Vault - 1.13.9
Security
October 25, 2023
CHANGES:
- core: Bump Go version to 1.20.10.
- replication (enterprise): Switch to non-deprecated gRPC field for resolver target host
IMPROVEMENTS:
- api/plugins: add tls-server-name arg for plugin registration [GH-23549]
- core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [GH-22567]
BUG FIXES:
- command/server: Fix bug with sigusr2 where pprof files were not closed correctly [GH-23636]
- events: Ignore sending context to give more time for events to send [GH-23500]
- expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [GH-23282]
- kmip (enterprise): Improve handling of failures due to storage replication issues.
- kmip (enterprise): Return a structure in the response for query function Query Server Information.
- mongo-db: allow non-admin database for root credential rotation [GH-23240]
- replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
- replication (enterprise): Fix a missing unlock when changing replication state
- secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
- secrets/transit (enterprise): Address panic when using GCP, AWS, or Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled; only signing operations are supported.
- secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
- secrets/transit: Do not allow auto rotation on managed_key key types [GH-23723]
1.13.6
August 30, 2023
CHANGES:
- core: Bump Go version to 1.20.7.
IMPROVEMENTS:
- core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
- replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
- secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
- storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
- ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
- ui: enables create and update KV secret workflow when control group present [GH-22471]
BUG FIXES:
- activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
- api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
- core (enterprise): Remove MFA Configuration for namespace when deleting namespace
- core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context. Also fix a related potential deadlock. [GH-21110]
- core: Remove "expiration manager is nil on tokenstore" error log for unauthenticated requests on DR secondaries, as they do not have an expiration manager. [GH-22137]
- core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
- core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
- core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
- expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
- license: Add autoloaded license path to the cache exempt list. This ensures that license changes on the active node are observed on the perf standby node. [GH-22363]
- replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
- replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
- replication (enterprise): Fix a bug that could break the atomicity of a merkle diff result, which could cause the merkle-diff and sync process to fail to switch into stream-wal mode afterwards.
- sdk/ldaputil: Properly escape user filters when using UPN domains
- sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
- secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22331]
- secrets/transform (enterprise): Tidy operations are now re-scheduled no more often than once per minute, rather than at least once per minute
- ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
- ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
- ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
1.13.8
September 27, 2023
SECURITY:
- sentinel (enterprise): Sentinel RGP policies allowed for cross-namespace denial-of-service. This vulnerability, CVE-2023-3775, is fixed in Vault Enterprise 1.15.0, 1.14.4, and 1.13.8. [HSEC-2023-29]
CHANGES:
- core (enterprise): Ensure Role Governing Policies are only applied down the namespace hierarchy
IMPROVEMENTS:
- ui: Added allowed_domains_template field for CA type role in SSH engine [GH-23119]
BUG FIXES:
- core: Fixes list password policy to include those with names containing / characters. [GH-23155]
- secrets/pki: Fix removal of issuers to clean up unreferenced CRLs. [GH-23007]
- ui (enterprise): Fix error message when generating SSH credential with control group [GH-23025]
- ui: Fixes old pki's filter and search roles page bug [GH-22810]
- ui: don't exclude features present on license [GH-22855]
1.13.7
September 13, 2023
SECURITY:
- secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. This vulnerability, CVE-2023-4680, is fixed in Vault 1.14.3, 1.13.7, and 1.12.11. [GH-22852, HSEC-2023-28]
CHANGES:
- core: Bump Go version to 1.20.8.
- database/snowflake: Update plugin to v0.7.3 [GH-22591]
FEATURES:
- **Merkle Tree Corruption Detection (enterprise)**: Add a new endpoint to check merkle tree corruption.
IMPROVEMENTS:
- auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
- core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
- kmip (enterprise): reduce latency of KMIP operation handling
BUG FIXES:
- cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to table. [GH-22818]
- core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
- core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
- core/seal: add a workaround for potential connection hangs in Azure autoseals. [GH-22760]
- core: All subloggers now reflect configured log level on reload. [GH-22038]
- kmip (enterprise): fix date handling error with some re-key operations
- raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
- replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
Details
date: Oct. 25, 2023, midnight
name: 1.13.9
type: Patch