Vault - 1.15.6
Security
February 29, 2024
SECURITY:
- auth/cert: compare public keys of trusted non-CA certificates with incoming
client certificates to prevent trusting certs with the same serial number
but not the same public/private key. [GH-25649]
CHANGES:
- core: Bump Go version to 1.21.7.
- secrets/openldap: Update plugin to v0.12.1 [GH-25524]
FEATURES:
- Manual License Utilization Reporting: Added manual license
utilization reporting, which allows users to create manual exports of product-license [metering
data] to report to Hashicorp.
IMPROVEMENTS:
- auth/cert: Cache trusted certs to reduce memory usage and improve performance of logins. [GH-25421]
- ui: Add
deletion_allowedparam to transformations and includetokenizationas a type option [GH-25436] - ui: redirect back to current route after reauthentication when token expires [GH-25335]
- ui: remove unnecessary OpenAPI calls for unmanaged auth methods [GH-25364]
BUG FIXES:
- agent: Fix issue where Vault Agent was unable to render KVv2 secrets with delete_version_after set. [GH-25387]
- audit: Handle a potential panic while formatting audit entries for an audit log [GH-25605]
- core (enterprise): Fix a deadlock that can occur on performance secondary clusters when there are many mounts and a mount is deleted or filtered [GH-25448]
- core (enterprise): Fix a panic that can occur if only one seal exists but is unhealthy on the non-first restart of Vault.
- core/quotas: Deleting a namespace that contains a rate limit quota no longer breaks replication [GH-25439]
- openapi: Fixing response fields for rekey operations [GH-25509]
- secrets/transit: When provided an invalid input with hash_algorithm=none, a lock was not released properly before reporting an error leading to deadlocks on a subsequent key configuration update. [GH-25336]
- storage/file: Fixing spuriously deleting storage keys ending with .temp [GH-25395]
- transform (enterprise): guard against a panic looking up a token in exportable mode with barrier storage.
- ui: Do not disable JSON display toggle for KV version 2 secrets [GH-25235]
- ui: Do not show resultant-acl banner on namespaces a user has access to [GH-25256]
- ui: Fix copy button not working on masked input when value is not a string [GH-25269]
- ui: Update the KV secret data when you change the version you're viewing of a nested secret. [GH-25152]
Security
Security wording was detected, but no CVEs were found.
Details
date
Feb. 29, 2024, midnight
name
1.15.6
type
Patch
👇
Register or login to:
- 🔍View and search all Vault releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!