File vault.changes of Package vault
-------------------------------------------------------------------
Fri Apr 05 12:11:26 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.16.0:
* SECURITY:
- auth/cert: compare public keys of trusted non-CA certificates
with incoming client certificates to prevent trusting certs
with the same serial number but not the same public/private
key. [GH-25649]
- auth/cert: validate OCSP response was signed by the expected
issuer and serial number matched request [GH-26091]
- secrets/transit: fix a regression that was honoring nonces
provided in non-convergent modes during encryption.
[GH-22852]
* CHANGES:
- Upgrade grpc to v1.58.3 [GH-23703]
- Upgrade x/net to v0.17.0 [GH-23703]
- api: add the enterprise parameter to the /sys/health endpoint
[GH-24270]
- auth/alicloud: Update plugin to v0.16.1 [GH-25014]
- auth/alicloud: Update plugin to v0.17.0 [GH-25217]
- auth/approle: Normalized error response messages when invalid
credentials are provided [GH-23786]
- auth/azure: Update plugin to v0.16.1 [GH-22795]
- auth/azure: Update plugin to v0.17.0 [GH-25258]
- auth/cf: Update plugin to v0.16.0 [GH-25196]
- auth/gcp: Update plugin to v0.16.2 [GH-25233]
- auth/jwt: Update plugin to v0.19.0 [GH-24972]
- auth/jwt: Update plugin to v0.20.0 [GH-25326]
- auth/jwt: Update plugin to v0.20.1 [GH-25937]
- auth/kerberos: Update plugin to v0.10.1 [GH-22797]
- auth/kerberos: Update plugin to v0.11.0 [GH-25232]
- auth/kubernetes: Update plugin to v0.18.0 [GH-25207]
- auth/oci: Update plugin to v0.14.1 [GH-22774]
- auth/oci: Update plugin to v0.15.1 [GH-25245]
- cli: Using vault plugin reload with -plugin in the root
namespace will now reload the plugin across all namespaces
instead of just the root namespace. [GH-24878]
- cli: vault plugin info and vault plugin deregister now
require 2 positional arguments instead of accepting either 1
or 2. [GH-24250]
- core (enterprise): Seal High Availability (HA) must be
enabled by enable_multiseal in configuration.
- core: Bump Go version to 1.21.8.
- database/couchbase: Update plugin to v0.10.1 [GH-25275]
- database/elasticsearch: Update plugin to v0.14.0 [GH-25263]
- database/mongodbatlas: Update plugin to v0.11.0 [GH-25264]
- database/redis-elasticache: Update plugin to v0.3.0
[GH-25296]
- database/redis: Update plugin to v0.2.3 [GH-25289]
- database/snowflake: Update plugin to v0.10.0 [GH-25143]
- database/snowflake: Update plugin to v0.9.1 [GH-25020]
- events: Remove event notifications websocket endpoint in
non-Enterprise [GH-25640]
- events: Source URL is now vault://{vault node} [GH-24201]
- identity (enterprise): POST requests to the
/identity/entity/merge endpoint are now always forwarded from
standbys to the active node. [GH-24325]
- plugins/database: Reading connection config at
database/config/:name will now return a computed
running_plugin_version field if a non-builtin version is
running. [GH-25105]
- plugins: Add a warning to the response from
sys/plugins/reload/backend if no plugins were reloaded.
[GH-24512]
- plugins: By default, environment variables provided during
plugin registration will now take precedence over system
environment variables. Use the environment variable
VAULT_PLUGIN_USE_LEGACY_ENV_LAYERING=true to opt out and keep
higher preference for system environment variables. When this
flag is set, Vault will check during unseal for conflicts and
print warnings for any plugins with environment variables that
conflict with system environment variables. [GH-25128]
- plugins: /sys/plugins/runtimes/catalog response will always
include a list of "runtimes" in the response, even if empty.
[GH-24864]
- sdk: Upgrade dependent packages by sdk. This includes
github.com/docker/docker to v24.0.7+incompatible,
google.golang.org/grpc to v1.57.2 and golang.org/x/net to
v0.17.0. [GH-23913]
- secrets/ad: Update plugin to v0.16.2 [GH-25058]
- secrets/ad: Update plugin to v0.17.0 [GH-25187]
- secrets/alicloud: Update plugin to v0.16.0 [GH-25257]
- secrets/azure: Update plugin to v0.17.0 [GH-25189]
- secrets/gcp: Update plugin to v0.18.0 [GH-25173]
- secrets/gcpkms: Update plugin to v0.16.0 [GH-25231]
- secrets/keymgmt: Update plugin to v0.10.0
- secrets/kubernetes: Update plugin to v0.7.0 [GH-25204]
- secrets/kv: Update plugin to v0.16.2 [GH-22790]
- secrets/kv: Update plugin to v0.17.0 [GH-25277]
- secrets/mongodbatlas: Update plugin to v0.10.2 [GH-23849]
- secrets/mongodbatlas: Update plugin to v0.11.0 [GH-25253]
- secrets/openldap: Update plugin to v0.11.3 [GH-25040]
- secrets/openldap: Update plugin to v0.12.0 [GH-25251]
- secrets/openldap: Update plugin to v0.12.1 [GH-25524]
- secrets/terraform: Update plugin to v0.7.5 [GH-25288]
- telemetry: Seal wrap encrypt/decrypt metrics now
differentiate between seals using a metrics label of seal
name rather than separate metric names. [GH-23837]
- ui: Update icons to use Flight icons where available.
[GH-24823]
- ui: add subnav for replication items [GH-24283]
* FEATURES:
- Add Snapshot Inspector Tool: Add CLI tool to inspect Vault
snapshots [GH-23457]
- Audit Filtering: Audit devices support expression-based
filter rules (powered by go-bexpr) to determine which entries
are written to the audit log. [GH-24558]
- Controlled Access to Unauthenticated Endpoints (enterprise):
Gives admins more control over how unauthenticated endpoints
in Vault can be accessed and in some cases what information
they return. [GH-23547] [GH-23534] [GH-23740]
- Custom messages (enterprise): Introduces custom messages
settings, allowing users to view, and operators to configure
system-wide messages.
- Database Event Notifications: The database plugin now emits
event notifications. [GH-24718]
- Default Lease Count Quota (enterprise): Apply a new global
default lease count quota of 300k leases for all new installs
of Vault. [GH-24382]
- Experimental Raft-WAL Option: Reduces risk of infinite
snapshot loops for follower nodes in large-scale Integrated
Storage deployments. [GH-21460]
- Manual License Utilization Reporting: Added manual license
utilization reporting, which allows users to create manual
exports of product-license [metering data] to report to
Hashicorp.
- Plugin Identity Tokens: Adds secret-less configuration of AWS
secret engine using web identity federation. [GH-24987]
- Plugin Workload Identity (enterprise): Vault can generate
identity tokens for plugins to use in workload identity
federation auth flows.
- Quotas in Privileged Namespaces: Enable
creation/update/deletion of quotas from the privileged
namespace
- Reload seal configuration on SIGHUP: Seal configuration is
reloaded on SIGHUP so that seal configuration can be changed
without shutting down vault [GH-23571]
- Request Limiter (enterprise): Add adaptive concurrency lim...
-------------------------------------------------------------------
Fri Apr 05 11:33:00 UTC 2024 - opensuse_buildservice@ojkastl.de
- Update to version 1.15.6:
* SECURITY:
- auth/cert: compare public keys of trusted non-CA certificates
with incoming client certificates to prevent trusting certs
with the same serial number but not the same public/private
key. [GH-25649]
* CHANGES:
- core: Bump Go version to 1.21.7.
- secrets/openldap: Update plugin to v0.12.1 [GH-25524]
* FEATURES:
- Manual License Utilization Reporting: Added manual license
utilization reporting, which allows users to create manual
exports of product-license [metering data] to report to
Hashicorp.
* IMPROVEMENTS:
- auth/cert: Cache trusted certs to reduce memory usage and
improve performance of logins. [GH-25421]
- ui: Add deletion_allowed param to transformations and include
tokenization as a type option [GH-25436]
- ui: redirect back to current route after reauthentication
when token expires [GH-25335]
- ui: remove unnecessary OpenAPI calls for unmanaged auth
methods [GH-25364]
* BUG FIXES:
- agent: Fix issue where Vault Agent was unable to render KVv2
secrets with delete_version_after set. [GH-25387]
- audit: Handle a potential panic while formatting audit
entries for an audit log [GH-25605]
- core (enterprise): Fix a deadlock that can occur on
performance secondary clusters when there are many mounts and
a mount is deleted or filtered [GH-25448]
- core (enterprise): Fix a panic that can occur if only one
seal exists but is unhealthy on the non-first restart of
Vault.
- core/quotas: Deleting a namespace that contains a rate limit
quota no longer breaks replication [GH-25439]
- openapi: Fixing response fields for rekey operations
[GH-25509]
- secrets/transit: When provided an invalid input with
hash_algorithm=none, a lock was not released properly before
reporting an error leading to deadlocks on a subsequent key
configuration update. [GH-25336]
- storage/file: Fixing spuriously deleting storage keys ending
with .temp [GH-25395]
- transform (enterprise): guard against a panic looking up a
token in exportable mode with barrier storage.
- ui: Do not disable JSON display toggle for KV version 2
secrets [GH-25235]
- ui: Do not show resultant-acl banner on namespaces a user has
access to [GH-25256]
- ui: Fix copy button not working on masked input when value is
not a string [GH-25269]
- ui: Update the KV secret data when you change the version
you're viewing of a nested secret. [GH-25152]
-------------------------------------------------------------------
Sun Feb 4 09:15:38 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- new package vault (Hashicorp vault): A tool for secrets
management, encryption as a service, and privileged access
management