao/openbao/blob/v2.2.2/CHANGELOG.md
* SECURITY:
- sdk/framework: prevent information disclosure on invalid
request. HCSEC-2025-09 / CVE-2025-4166. [GH-1323]
* BUG FIXES:
- ui: Fix description of Organizational Unit (OU) field in PKI.
[GH-1333]
-------------------------------------------------------------------
Thu Apr 24 06:58:27 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- Update to version 2.2.1:
* Release v2.2.1 (#1255)
* Backport core deps (#1252)
* Return quoted string when -output-curl-string flag is passed
#1038 (#1238) (#1250)
* build: update Go version and dependencies (#1209) (#1246)
* Fix vulns (#1126) (#1245)
* Fix vault/diagnose test failure (#1221) (#1247)
* Do not encode empty subproblems in ACME (#1236) (#1248)
* Fix name of org-level maintainers team (#1237) (#1249)
-------------------------------------------------------------------
Wed Mar 05 18:15:57 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 2.2.0:
Release notes: https://openbao.org/docs/release-notes/2-2-2/#220
Full list of changes:
https://github.com/openbao/openbao/compare/v2.1.0...v2.2.0
* New Features:
- ACME TLS Listener Certificate Provisioning: Automatically
fetch TLS certificates for OpenBao Server's TCP listeners via
an Automatic Certificate Management Environment (ACME - RFC
8555) capable certificate authority (CA). This allows OpenBao
to be self-hosted, using a CA contained within the instance
to sign the instance's own certificates. [GH-857]
- PKCS#11 Auto-Unseal: Add support for automatic unsealing of
OpenBao using a PKCS#11-enabled Hardware Security Module
(HSM) or Key Management System (KMS). [GH-889]
- Scanning: introduce the ability to recursively list (scan)
within plugins, adding a separate scan ACL capability,
operation type, HTTP verb (SCAN with GET fallback via
?scan=true), API, and CLI support. This also adds support to
the KVv1 and KVv2 engines. [GH-763]
- Transit: Add support for key derivation mechanisms (derives a
new key from a base key).
- This path uses the named base key and derivation
algorithm specific parameters to derive a new named key.
- Currently, only the ECDH key agreement algorithm is
supported: the base key is one's own ECC private key and
the "peer_public_key" is the pem-encoded other party's
ECC public key. The computed shared secret is the
resulting derived key. [GH-811]
- UI: Reintroduction of the WebUI. [GH-940]
- raft: Added support for nodes to join the Raft cluster as
non-voters. [GH-741]
* Changes
- command/server: Prevent and warn about loading of duplicate
config file from config directory. [GH-816]
- container: Set -dev-no-store-token in default container
images, fixing default read-only containers. [GH-826]
- core/seal: remove support for legacy pre-keyring barrier
entries and for legacy (direct) shamir unseal keys [GH-750]
- core: Remove support for Solaris due to lack of Docker
support. [GH-710]
-------------------------------------------------------------------
Wed Jan 22 05:59:28 UTC 2025 - opensuse_buildservice@ojkastl.de
- Update to version 2.1.1:
* Add changelog for v2.1.1 (#932)
* Update all keys and certs to TTL 100 years (#793) (#931)
* Fix expired cert auth test-fixture (#892) (#930)
* Bump to latest Go 1.23.5 version (#912) (#929)
* Bump alpine from 3.20 to 3.21 (#831) (#928)
* Bump extended standard library dependencies (#927)
-------------------------------------------------------------------
Fri Nov 29 20:20:11 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 2.1.0:
* Note:
- This release does not ship with the UI enabled. The UI will
be available in the future. #129
- OpenBao does not provide support for Vault Enterprise
features. If there is an enterprise feature you would like to
see added to the project, please open a feature request.
- OpenBao is fully API compatible with Vault 1.14.9, and seal
compatible with the plugins the project supports. Plugin
support for OpenBao can be found at
https://github.com/orgs/openbao/discussions/64.
* New Features:
- Remove Mount Table Limits: Using transactional storage, we've
split the auth and secret mount tables into separate storage
entries, removing the requirement that the entire table fit
into a single storage entry limited by max_entry_size. This
allows potentially hundreds of thousands of mounts on a single
scaled-up server. [GH-622]
- Transactional Storage: Plugin developers can now take
advantage of safe storage modification APIs when the
underlying physical storage supports them. The
physical.TransactionalBackend and logical.TransactionalStorage
types allow developers to begin read-only and writable
transactions, committing or rolling back the desired changes.
[GH-292]
- Transit: Support PKI CSR and certificate storage alongside
key material. This allows callers to securely create keys and
submit requests for certificates without the key material
leaving Transit. Storage of the certificate on the key avoids
the need for an additional K/V mount. Rotation of this
certificate and its chain is also supported. [GH-536]
- auth/oidc: Add a new callback_mode role option value device
to use the oidc device flow instead of a callback, add a new
poll_interval role option to control how often to poll for a
response, and add a new callbackmode=device option to the
oidc login method in the cli. [GH-319]
- auth/oidc: Add new callback_mode=direct role option to cause
the oidc callback to be direct to the server instead of the
client, and add a callbackmode=direct option to the oidc
login method in the cli. [GH-318]
- physical/postgres: Reintroduce Postgres database for OpenBao
storage, implementing paginated list support. This feature is
currently in preview and breaking changes may occur. [GH-467]
* Changelog
- 93609bf: Add changelog for v2.1.0 GA (#772) (@cipherboy)
- d083548: Bump go-kms-wrapping, openbao-template prior to
release (#770) (@cipherboy)
- Full changelog see
https://github.com/openbao/openbao/releases/tag/v2.1.0
https://github.com/openbao/openbao/releases/tag/v2.1.0-beta20241114.3
-------------------------------------------------------------------
Tue Nov 19 08:39:56 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 2.0.3:
* This release does not ship with the UI enabled. The UI will be
available in the future. #129
* OpenBao does not provide support for Vault Enterprise features.
If there is an enterprise feature you would like to see added
to the project, please open a feature request.
* OpenBao is fully API compatible with Vault 1.14.9, and seal
compatible with the plugins the project supports. Plugin
support for OpenBao can be found
[here](https://github.com/orgs/openbao/discussions/64).
* Add v2.0.3 to CHANGELOG.md (#728)
* Bump golang.org/x/net (#692) (#726)
* Bump github.com/go-jose/go-jose/v3 to v3.0.3 (#693) (#727)
* Bump go version to 1.22.9 for v2.0.3 release (#725)
* Fix goreleaser prerelease status (#713) (#721)
* Replace github.com/mholt/archiver/v3 with stdlib (#611) (#714)
* Update to UBI 9.5 (#701) (#719)
* Fix root namespace permission elevation (#695) (#718)
* Bump github.com/golang-jwt/jwt/v4 (#691) (#717)
* Compute raft peer bootstrap challenge via HKDF (#690) (#716)
* Exclude changelog directory from release archive (#641) (#715)
* Update goreleaser config version to 2 (#709) (#720)
-------------------------------------------------------------------
Sun Oct 06 08:14:21 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 2.0.2:
* This release does not ship with the UI enabled. The UI will be
available in the future. #129
* OpenBao does not provide support for Vault Enterprise features.
If there is an enterprise feature you would like to see added
to the project, please open a feature request.
* OpenBao is fully API compatible with Vault 1.14.9, and seal
compatible with the plugins the project supports. Plugin
support for OpenBao can be found
[here](https://github.com/orgs/openbao/discussions/64).
* use correct Alpine version (#589)
* release: v2.0.2 (#586)
* Bump to go 1.22.8 (#588)
* Deny empty valid_principals during SSH issuance (#561)
* Correctly handle IPv6 for HTTP-01 (#559)
* add vault symlink to Docker images (#548)
* Fix k8s registration variables (#527)
* Fix aliasNameFromLoginRequest panic (#512)
* fix command `vault print token` to `bao print token` in curl
string generated by `buildCurlString()` (#511)
-------------------------------------------------------------------
Tue Sep 10 08:54:13 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 2.0.1:
* This release does not ship with the UI enabled. The UI will be
available in the future. #129
* OpenBao does not provide support for Vault Enterprise features.
If there is an enterprise feature you would like to see added
to the project, please open a feature request.
* OpenBao is fully API compatible with Vault 1.14.9, and seal
compatible with the plugins the project supports. Plugin
support for OpenBao can be found
[here](https://github.com/orgs/openbao/discussions/64).
* Changelog
- Disable UI tests (#479) (@cipherboy)
- Fix Ed25519 Pointer in PKI Existing handling (#461)
(@cipherboy)
- Fix api, sdk modules with v2.0.1 (#425) (@cipherboy)
- Fix bao cli login success message (#452) (@sadikkuzu)
- Fix broken zlint test (#458) (@cipherboy)
- Pass BAO_ADDR to the token helper (#348) (@ruuda)
- Update Docker dependency (#505) (@cipherboy)
- Update to Go 1.22.6 toolchain for v2.0.1 (#504) (@cipherboy)
- fix: variable name collision in docker-entrypoint (#446)
(@jackhodgkiss)
- labels use openbao as prefix instead of vault (#416)
(@finkandreas)
- release: v2.0.1 (@JanMa)
- build using CGO_ENABLED=0 on i586, s390x and armv7l
-------------------------------------------------------------------
Thu Jul 18 12:47:17 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 2.0.0:
* This release does not ship with the UI enabled. The UI will be
available in the future. #129
* This release provides initial support for artifact signing.
* OpenBao does not provide support for Vault Enterprise features.
If there is an enterprise feature you would like to see added
to the project, please open a feature request.
* OpenBao is fully API compatible with Vault 1.14.9, and seal
compatible with the plugins the project supports. Plugin
support for OpenBao can be found here.
* Changelog
- Gate Docker steps behind GOOS (#412)
- Add GOOS matrix to release workflow (#411)
- Update Go version, changelog, modules for GA (#410)
- set bao binary version info with Goreleaser (#401)
- Remove cross-cluster revocation from PKI (#365)
- Update docs to include mlock removal RFC (#391)
- Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#395)
- Clarify fork point in FAQ (#392)
- docs: recreate images and diagrams (#397)
- Bump test-summary/action from 2.2 to 2.4 (#387)
- Remove mlock and replace with cgroups (#363)
- Downgrade test-summary/action from 2.3 to 2.2 (#381)
- Bump test-summary/action from 2.1 to 2.3 (#199)
- Bump browser-actions/setup-chrome from 1.5.0 to 1.7.1 (#377)
- Bump actions/github-script from 6.4.1 to 7.0.1 (#198)
- Bump actions/upload-artifact from 3.1.2 to 4.3.3 (#376)
- fix release asset parsing for download page (#378)
- update website dependencies (#368)
- docs(token): document the token format (#372)
- Fix artifact signing, use default runner
- Bump actions/configure-pages from 4 to 5 (#370)
-------------------------------------------------------------------
Sun Feb 4 08:43:31 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- new package openbao: provide a software solution to manage,
store, and distribute sensitive data including secrets,
certificates, and keys (open source fork of Hashicorp Vault)