1## 1.8.1 2### August 5th, 2021 3 4CHANGES: 5 6* go: Update go version to 1.16.6 [[GH-12245](https://github.com/hashicorp/vault/pull/12245)] 7 8IMPROVEMENTS: 9 10* serviceregistration: add `external-source: "vault"` metadata value for Consul registration. [[GH-12163](https://github.com/hashicorp/vault/pull/12163)] 11 12BUG FIXES: 13 14* auth/aws: Remove warning stating AWS Token TTL will be capped by the Default Lease TTL. [[GH-12026](https://github.com/hashicorp/vault/pull/12026)] 15* auth/jwt: Fixes OIDC auth from the Vault UI when using `form_post` as the `oidc_response_mode`. [[GH-12258](https://github.com/hashicorp/vault/pull/12258)] 16* core (enterprise): Disallow autogenerated licenses to be used in diagnose even when config is specified 17* core: fix byte printing for diagnose disk checks [[GH-12229](https://github.com/hashicorp/vault/pull/12229)] 18* identity: do not allow a role's token_ttl to be longer than the signing key's verification_ttl [[GH-12151](https://github.com/hashicorp/vault/pull/12151)] 19 20## 1.8.0 21### July 28th, 2021 22 23CHANGES: 24 25* agent: Errors in the template engine will no longer cause agent to exit unless 26explicitly defined to do so. A new configuration parameter, 27`exit_on_retry_failure`, within the new top-level stanza, `template_config`, can 28be set to `true` in order to cause agent to exit. Note that for agent to exit if 29`template.error_on_missing_key` is set to `true`, `exit_on_retry_failure` must 30be also set to `true`. Otherwise, the template engine will log an error but then 31restart its internal runner. [[GH-11775](https://github.com/hashicorp/vault/pull/11775)] 32* agent: Update to use IAM Service Account Credentials endpoint for signing JWTs 33when using GCP Auto-Auth method [[GH-11473](https://github.com/hashicorp/vault/pull/11473)] 34* core (enterprise): License/EULA changes that ensure the presence of a valid HashiCorp license to 35start Vault. More information is available in the [Vault License FAQ](https://www.vaultproject.io/docs/enterprise/license/faqs) 36 37FEATURES: 38 39* **GCP Secrets Engine Static Accounts**: Adds ability to use existing service accounts for generation 40 of service account keys and access tokens. [[GH-12023](https://github.com/hashicorp/vault/pull/12023)] 41* **Key Management Secrets Engine (Enterprise)**: Adds general availability for distributing and managing keys in AWS KMS. [[GH-11958](https://github.com/hashicorp/vault/pull/11958)] 42* **License Autoloading (Enterprise)**: Licenses may now be automatically loaded from the environment or disk. 43* **MySQL Database UI**: The UI now supports adding and editing MySQL connections in the database secret engine [[GH-11532](https://github.com/hashicorp/vault/pull/11532)] 44* **Vault Diagnose**: A new `vault operator` command to detect common issues with vault server setups. 45 46IMPROVEMENTS: 47 48* agent/template: Added static_secret_render_interval to specify how often to fetch non-leased secrets [[GH-11934](https://github.com/hashicorp/vault/pull/11934)] 49* agent: Allow Agent auto auth to read symlinked JWT files [[GH-11502](https://github.com/hashicorp/vault/pull/11502)] 50* api: Allow a leveled logger to be provided to `api.Client` through `SetLogger`. [[GH-11696](https://github.com/hashicorp/vault/pull/11696)] 51* auth/aws: Underlying error included in validation failure message. [[GH-11638](https://github.com/hashicorp/vault/pull/11638)] 52* cli/api: Add lease lookup command [[GH-11129](https://github.com/hashicorp/vault/pull/11129)] 53* core: Add `prefix_filter` to telemetry config [[GH-12025](https://github.com/hashicorp/vault/pull/12025)] 54* core: Add a darwin/arm64 binary release supporting the Apple M1 CPU [[GH-12071](https://github.com/hashicorp/vault/pull/12071)] 55* core: Add a small (<1s) exponential backoff to failed TCP listener Accept failures. [[GH-11588](https://github.com/hashicorp/vault/pull/11588)] 56* core (enterprise): Add controlled capabilities to control group policy stanza 57* core: Add metrics for standby node forwarding. [[GH-11366](https://github.com/hashicorp/vault/pull/11366)] 58* core: Add metrics to report if a node is a perf standby, if a node is a dr secondary or primary, and if a node is a perf secondary or primary. [[GH-11472](https://github.com/hashicorp/vault/pull/11472)] 59* core: Send notifications to systemd on start, stop, and configuration reload. [[GH-11517](https://github.com/hashicorp/vault/pull/11517)] 60* core: add irrevocable lease list and count apis [[GH-11607](https://github.com/hashicorp/vault/pull/11607)] 61* core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [[GH-11364](https://github.com/hashicorp/vault/pull/11364)] 62* db/cassandra: Added tls_server_name to specify server name for TLS validation [[GH-11820](https://github.com/hashicorp/vault/pull/11820)] 63* go: Update to Go 1.16.5 [[GH-11802](https://github.com/hashicorp/vault/pull/11802)] 64* replication: Delay evaluation of X-Vault-Index headers until merkle sync completes. 65* secrets/rabbitmq: Add ability to customize dynamic usernames [[GH-11899](https://github.com/hashicorp/vault/pull/11899)] 66* secrets/ad: Add `rotate-role` endpoint to allow rotations of service accounts. [[GH-11942](https://github.com/hashicorp/vault/pull/11942)] 67* secrets/aws: add IAM tagging support for iam_user roles [[GH-10953](https://github.com/hashicorp/vault/pull/10953)] 68* secrets/aws: add ability to provide a role session name when generating STS credentials [[GH-11345](https://github.com/hashicorp/vault/pull/11345)] 69* secrets/database/elasticsearch: Add ability to customize dynamic usernames [[GH-11957](https://github.com/hashicorp/vault/pull/11957)] 70* secrets/database/influxdb: Add ability to customize dynamic usernames [[GH-11796](https://github.com/hashicorp/vault/pull/11796)] 71* secrets/database/mongodb: Add ability to customize `SocketTimeout`, `ConnectTimeout`, and `ServerSelectionTimeout` [[GH-11600](https://github.com/hashicorp/vault/pull/11600)] 72* secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [[GH-11600](https://github.com/hashicorp/vault/pull/11600)] 73* secrets/database/mongodbatlas: Adds the ability to customize username generation for dynamic users in MongoDB Atlas. [[GH-11956](https://github.com/hashicorp/vault/pull/11956)] 74* secrets/database/redshift: Add ability to customize dynamic usernames [[GH-12016](https://github.com/hashicorp/vault/pull/12016)] 75* secrets/database/snowflake: Add ability to customize dynamic usernames [[GH-11997](https://github.com/hashicorp/vault/pull/11997)] 76* ssh: add support for templated values in SSH CA DefaultExtensions [[GH-11495](https://github.com/hashicorp/vault/pull/11495)] 77* storage/raft: Improve raft batch size selection [[GH-11907](https://github.com/hashicorp/vault/pull/11907)] 78* storage/raft: change freelist type to map and set nofreelistsync to true [[GH-11895](https://github.com/hashicorp/vault/pull/11895)] 79* storage/raft: Switch to shared raft-boltdb library and add boltdb metrics [[GH-11269](https://github.com/hashicorp/vault/pull/11269)] 80* storage/raft: Support autopilot for HA only raft storage. [[GH-11260](https://github.com/hashicorp/vault/pull/11260)] 81* storage/raft (enterprise): Enable Autopilot on DR secondary clusters 82* ui: Add Validation to KV secret engine [[GH-11785](https://github.com/hashicorp/vault/pull/11785)] 83* ui: Add database secret engine support for MSSQL [[GH-11231](https://github.com/hashicorp/vault/pull/11231)] 84* ui: Add push notification message when selecting okta auth. [[GH-11442](https://github.com/hashicorp/vault/pull/11442)] 85* ui: Add regex validation to Transform Template pattern input [[GH-11586](https://github.com/hashicorp/vault/pull/11586)] 86* ui: Add specific error message if unseal fails due to license [[GH-11705](https://github.com/hashicorp/vault/pull/11705)] 87* ui: Add validation support for open api form fields [[GH-11963](https://github.com/hashicorp/vault/pull/11963)] 88* ui: Added auth method descriptions to UI login page [[GH-11795](https://github.com/hashicorp/vault/pull/11795)] 89* ui: JSON fields on database can be cleared on edit [[GH-11708](https://github.com/hashicorp/vault/pull/11708)] 90* ui: Obscure secret values on input and displayOnly fields like certificates. [[GH-11284](https://github.com/hashicorp/vault/pull/11284)] 91* ui: Redesign of KV 2 Delete toolbar. [[GH-11530](https://github.com/hashicorp/vault/pull/11530)] 92* ui: Replace tool partials with components. [[GH-11672](https://github.com/hashicorp/vault/pull/11672)] 93* ui: Show description on secret engine list [[GH-11995](https://github.com/hashicorp/vault/pull/11995)] 94* ui: Update ember to latest LTS and upgrade UI dependencies [[GH-11447](https://github.com/hashicorp/vault/pull/11447)] 95* ui: Update partials to components [[GH-11680](https://github.com/hashicorp/vault/pull/11680)] 96* ui: Updated ivy code mirror component for consistency [[GH-11500](https://github.com/hashicorp/vault/pull/11500)] 97* ui: Updated node to v14, latest stable build [[GH-12049](https://github.com/hashicorp/vault/pull/12049)] 98* ui: Updated search select component styling [[GH-11360](https://github.com/hashicorp/vault/pull/11360)] 99* ui: add transform secrets engine to features list [[GH-12003](https://github.com/hashicorp/vault/pull/12003)] 100* ui: add validations for duplicate path kv engine [[GH-11878](https://github.com/hashicorp/vault/pull/11878)] 101* ui: show site-wide banners for license warnings if applicable [[GH-11759](https://github.com/hashicorp/vault/pull/11759)] 102* ui: update license page with relevant autoload info [[GH-11778](https://github.com/hashicorp/vault/pull/11778)] 103 104DEPRECATIONS: 105 106* secrets/gcp: Deprecated the `/gcp/token/:roleset` and `/gcp/key/:roleset` paths for generating 107 secrets for rolesets. Use `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` instead. [[GH-12023](https://github.com/hashicorp/vault/pull/12023)] 108 109BUG FIXES: 110 111* activity: Omit wrapping tokens and control groups from client counts [[GH-11826](https://github.com/hashicorp/vault/pull/11826)] 112* agent/cert: Fix issue where the API client on agent was not honoring certificate 113 information from the auto-auth config map on renewals or retries. [[GH-11576](https://github.com/hashicorp/vault/pull/11576)] 114* agent/template: fix command shell quoting issue [[GH-11838](https://github.com/hashicorp/vault/pull/11838)] 115* agent: Fixed agent templating to use configured tls servername values [[GH-11288](https://github.com/hashicorp/vault/pull/11288)] 116* agent: fix timestamp format in log messages from the templating engine [[GH-11838](https://github.com/hashicorp/vault/pull/11838)] 117* auth/approle: fixing dereference of nil pointer [[GH-11864](https://github.com/hashicorp/vault/pull/11864)] 118* auth/jwt: Updates the [hashicorp/cap](https://github.com/hashicorp/cap) library to `v0.1.0` to 119 bring in a verification key caching fix. [[GH-11784](https://github.com/hashicorp/vault/pull/11784)] 120* auth/kubernetes: Fix AliasLookahead to correctly extract ServiceAccount UID when using ephemeral JWTs [[GH-12073](https://github.com/hashicorp/vault/pull/12073)] 121* auth/ldap: Fix a bug where the LDAP auth method does not return the request_timeout configuration parameter on config read. [[GH-11975](https://github.com/hashicorp/vault/pull/11975)] 122* cli: Add support for response wrapping in `vault list` and `vault kv list` with output format other than `table`. [[GH-12031](https://github.com/hashicorp/vault/pull/12031)] 123* cli: vault delete and vault kv delete should support the same output options (e.g. -format) as vault write. [[GH-11992](https://github.com/hashicorp/vault/pull/11992)] 124* core (enterprise): Fix orphan return value from auth methods executed on performance standby nodes. 125* core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [[GH-11596](https://github.com/hashicorp/vault/pull/11596)] 126* core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation. 127* core/metrics: Add generic KV mount support for vault.kv.secret.count telemetry metric [[GH-12020](https://github.com/hashicorp/vault/pull/12020)] 128* core: Fix cleanup of storage entries from cubbyholes within namespaces. [[GH-11408](https://github.com/hashicorp/vault/pull/11408)] 129* core: Fix edge cases in the configuration endpoint for barrier key autorotation. [[GH-11541](https://github.com/hashicorp/vault/pull/11541)] 130* core: Fix goroutine leak when updating rate limit quota [[GH-11371](https://github.com/hashicorp/vault/pull/11371)] 131* core: Fix race that allowed remounting on path used by another mount [[GH-11453](https://github.com/hashicorp/vault/pull/11453)] 132* core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [[GH-11377](https://github.com/hashicorp/vault/pull/11377)] 133* core: Fixed double counting of http requests after operator stepdown [[GH-11970](https://github.com/hashicorp/vault/pull/11970)] 134* core: correct logic for renewal of leases nearing their expiration time. [[GH-11650](https://github.com/hashicorp/vault/pull/11650)] 135* identity: Use correct mount accessor when refreshing external group memberships. [[GH-11506](https://github.com/hashicorp/vault/pull/11506)] 136* mongo-db: default username template now strips invalid '.' characters [[GH-11872](https://github.com/hashicorp/vault/pull/11872)] 137* pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [[GH-11367](https://github.com/hashicorp/vault/pull/11367)] 138* replication: Fix panic trying to update walState during identity group invalidation. 139* replication: Fix: mounts created within a namespace that was part of an Allow 140 filtering rule would not appear on performance secondary if created after rule 141 was defined. 142* secret/pki: use case insensitive domain name comparison as per RFC1035 section 2.3.3 143* secret: fix the bug where transit encrypt batch doesn't work with key_version [[GH-11628](https://github.com/hashicorp/vault/pull/11628)] 144* secrets/ad: Forward all creds requests to active node [[GH-76](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/76)] [[GH-11836](https://github.com/hashicorp/vault/pull/11836)] 145* secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [[GH-11365](https://github.com/hashicorp/vault/pull/11365)] 146* secrets/database/cassandra: Fixed issue where the PEM parsing logic of `pem_bundle` and `pem_json` didn't work for CA-only configurations [[GH-11861](https://github.com/hashicorp/vault/pull/11861)] 147* secrets/database/cassandra: Updated default statement for password rotation to allow for special characters. This applies to root and static credentials. [[GH-11262](https://github.com/hashicorp/vault/pull/11262)] 148* secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [[GH-11451](https://github.com/hashicorp/vault/pull/11451)] 149* secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [[GH-12087](https://github.com/hashicorp/vault/pull/12087)] 150* secrets/database: Fixed minor race condition when rotate-root is called [[GH-11600](https://github.com/hashicorp/vault/pull/11600)] 151* secrets/database: Fixes issue for V4 database interface where `SetCredentials` wasn't falling back to using `RotateRootCredentials` if `SetCredentials` is `Unimplemented` [[GH-11585](https://github.com/hashicorp/vault/pull/11585)] 152* secrets/openldap: Fix bug where schema was not compatible with rotate-root [#24](https://github.com/hashicorp/vault-plugin-secrets-openldap/pull/24) [[GH-12019](https://github.com/hashicorp/vault/pull/12019)] 153* storage/dynamodb: Handle throttled batch write requests by retrying, without which writes could be lost. [[GH-10181](https://github.com/hashicorp/vault/pull/10181)] 154* storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [[GH-11247](https://github.com/hashicorp/vault/pull/11247)] 155* storage/raft: Tweak creation of vault.db file [[GH-12034](https://github.com/hashicorp/vault/pull/12034)] 156* storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [[GH-11252](https://github.com/hashicorp/vault/pull/11252)] 157* tokenutil: Perform the num uses check before token type. [[GH-11647](https://github.com/hashicorp/vault/pull/11647)] 158* transform (enterprise): Fix an issue with malformed transform configuration 159 storage when upgrading from 1.5 to 1.6. See Upgrade Notes for 1.6.x. 160* ui: Add role from database connection automatically populates the database for new role [[GH-11119](https://github.com/hashicorp/vault/pull/11119)] 161* ui: Add root rotation statements support to appropriate database secret engine plugins [[GH-11404](https://github.com/hashicorp/vault/pull/11404)] 162* ui: Automatically refresh the page when user logs out [[GH-12035](https://github.com/hashicorp/vault/pull/12035)] 163* ui: Fix Version History queryParams on LinkedBlock [[GH-12079](https://github.com/hashicorp/vault/pull/12079)] 164* ui: Fix bug where database secret engines with custom names cannot delete connections [[GH-11127](https://github.com/hashicorp/vault/pull/11127)] 165* ui: Fix bug where the UI does not recognize version 2 KV until refresh, and fix [object Object] error message [[GH-11258](https://github.com/hashicorp/vault/pull/11258)] 166* ui: Fix database role CG access [[GH-12111](https://github.com/hashicorp/vault/pull/12111)] 167* ui: Fix date display on expired token notice [[GH-11142](https://github.com/hashicorp/vault/pull/11142)] 168* ui: Fix entity group membership and metadata not showing [[GH-11641](https://github.com/hashicorp/vault/pull/11641)] 169* ui: Fix error message caused by control group [[GH-11143](https://github.com/hashicorp/vault/pull/11143)] 170* ui: Fix footer URL linking to the correct version changelog. [[GH-11283](https://github.com/hashicorp/vault/pull/11283)] 171* ui: Fix issue where logging in without namespace input causes error [[GH-11094](https://github.com/hashicorp/vault/pull/11094)] 172* ui: Fix namespace-bug on login [[GH-11182](https://github.com/hashicorp/vault/pull/11182)] 173* ui: Fix status menu no showing on login [[GH-11213](https://github.com/hashicorp/vault/pull/11213)] 174* ui: Fix text link URL on database roles list [[GH-11597](https://github.com/hashicorp/vault/pull/11597)] 175* ui: Fixed and updated lease renewal picker [[GH-11256](https://github.com/hashicorp/vault/pull/11256)] 176* ui: fix control group access for database credential [[GH-12024](https://github.com/hashicorp/vault/pull/12024)] 177* ui: fix issue where select-one option was not showing in secrets database role creation [[GH-11294](https://github.com/hashicorp/vault/pull/11294)] 178* ui: fix oidc login with Safari [[GH-11884](https://github.com/hashicorp/vault/pull/11884)] 179 180## 1.7.3 181### June 16th, 2021 182 183CHANGES: 184 185* go: Update go version to 1.15.13 [[GH-11857](https://github.com/hashicorp/vault/pull/11857)] 186 187IMPROVEMENTS: 188 189* db/cassandra: Added tls_server_name to specify server name for TLS validation [[GH-11820](https://github.com/hashicorp/vault/pull/11820)] 190* ui: Add specific error message if unseal fails due to license [[GH-11705](https://github.com/hashicorp/vault/pull/11705)] 191 192BUG FIXES: 193 194* auth/jwt: Updates the [hashicorp/cap](https://github.com/hashicorp/cap) library to `v0.1.0` to 195bring in a verification key caching fix. [[GH-11784](https://github.com/hashicorp/vault/pull/11784)] 196* core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation. 197* secret: fix the bug where transit encrypt batch doesn't work with key_version [[GH-11628](https://github.com/hashicorp/vault/pull/11628)] 198* secrets/ad: Forward all creds requests to active node [[GH-76](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/76)] [[GH-11836](https://github.com/hashicorp/vault/pull/11836)] 199* tokenutil: Perform the num uses check before token type. [[GH-11647](https://github.com/hashicorp/vault/pull/11647)] 200 201## 1.7.2 202### May 20th, 2021 203 204SECURITY: 205 206* Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token 207leases and dynamic secret leases with a zero-second TTL, causing them to be 208treated as non-expiring, and never revoked. This issue affects Vault and Vault 209Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 2101.7.2 (CVE-2021-32923). 211 212CHANGES: 213 214* agent: Update to use IAM Service Account Credentials endpoint for signing JWTs 215when using GCP Auto-Auth method [[GH-11473](https://github.com/hashicorp/vault/pull/11473)] 216* auth/gcp: Update to v0.9.1 to use IAM Service Account Credentials API for 217signing JWTs [[GH-11494](https://github.com/hashicorp/vault/pull/11494)] 218 219IMPROVEMENTS: 220 221* api, agent: LifetimeWatcher now does more retries when renewal failures occur. This also impacts Agent auto-auth and leases managed via Agent caching. [[GH-11445](https://github.com/hashicorp/vault/pull/11445)] 222* auth/aws: Underlying error included in validation failure message. [[GH-11638](https://github.com/hashicorp/vault/pull/11638)] 223* http: Add optional HTTP response headers for hostname and raft node ID [[GH-11289](https://github.com/hashicorp/vault/pull/11289)] 224* secrets/aws: add ability to provide a role session name when generating STS credentials [[GH-11345](https://github.com/hashicorp/vault/pull/11345)] 225* secrets/database/mongodb: Add ability to customize `SocketTimeout`, `ConnectTimeout`, and `ServerSelectionTimeout` [[GH-11600](https://github.com/hashicorp/vault/pull/11600)] 226* secrets/database/mongodb: Increased throughput by allowing for multiple request threads to simultaneously update users in MongoDB [[GH-11600](https://github.com/hashicorp/vault/pull/11600)] 227 228BUG FIXES: 229 230* agent/cert: Fix issue where the API client on agent was not honoring certificate 231information from the auto-auth config map on renewals or retries. [[GH-11576](https://github.com/hashicorp/vault/pull/11576)] 232* agent: Fixed agent templating to use configured tls servername values [[GH-11288](https://github.com/hashicorp/vault/pull/11288)] 233* core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [[GH-11596](https://github.com/hashicorp/vault/pull/11596)] 234* core: correct logic for renewal of leases nearing their expiration time. [[GH-11650](https://github.com/hashicorp/vault/pull/11650)] 235* identity: Use correct mount accessor when refreshing external group memberships. [[GH-11506](https://github.com/hashicorp/vault/pull/11506)] 236* replication: Fix panic trying to update walState during identity group invalidation. [[GH-1865](https://github.com/hashicorp/vault/pull/1865)] 237* secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [[GH-11451](https://github.com/hashicorp/vault/pull/11451)] 238* secrets/database: Fixed minor race condition when rotate-root is called [[GH-11600](https://github.com/hashicorp/vault/pull/11600)] 239* secrets/database: Fixes issue for V4 database interface where `SetCredentials` wasn't falling back to using `RotateRootCredentials` if `SetCredentials` is `Unimplemented` [[GH-11585](https://github.com/hashicorp/vault/pull/11585)] 240* secrets/keymgmt (enterprise): Fixes audit logging for the read key response. 241* storage/raft: Support cluster address change for nodes in a cluster managed by autopilot [[GH-11247](https://github.com/hashicorp/vault/pull/11247)] 242* ui: Fix entity group membership and metadata not showing [[GH-11641](https://github.com/hashicorp/vault/pull/11641)] 243* ui: Fix text link URL on database roles list [[GH-11597](https://github.com/hashicorp/vault/pull/11597)] 244 245## 1.7.1 246### 21 April 2021 247 248SECURITY: 249 250* The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the 251 Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions 252 1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668) 253* The Cassandra Database and Storage backends were not correctly verifying TLS certificates. This issue affects all 254 versions of Vault and Vault Enterprise and was fixed in versions 1.6.4, and 1.7.1. (CVE-2021-27400) 255 256CHANGES: 257 258* go: Update to Go 1.15.11 [[GH-11395](https://github.com/hashicorp/vault/pull/11395)] 259 260IMPROVEMENTS: 261 262* auth/jwt: Adds ability to directly provide service account JSON in G Suite provider config. [[GH-11388](https://github.com/hashicorp/vault/pull/11388)] 263* core: Add tls_max_version listener config option. [[GH-11226](https://github.com/hashicorp/vault/pull/11226)] 264* core: Add metrics for standby node forwarding. [[GH-11366](https://github.com/hashicorp/vault/pull/11366)] 265* core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [[GH-11364](https://github.com/hashicorp/vault/pull/11364)] 266* storage/raft: Support autopilot for HA only raft storage. [[GH-11260](https://github.com/hashicorp/vault/pull/11260)] 267 268BUG FIXES: 269 270* core: Fix cleanup of storage entries from cubbyholes within namespaces. [[GH-11408](https://github.com/hashicorp/vault/pull/11408)] 271* core: Fix goroutine leak when updating rate limit quota [[GH-11371](https://github.com/hashicorp/vault/pull/11371)] 272* core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [[GH-11377](https://github.com/hashicorp/vault/pull/11377)] 273* core: requests forwarded by standby weren't always timed out. [[GH-11322](https://github.com/hashicorp/vault/pull/11322)] 274* pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [[GH-11367](https://github.com/hashicorp/vault/pull/11367)] 275* replication: Fix: mounts created within a namespace that was part of an Allow 276 filtering rule would not appear on performance secondary if created after rule 277 was defined. 278* replication: Perf standby nodes on newly enabled DR secondary sometimes couldn't connect to active node with TLS errors. [[GH-1823](https://github.com/hashicorp/vault/pull/1823)] 279* secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [[GH-11365](https://github.com/hashicorp/vault/pull/11365)] 280* secrets/database/cassandra: Updated default statement for password rotation to allow for special characters. This applies to root and static credentials. [[GH-11262](https://github.com/hashicorp/vault/pull/11262)] 281* storage/dynamodb: Handle throttled batch write requests by retrying, without which writes could be lost. [[GH-10181](https://github.com/hashicorp/vault/pull/10181)] 282* storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [[GH-11252](https://github.com/hashicorp/vault/pull/11252)] 283* ui: Add root rotation statements support to appropriate database secret engine plugins [[GH-11404](https://github.com/hashicorp/vault/pull/11404)] 284* ui: Fix bug where the UI does not recognize version 2 KV until refresh, and fix [object Object] error message [[GH-11258](https://github.com/hashicorp/vault/pull/11258)] 285* ui: Fix OIDC bug seen when running on HCP [[GH-11283](https://github.com/hashicorp/vault/pull/11283)] 286* ui: Fix namespace-bug on login [[GH-11182](https://github.com/hashicorp/vault/pull/11182)] 287* ui: Fix status menu no showing on login [[GH-11213](https://github.com/hashicorp/vault/pull/11213)] 288* ui: fix issue where select-one option was not showing in secrets database role creation [[GH-11294](https://github.com/hashicorp/vault/pull/11294)] 289 290## 1.7.0 291### 24 March 2021 292 293CHANGES: 294 295* agent: Failed auto-auth attempts are now throttled by an exponential backoff instead of the 296~2 second retry delay. The maximum backoff may be configured with the new `max_backoff` parameter, 297which defaults to 5 minutes. [[GH-10964](https://github.com/hashicorp/vault/pull/10964)] 298* aws/auth: AWS Auth concepts and endpoints that use the "whitelist" and "blacklist" terms 299have been updated to more inclusive language (e.g. `/auth/aws/identity-whitelist` has been 300updated to`/auth/aws/identity-accesslist`). The old and new endpoints are aliases, 301sharing the same underlying data. The legacy endpoint names are considered **deprecated** 302and will be removed in a future release (not before Vault 1.9). The complete list of 303endpoint changes is available in the [AWS Auth API docs](/api-docs/auth/aws#deprecations-effective-in-vault-1-7). 304* go: Update Go version to 1.15.10 [[GH-11114](https://github.com/hashicorp/vault/pull/11114)] [[GH-11173](https://github.com/hashicorp/vault/pull/11173)] 305 306FEATURES: 307 308* **Aerospike Storage Backend**: Add support for using Aerospike as a storage backend [[GH-10131](https://github.com/hashicorp/vault/pull/10131)] 309* **Autopilot for Integrated Storage**: A set of features has been added to allow for automatic operator-friendly management of Vault servers. This is only applicable when integrated storage is in use. 310 * **Dead Server Cleanup**: Dead servers will periodically be cleaned up and removed from the Raft peer set, to prevent them from interfering with the quorum size and leader elections. 311 * **Server Health Checking**: An API has been added to track the state of servers, including their health. 312 * **New Server Stabilization**: When a new server is added to the cluster, there will be a waiting period where it must be healthy and stable for a certain amount of time before being promoted to a full, voting member. 313* **Tokenization Secrets Engine (Enterprise)**: The Tokenization Secrets Engine is now generally available. We have added support for MySQL, key rotation, and snapshot/restore. 314* agent: Support for persisting the agent cache to disk [[GH-10938](https://github.com/hashicorp/vault/pull/10938)] 315* auth/jwt: Adds `max_age` role parameter and `auth_time` claim validation. [[GH-10919](https://github.com/hashicorp/vault/pull/10919)] 316* core (enterprise): X-Vault-Index and related headers can be used by clients to manage eventual consistency. 317* kmip (enterprise): Use entropy augmentation to generate kmip certificates 318* sdk: Private key generation in the certutil package now allows custom io.Readers to be used. [[GH-10653](https://github.com/hashicorp/vault/pull/10653)] 319* secrets/aws: add IAM tagging support for iam_user roles [[GH-10953](https://github.com/hashicorp/vault/pull/10953)] 320* secrets/database/cassandra: Add ability to customize dynamic usernames [[GH-10906](https://github.com/hashicorp/vault/pull/10906)] 321* secrets/database/couchbase: Add ability to customize dynamic usernames [[GH-10995](https://github.com/hashicorp/vault/pull/10995)] 322* secrets/database/mongodb: Add ability to customize dynamic usernames [[GH-10858](https://github.com/hashicorp/vault/pull/10858)] 323* secrets/database/mssql: Add ability to customize dynamic usernames [[GH-10767](https://github.com/hashicorp/vault/pull/10767)] 324* secrets/database/mysql: Add ability to customize dynamic usernames [[GH-10834](https://github.com/hashicorp/vault/pull/10834)] 325* secrets/database/postgresql: Add ability to customize dynamic usernames [[GH-10766](https://github.com/hashicorp/vault/pull/10766)] 326* secrets/db/snowflake: Added support for Snowflake to the Database Secret Engine [[GH-10603](https://github.com/hashicorp/vault/pull/10603)] 327* secrets/keymgmt (enterprise): Adds beta support for distributing and managing keys in AWS KMS. 328* secrets/keymgmt (enterprise): Adds general availability for distributing and managing keys in Azure Key Vault. 329* secrets/openldap: Added dynamic roles to OpenLDAP similar to the combined database engine [[GH-10996](https://github.com/hashicorp/vault/pull/10996)] 330* secrets/terraform: New secret engine for managing Terraform Cloud API tokens [[GH-10931](https://github.com/hashicorp/vault/pull/10931)] 331* ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [[GH-10588](https://github.com/hashicorp/vault/pull/10588)] 332* ui: Adds the wizard to the Database Secret Engine [[GH-10982](https://github.com/hashicorp/vault/pull/10982)] 333* ui: Database secrets engine, supporting MongoDB only [[GH-10655](https://github.com/hashicorp/vault/pull/10655)] 334 335IMPROVEMENTS: 336 337* agent: Add a `vault.retry` stanza that allows specifying number of retries on failure; this applies both to templating and proxied requests. [[GH-11113](https://github.com/hashicorp/vault/pull/11113)] 338* agent: Agent can now run as a Windows service. [[GH-10231](https://github.com/hashicorp/vault/pull/10231)] 339* agent: Better concurrent request handling on identical requests proxied through Agent. [[GH-10705](https://github.com/hashicorp/vault/pull/10705)] 340* agent: Route templating server through cache when persistent cache is enabled. [[GH-10927](https://github.com/hashicorp/vault/pull/10927)] 341* agent: change auto-auth to preload an existing token on start [[GH-10850](https://github.com/hashicorp/vault/pull/10850)] 342* auth/approle: Secrets ID generation endpoint now returns `secret_id_ttl` as part of its response. [[GH-10826](https://github.com/hashicorp/vault/pull/10826)] 343* auth/ldap: Improve consistency in error messages [[GH-10537](https://github.com/hashicorp/vault/pull/10537)] 344* auth/okta: Adds support for Okta Verify TOTP MFA. [[GH-10942](https://github.com/hashicorp/vault/pull/10942)] 345* changelog: Add dependencies listed in dependencies/2-25-21 [[GH-11015](https://github.com/hashicorp/vault/pull/11015)] 346* command/debug: Now collects logs (at level `trace`) as a periodic output. [[GH-10609](https://github.com/hashicorp/vault/pull/10609)] 347* core (enterprise): "vault status" command works when a namespace is set. [[GH-10725](https://github.com/hashicorp/vault/pull/10725)] 348* core (enterprise): Update Trial Enterprise license from 30 minutes to 6 hours 349* core/metrics: Added "vault operator usage" command. [[GH-10365](https://github.com/hashicorp/vault/pull/10365)] 350* core/metrics: New telemetry metrics reporting lease expirations by time interval and namespace [[GH-10375](https://github.com/hashicorp/vault/pull/10375)] 351* core: Added active since timestamp to the status output of active nodes. [[GH-10489](https://github.com/hashicorp/vault/pull/10489)] 352* core: Check audit device with a test message before adding it. [[GH-10520](https://github.com/hashicorp/vault/pull/10520)] 353* core: Track barrier encryption count and automatically rotate after a large number of operations or on a schedule [[GH-10774](https://github.com/hashicorp/vault/pull/10774)] 354* core: add metrics for active entity count [[GH-10514](https://github.com/hashicorp/vault/pull/10514)] 355* core: add partial month client count api [[GH-11022](https://github.com/hashicorp/vault/pull/11022)] 356* core: dev mode listener allows unauthenticated sys/metrics requests [[GH-10992](https://github.com/hashicorp/vault/pull/10992)] 357* core: reduce memory used by leases [[GH-10726](https://github.com/hashicorp/vault/pull/10726)] 358* secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [[GH-10558](https://github.com/hashicorp/vault/pull/10558)] 359* storage/raft (enterprise): Listing of peers is now allowed on DR secondary 360cluster nodes, as an update operation that takes in DR operation token for 361authenticating the request. 362* transform (enterprise): Improve FPE transformation performance 363* transform (enterprise): Use transactions with batch tokenization operations for improved performance 364* ui: Clarify language on usage metrics page empty state [[GH-10951](https://github.com/hashicorp/vault/pull/10951)] 365* ui: Customize MongoDB input fields on Database Secrets Engine [[GH-10949](https://github.com/hashicorp/vault/pull/10949)] 366* ui: Upgrade Ember-cli from 3.8 to 3.22. [[GH-9972](https://github.com/hashicorp/vault/pull/9972)] 367* ui: Upgrade Storybook from 5.3.19 to 6.1.17. [[GH-10904](https://github.com/hashicorp/vault/pull/10904)] 368* ui: Upgrade date-fns from 1.3.0 to 2.16.1. [[GH-10848](https://github.com/hashicorp/vault/pull/10848)] 369* ui: Upgrade dependencies to resolve potential JS vulnerabilities [[GH-10677](https://github.com/hashicorp/vault/pull/10677)] 370* ui: better errors on Database secrets engine role create [[GH-10980](https://github.com/hashicorp/vault/pull/10980)] 371 372BUG FIXES: 373 374* agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [[GH-10556](https://github.com/hashicorp/vault/pull/10556)] 375* agent: Set TokenParent correctly in the Index to be cached. [[GH-10833](https://github.com/hashicorp/vault/pull/10833)] 376* agent: Set namespace for template server in agent. [[GH-10757](https://github.com/hashicorp/vault/pull/10757)] 377* api/sys/config/ui: Fixes issue where multiple UI custom header values are ignored and only the first given value is used [[GH-10490](https://github.com/hashicorp/vault/pull/10490)] 378* api: Fixes CORS API methods that were outdated and invalid [[GH-10444](https://github.com/hashicorp/vault/pull/10444)] 379* auth/jwt: Fixes `bound_claims` validation for provider-specific group and user info fetching. [[GH-10546](https://github.com/hashicorp/vault/pull/10546)] 380* auth/jwt: Fixes an issue where JWT verification keys weren't updated after a `jwks_url` change. [[GH-10919](https://github.com/hashicorp/vault/pull/10919)] 381* auth/jwt: Fixes an issue where `jwt_supported_algs` were not being validated for JWT auth using 382`jwks_url` and `jwt_validation_pubkeys`. [[GH-10919](https://github.com/hashicorp/vault/pull/10919)] 383* auth/oci: Fixes alias name to use the role name, and not the literal string `name` [[GH-10](https://github.com/hashicorp/vault-plugin-auth-oci/pull/10)] [[GH-10952](https://github.com/hashicorp/vault/pull/10952)] 384* consul-template: Update consul-template vendor version and associated dependencies to master, 385pulling in https://github.com/hashicorp/consul-template/pull/1447 [[GH-10756](https://github.com/hashicorp/vault/pull/10756)] 386* core (enterprise): Limit entropy augmentation during token generation to root tokens. [[GH-10487](https://github.com/hashicorp/vault/pull/10487)] 387* core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace. 388* core/identity: Fix deadlock in entity merge endpoint. [[GH-10877](https://github.com/hashicorp/vault/pull/10877)] 389* core: Avoid disclosing IP addresses in the errors of unauthenticated requests [[GH-10579](https://github.com/hashicorp/vault/pull/10579)] 390* core: Fix client.Clone() to include the address [[GH-10077](https://github.com/hashicorp/vault/pull/10077)] 391* core: Fix duplicate quotas on performance standby nodes. [[GH-10855](https://github.com/hashicorp/vault/pull/10855)] 392* core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring `purgeInterval` and 393`staleAge` are set appropriately. [[GH-10536](https://github.com/hashicorp/vault/pull/10536)] 394* core: Make all APIs that report init status consistent, and make them report 395initialized=true when a Raft join is in progress. [[GH-10498](https://github.com/hashicorp/vault/pull/10498)] 396* core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [[GH-10650](https://github.com/hashicorp/vault/pull/10650)] 397* core: Turn off case sensitivity for allowed entity alias check during token create operation. [[GH-10743](https://github.com/hashicorp/vault/pull/10743)] 398* http: change max_request_size to be unlimited when the config value is less than 0 [[GH-10072](https://github.com/hashicorp/vault/pull/10072)] 399* license: Fix license caching issue that prevents new licenses to get picked up by the license manager [[GH-10424](https://github.com/hashicorp/vault/pull/10424)] 400* metrics: Protect emitMetrics from panicking during post-seal [[GH-10708](https://github.com/hashicorp/vault/pull/10708)] 401* quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [[GH-10689](https://github.com/hashicorp/vault/pull/10689)] 402* replication (enterprise): Fix bug with not starting merkle sync while requests are in progress 403* secrets/database/influxdb: Fix issue where not all errors from InfluxDB were being handled [[GH-10384](https://github.com/hashicorp/vault/pull/10384)] 404* secrets/database/mysql: Fixes issue where the DisplayName within generated usernames was the incorrect length [[GH-10433](https://github.com/hashicorp/vault/pull/10433)] 405* secrets/database: Sanitize `private_key` field when reading database plugin config [[GH-10416](https://github.com/hashicorp/vault/pull/10416)] 406* secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [[GH-10759](https://github.com/hashicorp/vault/pull/10759)] 407* secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [[GH-10386](https://github.com/hashicorp/vault/pull/10386)] 408* serviceregistration: Fix race during shutdown of Consul service registration. [[GH-10901](https://github.com/hashicorp/vault/pull/10901)] 409* storage/raft (enterprise): Automated snapshots with Azure required specifying 410`azure_blob_environment`, which should have had as a default `AZUREPUBLICCLOUD`. 411* storage/raft (enterprise): Reading a non-existent auto snapshot config now returns 404. 412* storage/raft (enterprise): The parameter aws_s3_server_kms_key was misnamed and 413didn't work. Renamed to aws_s3_kms_key, and make it work so that when provided 414the given key will be used to encrypt the snapshot using AWS KMS. 415* transform (enterprise): Fix bug tokenization handling metadata on exportable stores 416* transform (enterprise): Fix bug where tokenization store changes are persisted but don't take effect 417* transform (enterprise): Fix transform configuration not handling `stores` parameter on the legacy path 418* transform (enterprise): Make expiration timestamps human readable 419* transform (enterprise): Return false for invalid tokens on the validate endpoint rather than returning an HTTP error 420* ui: Add role from database connection automatically populates the database for new role [[GH-11119](https://github.com/hashicorp/vault/pull/11119)] 421* ui: Fix bug in Transform secret engine when a new role is added and then removed from a transformation [[GH-10417](https://github.com/hashicorp/vault/pull/10417)] 422* ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [[GH-10596](https://github.com/hashicorp/vault/pull/10596)] 423* ui: Fix expected response from feature-flags endpoint [[GH-10684](https://github.com/hashicorp/vault/pull/10684)] 424* ui: Fix footer URL linking to the correct version changelog. [[GH-10491](https://github.com/hashicorp/vault/pull/10491)] 425 426DEPRECATIONS: 427* aws/auth: AWS Auth endpoints that use the "whitelist" and "blacklist" terms have been deprecated. 428Refer to the CHANGES section for additional details. 429 430## 1.6.5 431### May 20th, 2021 432 433SECURITY: 434 435* Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token 436leases and dynamic secret leases with a zero-second TTL, causing them to be 437treated as non-expiring, and never revoked. This issue affects Vault and Vault 438Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 4391.7.2 (CVE-2021-32923). 440 441CHANGES: 442 443* agent: Update to use IAM Service Account Credentials endpoint for signing JWTs 444when using GCP Auto-Auth method [[GH-11473](https://github.com/hashicorp/vault/pull/11473)] 445* auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials API for 446signing JWTs [[GH-11498](https://github.com/hashicorp/vault/pull/11498)] 447 448BUG FIXES: 449 450* core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [[GH-11596](https://github.com/hashicorp/vault/pull/11596)] 451* core: correct logic for renewal of leases nearing their expiration time. [[GH-11650](https://github.com/hashicorp/vault/pull/11650)] 452* secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [[GH-11451](https://github.com/hashicorp/vault/pull/11451)] 453* secrets/database: Fixes issue for V4 database interface where `SetCredentials` wasn't falling back to using `RotateRootCredentials` if `SetCredentials` is `Unimplemented` [[GH-11585](https://github.com/hashicorp/vault/pull/11585)] 454* ui: Fix namespace-bug on login [[GH-11182](https://github.com/hashicorp/vault/pull/11182)] 455 456## 1.6.4 457### 21 April 2021 458 459SECURITY: 460 461* The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the 462 Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions 463 1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668) 464* The Cassandra Database and Storage backends were not correctly verifying TLS certificates. This issue affects all 465 versions of Vault and Vault Enterprise and was fixed in versions 1.6.4, and 1.7.1. (CVE-2021-27400) 466 467CHANGES: 468 469* go: Update to Go 1.15.11 [[GH-11396](https://github.com/hashicorp/vault/pull/11396)] 470 471IMPROVEMENTS: 472 473* command/debug: Now collects logs (at level `trace`) as a periodic output. [[GH-10609](https://github.com/hashicorp/vault/pull/10609)] 474* core: Add tls_max_version listener config option. [[GH-11226](https://github.com/hashicorp/vault/pull/11226)] 475* core: allow arbitrary length stack traces upon receiving SIGUSR2 (was 32MB) [[GH-11364](https://github.com/hashicorp/vault/pull/11364)] 476 477BUG FIXES: 478 479* core: Fix cleanup of storage entries from cubbyholes within namespaces. [[GH-11408](https://github.com/hashicorp/vault/pull/11408)] 480* core: Fix goroutine leak when updating rate limit quota [[GH-11371](https://github.com/hashicorp/vault/pull/11371)] 481* core: Fix storage entry leak when revoking leases created with non-orphan batch tokens. [[GH-11377](https://github.com/hashicorp/vault/pull/11377)] 482* pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [[GH-11367](https://github.com/hashicorp/vault/pull/11367)] 483* pki: Preserve ordering of all DN attribute values when issuing certificates [[GH-11259](https://github.com/hashicorp/vault/pull/11259)] 484* replication: Fix: mounts created within a namespace that was part of an Allow 485 filtering rule would not appear on performance secondary if created after rule 486 was defined. 487* secrets/database/cassandra: Fixed issue where hostnames were not being validated when using TLS [[GH-11365](https://github.com/hashicorp/vault/pull/11365)] 488* storage/raft: leader_tls_servername wasn't used unless leader_ca_cert_file and/or mTLS were configured. [[GH-11252](https://github.com/hashicorp/vault/pull/11252)] 489 490 491## 1.6.3 492### February 25, 2021 493 494SECURITY: 495 496* Limited Unauthenticated License Metadata Read: We addressed a security vulnerability that allowed for the unauthenticated 497reading of Vault license metadata from DR Secondaries. This vulnerability affects Vault Enterprise and is 498fixed in 1.6.3 (CVE-2021-27668). 499 500CHANGES: 501 502* secrets/mongodbatlas: Move from whitelist to access list API [[GH-10966](https://github.com/hashicorp/vault/pull/10966)] 503 504IMPROVEMENTS: 505 506* ui: Clarify language on usage metrics page empty state [[GH-10951](https://github.com/hashicorp/vault/pull/10951)] 507 508BUG FIXES: 509 510* auth/kubernetes: Cancel API calls to TokenReview endpoint when request context 511is closed [[GH-10930](https://github.com/hashicorp/vault/pull/10930)] 512* core/identity: Fix deadlock in entity merge endpoint. [[GH-10877](https://github.com/hashicorp/vault/pull/10877)] 513* quotas: Fix duplicate quotas on performance standby nodes. [[GH-10855](https://github.com/hashicorp/vault/pull/10855)] 514* quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [[GH-10689](https://github.com/hashicorp/vault/pull/10689)] 515* replication (enterprise): Don't write request count data on DR Secondaries. 516Fixes DR Secondaries becoming out of sync approximately every 30s. [[GH-10970](https://github.com/hashicorp/vault/pull/10970)] 517* secrets/azure (enterprise): Forward service principal credential creation to the 518primary cluster if called on a performance standby or performance secondary. [[GH-10902](https://github.com/hashicorp/vault/pull/10902)] 519 520## 1.6.2 521### January 29, 2021 522 523SECURITY: 524 525* IP Address Disclosure: We fixed a vulnerability where, under some error 526conditions, Vault would return an error message disclosing internal IP 527addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in 5281.6.2 (CVE-2021-3024). 529* Limited Unauthenticated Remove Peer: As of Vault 1.6, the remove-peer command 530on DR secondaries did not require authentication. This issue impacts the 531stability of HA architecture, as a bad actor could remove all standby 532nodes from a DR 533secondary. This issue affects Vault Enterprise 1.6.0 and 1.6.1, and is fixed in 5341.6.2 (CVE-2021-3282). 535* Mount Path Disclosure: Vault previously returned different HTTP status codes for 536existent and non-existent mount paths. This behavior would allow unauthenticated 537brute force attacks to reveal which paths had valid mounts. This issue affects 538Vault and Vault Enterprise and is fixed in 1.6.2 (CVE-2020-25594). 539 540CHANGES: 541 542* go: Update go version to 1.15.7 [[GH-10730](https://github.com/hashicorp/vault/pull/10730)] 543 544FEATURES: 545 546* ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [[GH-10588](https://github.com/hashicorp/vault/pull/10588)] 547 548IMPROVEMENTS: 549 550* core (enterprise): "vault status" command works when a namespace is set. [[GH-10725](https://github.com/hashicorp/vault/pull/10725)] 551* core: reduce memory used by leases [[GH-10726](https://github.com/hashicorp/vault/pull/10726)] 552* storage/raft (enterprise): Listing of peers is now allowed on DR secondary 553cluster nodes, as an update operation that takes in DR operation token for 554authenticating the request. 555* core: allow setting tls_servername for raft retry/auto-join [[GH-10698](https://github.com/hashicorp/vault/pull/10698)] 556 557BUG FIXES: 558 559* agent: Set namespace for template server in agent. [[GH-10757](https://github.com/hashicorp/vault/pull/10757)] 560* core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [[GH-10650](https://github.com/hashicorp/vault/pull/10650)] 561* metrics: Protect emitMetrics from panicking during post-seal [[GH-10708](https://github.com/hashicorp/vault/pull/10708)] 562* secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [[GH-10759](https://github.com/hashicorp/vault/pull/10759)] 563* storage/raft (enterprise): Automated snapshots with Azure required specifying 564`azure_blob_environment`, which should have had as a default `AZUREPUBLICCLOUD`. 565* storage/raft (enterprise): Autosnapshots config and storage weren't excluded from 566performance replication, causing conflicts and errors. 567* ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [[GH-10596](https://github.com/hashicorp/vault/pull/10596)] 568* ui: Fix expected response from feature-flags endpoint [[GH-10684](https://github.com/hashicorp/vault/pull/10684)] 569 570## 1.6.1 571### December 16, 2020 572 573SECURITY: 574 575* LDAP Auth Method: We addressed an issue where error messages returned by the 576 LDAP auth method allowed user enumeration [[GH-10537](https://github.com/hashicorp/vault/pull/10537)]. This vulnerability affects Vault OSS and Vault 577 Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177). 578* Sentinel EGP: We've fixed incorrect handling of namespace paths to prevent 579 users within namespaces from applying Sentinel EGP policies to paths above 580 their namespace. This vulnerability affects Vault Enterprise and is fixed in 581 1.5.6 and 1.6.1 (CVE-2020-35453). 582 583IMPROVEMENTS: 584 585* auth/ldap: Improve consistency in error messages [[GH-10537](https://github.com/hashicorp/vault/pull/10537)] 586* core/metrics: Added "vault operator usage" command. [[GH-10365](https://github.com/hashicorp/vault/pull/10365)] 587* secrets/gcp: Truncate ServiceAccount display names longer than 100 characters. [[GH-10558](https://github.com/hashicorp/vault/pull/10558)] 588 589BUG FIXES: 590 591* agent: Only set the namespace if the VAULT_NAMESPACE env var isn't present [[GH-10556](https://github.com/hashicorp/vault/pull/10556)] 592* auth/jwt: Fixes `bound_claims` validation for provider-specific group and user info fetching. [[GH-10546](https://github.com/hashicorp/vault/pull/10546)] 593* core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace. 594* core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [[GH-10456](https://github.com/hashicorp/vault/pull/10456)] 595* core: Fix client.Clone() to include the address [[GH-10077](https://github.com/hashicorp/vault/pull/10077)] 596* core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by ensuring `purgeInterval` and 597`staleAge` are set appropriately. [[GH-10536](https://github.com/hashicorp/vault/pull/10536)] 598* core: Make all APIs that report init status consistent, and make them report 599initialized=true when a Raft join is in progress. [[GH-10498](https://github.com/hashicorp/vault/pull/10498)] 600* secrets/database/influxdb: Fix issue where not all errors from InfluxDB were being handled [[GH-10384](https://github.com/hashicorp/vault/pull/10384)] 601* secrets/database/mysql: Fixes issue where the DisplayName within generated usernames was the incorrect length [[GH-10433](https://github.com/hashicorp/vault/pull/10433)] 602* secrets/database: Sanitize `private_key` field when reading database plugin config [[GH-10416](https://github.com/hashicorp/vault/pull/10416)] 603* secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [[GH-10386](https://github.com/hashicorp/vault/pull/10386)] 604* storage/raft (enterprise): The parameter aws_s3_server_kms_key was misnamed and didn't work. Renamed to aws_s3_kms_key, and make it work so that when provided the given key will be used to encrypt the snapshot using AWS KMS. 605* transform (enterprise): Fix bug tokenization handling metadata on exportable stores 606* transform (enterprise): Fix transform configuration not handling `stores` parameter on the legacy path 607* transform (enterprise): Make expiration timestamps human readable 608* transform (enterprise): Return false for invalid tokens on the validate endpoint rather than returning an HTTP error 609* transform (enterprise): Fix bug where tokenization store changes are persisted but don't take effect 610* ui: Fix bug in Transform secret engine when a new role is added and then removed from a transformation [[GH-10417](https://github.com/hashicorp/vault/pull/10417)] 611* ui: Fix footer URL linking to the correct version changelog. [[GH-10491](https://github.com/hashicorp/vault/pull/10491)] 612* ui: Fox radio click on secrets and auth list pages. [[GH-10586](https://github.com/hashicorp/vault/pull/10586)] 613 614## 1.6.0 615### November 11th, 2020 616 617NOTE: 618 619Binaries for 32-bit macOS (i.e. the `darwin_386` build) will no longer be published. This target was dropped in the latest version of the Go compiler. 620 621CHANGES: 622 623* agent: Agent now properly returns a non-zero exit code on error, such as one due to template rendering failure. Using `error_on_missing_key` in the template config will cause agent to immediately exit on failure. In order to make agent properly exit due to continuous failure from template rendering errors, the old behavior of indefinitely restarting the template server is now changed to exit once the default retry attempt of 12 times (with exponential backoff) gets exhausted. [[GH-9670](https://github.com/hashicorp/vault/pull/9670)] 624* token: Periodic tokens generated by auth methods will have the period value stored in its token entry. [[GH-7885](https://github.com/hashicorp/vault/pull/7885)] 625* core: New telemetry metrics reporting mount table size and number of entries [[GH-10201](https://github.com/hashicorp/vault/pull/10201)] 626* go: Updated Go version to 1.15.4 [[GH-10366](https://github.com/hashicorp/vault/pull/10366)] 627 628FEATURES: 629 630* **Couchbase Secrets**: Vault can now manage static and dynamic credentials for Couchbase. [[GH-9664](https://github.com/hashicorp/vault/pull/9664)] 631* **Expanded Password Policy Support**: Custom password policies are now supported for all database engines. 632* **Integrated Storage Auto Snapshots (Enterprise)**: This feature enables an operator to schedule snapshots of the integrated storage backend and ensure those snapshots are persisted elsewhere. 633* **Integrated Storage Cloud Auto Join**: This feature for integrated storage enables Vault nodes running in the cloud to automatically discover and join a Vault cluster via operator-supplied metadata. 634* **Key Management Secrets Engine (Enterprise; Tech Preview)**: This new secret engine allows securely distributing and managing keys to Azure cloud KMS services. 635* **Seal Migration**: With Vault 1.6, we will support migrating from an auto unseal mechanism to a different mechanism of the same type. For example, if you were using an AWS KMS key to automatically unseal, you can now migrate to a different AWS KMS key. 636* **Tokenization (Enterprise; Tech Preview)**: Tokenization supports creating irreversible “tokens” from sensitive data. Tokens can be used in less secure environments, protecting the original data. 637* **Vault Client Count**: Vault now counts the number of active entities (and non-entity tokens) per month and makes this information available via the "Metrics" section of the UI. 638 639IMPROVEMENTS: 640 641* auth/approle: Role names can now be referenced in templated policies through the `approle.metadata.role_name` property [[GH-9529](https://github.com/hashicorp/vault/pull/9529)] 642* auth/aws: Improve logic check on wildcard `BoundIamPrincipalARNs` and include role name on error messages on check failure [[GH-10036](https://github.com/hashicorp/vault/pull/10036)] 643* auth/jwt: Add support for fetching groups and user information from G Suite during authentication. [[GH-123](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/123)] 644* auth/jwt: Adding EdDSA (ed25519) to supported algorithms [[GH-129](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/129)] 645* auth/jwt: Improve cli authorization error [[GH-137](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/137)] 646* auth/jwt: Add OIDC namespace_in_state option [[GH-140](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/140)] 647* secrets/transit: fix missing plaintext in bulk decrypt response [[GH-9991](https://github.com/hashicorp/vault/pull/9991)] 648* command/server: Delay informational messages in -dev mode until logs have settled. [[GH-9702](https://github.com/hashicorp/vault/pull/9702)] 649* command/server: Add environment variable support for `disable_mlock`. [[GH-9931](https://github.com/hashicorp/vault/pull/9931)] 650* core/metrics: Add metrics for storage cache [[GH_10079](https://github.com/hashicorp/vault/pull/10079)] 651* core/metrics: Add metrics for leader status [[GH 10147](https://github.com/hashicorp/vault/pull/10147)] 652* physical/azure: Add the ability to use Azure Instance Metadata Service to set the credentials for Azure Blob storage on the backend. [[GH-10189](https://github.com/hashicorp/vault/pull/10189)] 653* sdk/framework: Add a time type for API fields. [[GH-9911](https://github.com/hashicorp/vault/pull/9911)] 654* secrets/database: Added support for password policies to all databases [[GH-9641](https://github.com/hashicorp/vault/pull/9641), 655 [and more](https://github.com/hashicorp/vault/pulls?q=is%3Apr+is%3Amerged+dbpw)] 656* secrets/database/cassandra: Added support for static credential rotation [[GH-10051](https://github.com/hashicorp/vault/pull/10051)] 657* secrets/database/elasticsearch: Added support for static credential rotation [[GH-19](https://github.com/hashicorp/vault-plugin-database-elasticsearch/pull/19)] 658* secrets/database/hanadb: Added support for root credential & static credential rotation [[GH-10142](https://github.com/hashicorp/vault/pull/10142)] 659* secrets/database/hanadb: Default password generation now includes dashes. Custom statements may need to be updated 660 to include quotes around the password field [[GH-10142](https://github.com/hashicorp/vault/pull/10142)] 661* secrets/database/influxdb: Added support for static credential rotation [[GH-10118](https://github.com/hashicorp/vault/pull/10118)] 662* secrets/database/mongodbatlas: Added support for root credential rotation [[GH-14](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/14)] 663* secrets/database/mongodbatlas: Support scopes field in creations statements for MongoDB Atlas database plugin [[GH-15](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/15)] 664* seal/awskms: Add logging during awskms auto-unseal [[GH-9794](https://github.com/hashicorp/vault/pull/9794)] 665* storage/azure: Update SDK library to use [azure-storage-blob-go](https://github.com/Azure/azure-storage-blob-go) since previous library has been deprecated. [[GH-9577](https://github.com/hashicorp/vault/pull/9577/)] 666* secrets/ad: `rotate-root` now supports POST requests like other secret engines [[GH-70](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/70)] 667* ui: Add ui functionality for the Transform Secret Engine [[GH-9665](https://github.com/hashicorp/vault/pull/9665)] 668* ui: Pricing metrics dashboard [[GH-10049](https://github.com/hashicorp/vault/pull/10049)] 669 670BUG FIXES: 671 672* auth/jwt: Fix bug preventing config edit UI from rendering [[GH-141](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/141)] 673* cli: Don't open or overwrite a raft snapshot file on an unsuccessful `vault operator raft snapshot` [[GH-9894](https://github.com/hashicorp/vault/pull/9894)] 674* core: Implement constant time version of shamir GF(2^8) math [[GH-9932](https://github.com/hashicorp/vault/pull/9932)] 675* core: Fix resource leak in plugin API (plugin-dependent, not all plugins impacted) [[GH-9557](https://github.com/hashicorp/vault/pull/9557)] 676* core: Fix race involved in enabling certain features via a license change 677* core: Fix error handling in HCL parsing of objects with invalid syntax [[GH-410](https://github.com/hashicorp/hcl/pull/410)] 678* identity: Check for timeouts in entity API [[GH-9925](https://github.com/hashicorp/vault/pull/9925)] 679* secrets/database: Fix handling of TLS options in mongodb connection strings [[GH-9519](https://github.com/hashicorp/vault/pull/9519)] 680* secrets/gcp: Ensure that the IAM policy version is appropriately set after a roleset's bindings have changed. [[GH-93](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/93)] 681* ui: Mask LDAP bindpass while typing [[GH-10087](https://github.com/hashicorp/vault/pull/10087)] 682* ui: Update language in promote dr modal flow [[GH-10155](https://github.com/hashicorp/vault/pull/10155)] 683* ui: Update language on replication primary dashboard for clarity [[GH-10205](https://github.com/hashicorp/vault/pull/10217)] 684* core: Fix bug where updating an existing path quota could introduce a conflict. [[GH-10285](https://github.com/hashicorp/vault/pull/10285)] 685 686## 1.5.9 687### May 20th, 2021 688 689SECURITY: 690 691* Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token 692leases and dynamic secret leases with a zero-second TTL, causing them to be 693treated as non-expiring, and never revoked. This issue affects Vault and Vault 694Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and 6951.7.2 (CVE-2021-32923). 696 697CHANGES: 698 699* agent: Update to use IAM Service Account Credentials endpoint for signing JWTs 700when using GCP Auto-Auth method [[GH-11473](https://github.com/hashicorp/vault/pull/11473)] 701* auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for 702signing JWTs [[GH-11499](https://github.com/hashicorp/vault/pull/11499)] 703 704BUG FIXES: 705 706* core: correct logic for renewal of leases nearing their expiration time. [[GH-11650](https://github.com/hashicorp/vault/pull/11650)] 707 708## 1.5.8 709### 21 April 2021 710 711SECURITY: 712 713* The PKI Secrets Engine tidy functionality may cause Vault to exclude revoked-but-unexpired certificates from the 714 Vault CRL. This vulnerability affects Vault and Vault Enterprise 1.5.1 and newer and was fixed in versions 715 1.5.8, 1.6.4, and 1.7.1. (CVE-2021-27668) 716 717CHANGES: 718 719* go: Update to Go 1.14.15 [[GH-11397](https://github.com/hashicorp/vault/pull/11397)] 720 721IMPROVEMENTS: 722 723* core: Add tls_max_version listener config option. [[GH-11226](https://github.com/hashicorp/vault/pull/11226)] 724 725BUG FIXES: 726 727* core/identity: Fix deadlock in entity merge endpoint. [[GH-10877](https://github.com/hashicorp/vault/pull/10877)] 728* core: Fix cleanup of storage entries from cubbyholes within namespaces. [[GH-11408](https://github.com/hashicorp/vault/pull/11408)] 729* pki: Only remove revoked entry for certificates during tidy if they are past their NotAfter value [[GH-11367](https://github.com/hashicorp/vault/pull/11367)] 730* core: Avoid deadlocks by ensuring that if grabLockOrStop returns stopped=true, the lock will not be held. [[GH-10456](https://github.com/hashicorp/vault/pull/10456)] 731 732## 1.5.7 733### January 29, 2021 734 735SECURITY: 736 737* IP Address Disclosure: We fixed a vulnerability where, under some error 738conditions, Vault would return an error message disclosing internal IP 739addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in 7401.6.2 and 1.5.7 (CVE-2021-3024). 741* Mount Path Disclosure: Vault previously returned different HTTP status codes for 742existent and non-existent mount paths. This behavior would allow unauthenticated 743brute force attacks to reveal which paths had valid mounts. This issue affects 744Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594). 745 746IMPROVEMENTS: 747 748* storage/raft (enterprise): Listing of peers is now allowed on DR secondary 749cluster nodes, as an update operation that takes in DR operation token for 750authenticating the request. 751 752BUG FIXES: 753 754* core: Avoid disclosing IP addresses in the errors of unauthenticated requests [[GH-10579](https://github.com/hashicorp/vault/pull/10579)] 755* core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [[GH-10650](https://github.com/hashicorp/vault/pull/10650)] 756 757## 1.5.6 758### December 16, 2020 759 760SECURITY: 761 762* LDAP Auth Method: We addressed an issue where error messages returned by the 763 LDAP auth method allowed user enumeration [[GH-10537](https://github.com/hashicorp/vault/pull/10537)]. This vulnerability affects Vault OSS and Vault 764 Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177). 765* Sentinel EGP: We've fixed incorrect handling of namespace paths to prevent 766 users within namespaces from applying Sentinel EGP policies to paths above 767 their namespace. This vulnerability affects Vault Enterprise and is fixed in 768 1.5.6 and 1.6.1. 769 770IMPROVEMENTS: 771 772* auth/ldap: Improve consistency in error messages [[GH-10537](https://github.com/hashicorp/vault/pull/10537)] 773 774BUG FIXES: 775 776* core (enterprise): Vault EGP policies attached to path * were not correctly scoped to the namespace. 777* core: Fix bug where updating an existing path quota could introduce a conflict [[GH-10285](https://github.com/hashicorp/vault/pull/10285)] 778* core: Fix client.Clone() to include the address [[GH-10077](https://github.com/hashicorp/vault/pull/10077)] 779* quotas (enterprise): Reset cache before loading quotas in the db during startup 780* secrets/transit: allow for null string to be used for optional parameters in encrypt and decrypt [[GH-10386](https://github.com/hashicorp/vault/pull/10386)] 781 782## 1.5.5 783### October 21, 2020 784 785IMPROVEMENTS: 786 787* auth/aws, core/seal, secret/aws: Set default IMDS timeouts to match AWS SDK [[GH-10133](https://github.com/hashicorp/vault/pull/10133)] 788 789BUG FIXES: 790 791* auth/aws: Restrict region selection when in the aws-us-gov partition to avoid IAM errors [[GH-9947](https://github.com/hashicorp/vault/pull/9947)] 792* core (enterprise): Allow operators to add and remove (Raft) peers in a DR secondary cluster using Integrated Storage. 793* core (enterprise): Add DR operation token to the remove peer API and CLI command (when DR secondary). 794* core (enterprise): Fix deadlock in handling EGP policies 795* core (enterprise): Fix extraneous error messages in DR Cluster 796* secrets/mysql: Conditionally overwrite TLS parameters for MySQL secrets engine [[GH-9729](https://github.com/hashicorp/vault/pull/9729)] 797* secrets/ad: Fix bug where `password_policy` setting was not using correct key when `ad/config` was read [[GH-71](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/71)] 798* ui: Fix issue with listing roles and methods on the same auth methods with different names [[GH-10122](https://github.com/hashicorp/vault/pull/10122)] 799 800## 1.5.4 801### September 24th, 2020 802 803SECURITY: 804 805* Batch Token Expiry: We addressed an issue where batch token leases could outlive their TTL because we were not scheduling the expiration time correctly. This vulnerability affects Vault OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7 and 1.5.4 (CVE-2020-25816). 806 807IMPROVEMENTS: 808 809* secrets/pki: Handle expiration of a cert not in storage as a success [[GH-9880](https://github.com/hashicorp/vault/pull/9880)] 810* auth/kubernetes: Add an option to disable defaulting to the local CA cert and service account JWT when running in a Kubernetes pod [[GH-97]](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/97) 811* secrets/gcp: Add check for 403 during rollback to prevent repeated deletion calls [[GH-97](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/97)] 812* core: Disable usage metrics collection on performance standby nodes. [[GH-9966](https://github.com/hashicorp/vault/pull/9966)] 813* credential/aws: Added X-Amz-Content-Sha256 as a default STS request header [[GH-10009](https://github.com/hashicorp/vault/pull/10009)] 814 815BUG FIXES: 816 817* agent: Fix `disable_fast_negotiation` not being set on the auth method when configured by user. [[GH-9892](https://github.com/hashicorp/vault/pull/9892)] 818* core (enterprise): Fix hang when cluster-wide plugin reload cleanup is slow on unseal 819* core (enterprise): Fix an error in cluster-wide plugin reload cleanup following such a reload 820* core: Fix crash when metrics collection encounters zero-length keys in KV store [[GH-9811](https://github.com/hashicorp/vault/pull/9881)] 821* mfa (enterprise): Fix incorrect handling of PingID responses that could result in auth requests failing 822* replication (enterprise): Improve race condition when using a newly created token on a performance standby node 823* replication (enterprise): Only write failover cluster addresses if they've changed 824* ui: fix bug where dropdown for identity/entity management is not reflective of actual policy [[GH-9958](https://github.com/hashicorp/vault/pull/9958)] 825 826## 1.5.3 827### August 27th, 2020 828 829NOTE: 830 831All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users. 832 833BUG FIXES: 834 835* auth/aws: Made header handling for IAM authentication more robust 836* secrets/ssh: Fixed a bug with role option for SSH signing algorithm to allow more than RSA signing 837 838## 1.5.2.1 839### August 21st, 2020 840### Enterprise Only 841 842NOTE: 843 844Includes correct license in the HSM binary. 845 846## 1.5.2 847### August 20th, 2020 848 849NOTE: 850 851OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 852 853KNOWN ISSUES: 854 855* AWS IAM logins may return an error depending on the headers sent with the request. 856 For more details and a workaround, see the [1.5.2 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.5.2) 857* In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly - enterprise 858 customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1. 859 860 861## 1.5.1 862### August 20th, 2020 863 864SECURITY: 865 866* When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero) 867* When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero) 868* When using Vault Agent with cert auto-auth and caching enabled, under certain circumstances, clients without permission to access agent's token may retrieve the token without login credentials. This vulnerability affects Vault Agent 1.1.0 and newer and is fixed in 1.5.1 (CVE-2020-17455) 869 870KNOWN ISSUES: 871 872* OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 873* AWS IAM logins may return an error depending on the headers sent with the request. 874 For more details and a workaround, see the [1.5.1 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.5.1) 875 876CHANGES: 877 878* pki: The tidy operation will now remove revoked certificates if the parameter `tidy_revoked_certs` is set to `true`. This will result in certificate entries being immediately removed, as opposed to awaiting until its NotAfter time. Note that this only affects certificates that have been already revoked. [[GH-9609](https://github.com/hashicorp/vault/pull/9609)] 879* go: Updated Go version to 1.14.7 880 881IMPROVEMENTS: 882 883* auth/jwt: Add support for fetching groups and user information from G Suite during authentication. [[GH-9574](https://github.com/hashicorp/vault/pull/9574)] 884* auth/jwt: Add EdDSA to supported algorithms. [[GH-129](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/129)] 885* secrets/openldap: Add "ad" schema that allows the engine to correctly rotate AD passwords. [[GH-9740](https://github.com/hashicorp/vault/pull/9740)] 886* pki: Add a `allowed_domains_template` parameter that enables the use of identity templating within the `allowed_domains` parameter. [[GH-8509](https://github.com/hashicorp/vault/pull/8509)] 887* secret/azure: Use write-ahead-logs to cleanup any orphaned Service Principals [[GH-9773](https://github.com/hashicorp/vault/pull/9773)] 888* ui: Wrap TTL option on transit engine export action is updated to a new component. [[GH-9632](https://github.com/hashicorp/vault/pull/9632)] 889* ui: Wrap Tool uses newest version of TTL Picker component. [[GH-9691](https://github.com/hashicorp/vault/pull/9691)] 890 891BUG FIXES: 892 893* secrets/gcp: Ensure that the IAM policy version is appropriately set after a roleset's bindings have changed. [[GH-9603](https://github.com/hashicorp/vault/pull/9603)] 894* replication (enterprise): Fix status API output incorrectly stating replication is in `idle` state. 895* replication (enterprise): Use PrimaryClusterAddr if it's been set 896* core: Fix panic when printing over-long info fields at startup [[GH-9681](https://github.com/hashicorp/vault/pull/9681)] 897* core: Seal migration using the new minimal-downtime strategy didn't work properly with performance standbys. [[GH-9690](https://github.com/hashicorp/vault/pull/9690)] 898* core: Vault failed to start when there were non-string values in seal configuration [[GH-9555](https://github.com/hashicorp/vault/pull/9555)] 899* core: Handle a trailing slash in the API address used for enabling replication 900 901## 1.5.0 902### July 21st, 2020 903 904CHANGES: 905 906* audit: Token TTL and issue time are now provided in the auth portion of audit logs. [[GH-9091](https://github.com/hashicorp/vault/pull/9091)] 907* auth/gcp: Changes the default name of the entity alias that gets created to be the role ID for both IAM and GCE authentication. [[GH-99](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/99)] 908* core: Remove the addition of newlines to parsed configuration when using integer/boolean values [[GH-8928](https://github.com/hashicorp/vault/pull/8928)] 909* cubbyhole: Reject reads and writes to an empty ("") path. [[GH-8971](https://github.com/hashicorp/vault/pull/8971)] 910* secrets/azure: Default password generation changed from uuid to cryptographically secure randomized string [[GH-40](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/40)] 911* storage/gcs: The `credentials_file` config option has been removed. The `GOOGLE_APPLICATION_CREDENTIALS` environment variable 912 or default credentials may be used instead [[GH-9424](https://github.com/hashicorp/vault/pull/9424)] 913* storage/raft: The storage configuration now accepts a new `max_entry_size` config that will limit 914 the total size in bytes of any entry committed via raft. It defaults to `"1048576"` (1MiB). [[GH-9027](https://github.com/hashicorp/vault/pull/9027)] 915* token: Token creation with custom token ID via `id` will no longer allow periods (`.`) as part of the input string. 916 The final generated token value may contain periods, such as the `s.` prefix for service token 917 indication. [[GH-8646](https://github.com/hashicorp/vault/pull/8646/files)] 918* token: Token renewals will now return token policies within the `token_policies` , identity policies within `identity_policies`, and the full policy set within `policies`. [[GH-8535](https://github.com/hashicorp/vault/pull/8535)] 919* go: Updated Go version to 1.14.4 920 921FEATURES: 922 923* **Monitoring**: We have released a Splunk App [9] for Enterprise customers. The app is accompanied by an updated monitoring guide and a few new metrics to enable OSS users to effectively monitor Vault. 924* **Password Policies**: Allows operators to customize how passwords are generated for select secret engines (OpenLDAP, Active Directory, Azure, and RabbitMQ). 925* **Replication UI Improvements**: We have redesigned the replication UI to highlight the state and relationship between primaries and secondaries and improved management workflows, enabling a more holistic understanding of multiple Vault clusters. 926* **Resource Quotas**: As of 1.5, Vault supports specifying a quota to rate limit requests on OSS and Enterprise. Enterprise customers also have access to set quotas on the number of leases that can be generated on a path. 927* **OpenShift Support**: We have updated the Helm charts to allow users to install Vault onto their OpenShift clusters. 928* **Seal Migration**: We have made updates to allow migrations from auto unseal to Shamir unseal on Enterprise. 929* **AWS Auth Web Identity Support**: We've added support for AWS Web Identities, which will be used in the credentials chain if present. 930* **Vault Monitor**: Similar to the monitor command for Consul and Nomad, we have added the ability for Vault to stream logs from other Vault servers at varying log levels. 931* **AWS Secrets Groups Support**: IAM users generated by Vault may now be added to IAM Groups. 932* **Integrated Storage as HA Storage**: In Vault 1.5, it is possible to use Integrated Storage as HA Storage with a different storage backend as regular storage. 933* **OIDC Auth Provider Extensions**: We've added support to OIDC Auth to incorporate IdP-specific extensions. Currently this includes expanded Azure AD groups support. 934* **GCP Secrets**: Support BigQuery dataset ACLs in absence of IAM endpoints. 935* **KMIP**: Add support for signing client certificates requests (CSRs) rather than having them be generated entirely within Vault. 936 937IMPROVEMENTS: 938 939* audit: Replication status requests are no longer audited. [[GH-8877](https://github.com/hashicorp/vault/pull/8877)] 940* audit: Added mount_type field to requests and responses. [[GH-9167](https://github.com/hashicorp/vault/pull/9167)] 941* auth/aws: Add support for Web Identity credentials [[GH-7738](https://github.com/hashicorp/vault/pull/7738)] 942* auth/jwt: Support users that are members of more than 200 groups on Azure [[GH-120](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/120)] 943* auth/kerberos: Support identities without userPrincipalName [[GH-44](https://github.com/hashicorp/vault-plugin-auth-kerberos/issues/44)] 944* auth/kubernetes: Allow disabling `iss` validation [[GH-91](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/91)] 945* auth/kubernetes: Try reading the ca.crt and TokenReviewer JWT from the default service account [[GH-83](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/83)] 946* cli: Support reading TLS parameters from file for the `vault operator raft join` command. [[GH-9060](https://github.com/hashicorp/vault/pull/9060)] 947* cli: Add a new subcommand, `vault monitor`, for tailing server logs in the console. [[GH-8477](https://github.com/hashicorp/vault/pull/8477)] 948* core: Add the Go version used to build a Vault binary to the server message output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)] 949* core: Added Password Policies for user-configurable password generation [[GH-8637](https://github.com/hashicorp/vault/pull/8637)] 950* core: New telemetry metrics covering token counts, token creation, KV secret counts, lease creation. [[GH-9239](https://github.com/hashicorp/vault/pull/9239)] [[GH-9250](https://github.com/hashicorp/vault/pull/9250)] [[GH-9244](https://github.com/hashicorp/vault/pull/9244)] [[GH-9052](https://github.com/hashicorp/vault/pull/9052)] 951* physical/gcs: The storage backend now uses a dedicated client for HA lock updates to prevent lock table update failures when flooded by other client requests. [[GH-9424](https://github.com/hashicorp/vault/pull/9424)] 952* physical/spanner: The storage backend now uses a dedicated client for HA lock updates to prevent lock table update failures when flooded by other client requests. [[GH-9423](https://github.com/hashicorp/vault/pull/9423)] 953* plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin reload`, for reloading plugins. [[GH-8777](https://github.com/hashicorp/vault/pull/8777)] 954* plugin (enterprise): Add a scope field to plugin reload, which when global, reloads the plugin anywhere in a cluster. [[GH-9347](https://github.com/hashicorp/vault/pull/9347)] 955* sdk/framework: Support accepting TypeFloat parameters over the API [[GH-8923](https://github.com/hashicorp/vault/pull/8923)] 956* secrets/aws: Add iam_groups parameter to role create/update [[GH-8811](https://github.com/hashicorp/vault/pull/8811)] 957* secrets/database: Add static role rotation for MongoDB Atlas database plugin [[GH-11](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/11)] 958* secrets/database: Add static role rotation for MSSQL database plugin [[GH-9062](https://github.com/hashicorp/vault/pull/9062)] 959* secrets/database: Allow InfluxDB to use insecure TLS without cert bundle [[GH-8778](https://github.com/hashicorp/vault/pull/8778)] 960* secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints [[GH-78](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/78)] 961* secrets/pki: Allow 3072-bit RSA keys [[GH-8343](https://github.com/hashicorp/vault/pull/8343)] 962* secrets/ssh: Add a CA-mode role option to specify signing algorithm [[GH-9096](https://github.com/hashicorp/vault/pull/9096)] 963* secrets/ssh: The [Vault SSH Helper](https://github.com/hashicorp/vault-ssh-helper) can now be configured to reference a mount in a namespace [[GH-44](https://github.com/hashicorp/vault-ssh-helper/pull/44)] 964* secrets/transit: Transit requests that make use of keys now include a new field `key_version` in their responses [[GH-9100](https://github.com/hashicorp/vault/pull/9100)] 965* secrets/transit: Improving transit batch encrypt and decrypt latencies [[GH-8775](https://github.com/hashicorp/vault/pull/8775)] 966* sentinel: Add a sentinel config section, and "additional_enabled_modules", a list of Sentinel modules that may be imported in addition to the defaults. 967* ui: Update TTL picker styling on SSH secret engine [[GH-8891](https://github.com/hashicorp/vault/pull/8891)] 968* ui: Only render the JWT input field of the Vault login form on mounts configured for JWT auth [[GH-8952](https://github.com/hashicorp/vault/pull/8952)] 969* ui: Add replication dashboards. Improve replication management workflows. [[GH-8705]](https://github.com/hashicorp/vault/pull/8705). 970* ui: Update alert banners to match design systems black text. [[GH-9463]](https://github.com/hashicorp/vault/pull/9463). 971 972BUG FIXES: 973 974* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI) auth method could not authenticate when the plugin backend was mounted at a non-default path. [[GH-7](https://github.com/hashicorp/vault-plugin-auth-oci/pull/7)] 975* core: Extend replicated cubbyhole fix in 1.4.0 to cover case where a performance primary is also a DR primary [[GH-9148](https://github.com/hashicorp/vault/pull/9148)] 976* replication (enterprise): Use the PrimaryClusterAddr if it's been set 977* seal/awskms: fix AWS KMS auto-unseal when AWS_ROLE_SESSION_NAME not set [[GH-9416](https://github.com/hashicorp/vault/pull/9416)] 978* sentinel: fix panic due to concurrent map access when rules iterate over metadata maps 979* secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [[GH-9186](https://github.com/hashicorp/vault/pull/9186)] 980* secrets/database: Fix issue where rotating root database credentials while Vault's storage backend is unavailable causes Vault to lose access to the database [[GH-8782](https://github.com/hashicorp/vault/pull/8782)] 981* secrets/database: Fix issue that prevents performance standbys from connecting to databases after a root credential rotation [[GH-9129](https://github.com/hashicorp/vault/pull/9129)] 982* secrets/database: Fix parsing of multi-line PostgreSQL statements [[GH-8512](https://github.com/hashicorp/vault/pull/8512)] 983* secrets/gcp: Fix issue were updates were not being applied to the `token_scopes` of a roleset. [[GH-90](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/90)] 984* secrets/kv: Return the value of delete_version_after when reading kv/config, even if it is set to the default. [[GH-42](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/42)] 985* ui: Add Toggle component into core addon so it is available in KMIP and other Ember Engines.[[GH-8913]](https://github.com/hashicorp/vault/pull/8913) 986* ui: Disallow max versions value of large than 9999999999999999 on kv2 secrets engine. [[GH-9242](https://github.com/hashicorp/vault/pull/9242)] 987* ui: Add and upgrade missing dependencies to resolve a failure with `make static-dist`. [[GH-9277](https://github.com/hashicorp/vault/pull/9371)] 988 989## 1.4.7.1 990### October 15th, 2020 991### Enterprise Only 992 993BUG FIXES: 994* replication (enterprise): Fix panic when old filter path evaluation fails 995 996## 1.4.7 997### September 24th, 2020 998 999SECURITY: 1000 1001* Batch Token Expiry: We addressed an issue where batch token leases could outlive their TTL because we were not scheduling the expiration time correctly. This vulnerability affects Vault OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7 and 1.5.4 (CVE-2020-25816). 1002 1003IMPROVEMENTS: 1004 1005* secret/azure: Use write-ahead-logs to cleanup any orphaned Service Principals [[GH-9773](https://github.com/hashicorp/vault/pull/9773)] 1006 1007BUG FIXES: 1008* replication (enterprise): Don't stop replication if old filter path evaluation fails 1009 1010## 1.4.6 1011### August 27th, 2020 1012 1013NOTE: 1014 1015All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users. 1016 1017BUG FIXES: 1018 1019* auth/aws: Made header handling for IAM authentication more robust 1020* secrets/ssh: Fixed a bug with role option for SSH signing algorithm to allow more than RSA signing [[GH-9824](https://github.com/hashicorp/vault/pull/9824)] 1021 1022## 1.4.5.1 1023### August 21st, 2020 1024### Enterprise Only 1025 1026NOTE: 1027 1028Includes correct license in the HSM binary. 1029 1030## 1.4.5 1031### August 20th, 2020 1032 1033NOTE: 1034 1035OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 1036 1037KNOWN ISSUES: 1038 1039* AWS IAM logins may return an error depending on the headers sent with the request. 1040 For more details and a workaround, see the [1.4.5 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.4.5) 1041* In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly - enterprise 1042 customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1. 1043 1044 1045## 1.4.4 1046### August 20th, 2020 1047 1048SECURITY: 1049 1050* When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero) 1051* When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero) 1052 1053KNOWN ISSUES: 1054 1055* OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 1056* AWS IAM logins may return an error depending on the headers sent with the request. 1057 For more details and a workaround, see the [1.4.4 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.4.4) 1058 1059BUG FIXES: 1060 1061* auth/okta: fix bug introduced in 1.4.0: only 200 external groups were fetched even if user belonged to more [[GH-9580](https://github.com/hashicorp/vault/pull/9580)] 1062* seal/awskms: fix AWS KMS auto-unseal when AWS_ROLE_SESSION_NAME not set [[GH-9416](https://github.com/hashicorp/vault/pull/9416)] 1063* secrets/aws: Fix possible issue creating access keys when using Performance Standbys [[GH-9606](https://github.com/hashicorp/vault/pull/9606)] 1064 1065IMPROVEMENTS: 1066* auth/aws: Retry on transient failures during AWS IAM auth login attempts [[GH-8727](https://github.com/hashicorp/vault/pull/8727)] 1067* ui: Add transit key algorithms aes128-gcm96, ecdsa-p384, ecdsa-p521 to the UI. [[GH-9070](https://github.com/hashicorp/vault/pull/9070)] & [[GH-9520](https://github.com/hashicorp/vault/pull/9520)] 1068 1069## 1.4.3 1070### July 2nd, 2020 1071 1072IMPROVEMENTS: 1073 1074* auth/aws: Add support for Web Identity credentials [[GH-9251](https://github.com/hashicorp/vault/pull/9251)] 1075* auth/kerberos: Support identities without userPrincipalName [[GH-44](https://github.com/hashicorp/vault-plugin-auth-kerberos/issues/44)] 1076* core: Add the Go version used to build a Vault binary to the server message output. [[GH-9078](https://github.com/hashicorp/vault/pull/9078)] 1077* secrets/database: Add static role rotation for MongoDB Atlas database plugin [[GH-9311](https://github.com/hashicorp/vault/pull/9311)] 1078* physical/mysql: Require TLS or plaintext flagging in MySQL configuration [[GH-9012](https://github.com/hashicorp/vault/pull/9012)] 1079* ui: Link to the Vault Changelog in the UI footer [[GH-9216](https://github.com/hashicorp/vault/pull/9216)] 1080 1081BUG FIXES: 1082 1083* agent: Restart template server when it shuts down [[GH-9200](https://github.com/hashicorp/vault/pull/9200)] 1084* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI) auth method could not authenticate when the plugin backend was mounted at a non-default path. [[GH-9278](https://github.com/hashicorp/vault/pull/9278)] 1085* replication: The issue causing cubbyholes in namespaces on performance secondaries to not work, which was fixed in 1.4.0, was still an issue when the primary was both a performance primary and DR primary. 1086* seal: (enterprise) Fix issue causing stored seal and recovery keys to be mistaken as sealwrapped values 1087* secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [[GH-9207](https://github.com/hashicorp/vault/pull/9207)] 1088* secrets/database: Fix issue that prevents performance standbys from connecting to databases after a root credential rotation [[GH-9208](https://github.com/hashicorp/vault/pull/9208)] 1089* secrets/gcp: Fix issue were updates were not being applied to the `token_scopes` of a roleset. [[GH-9277](https://github.com/hashicorp/vault/pull/9277)] 1090 1091 1092## 1.4.2 (May 21st, 2020) 1093 1094SECURITY: 1095* core: Proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)] 1096* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being used instead of the configured backend TTLs for dynamic service accounts. This vulnerability is CVE-2020-12757. [[GH-85](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/85)] 1097 1098IMPROVEMENTS: 1099 1100* storage/raft: The storage stanza now accepts `leader_ca_cert_file`, `leader_client_cert_file`, and 1101 `leader_client_key_file` parameters to read and parse TLS certificate information from paths on disk. 1102 Existing non-path based parameters will continue to work, but their values will need to be provided as a 1103 single-line string with newlines delimited by `\n`. [[GH-8894](https://github.com/hashicorp/vault/pull/8894)] 1104* storage/raft: The `vault status` CLI command and the `sys/leader` API now contain the committed and applied 1105 raft indexes. [[GH-9011](https://github.com/hashicorp/vault/pull/9011)] 1106 1107BUG FIXES: 1108 1109* auth/aws: Fix token renewal issues caused by the metadata changes in 1.4.1 [[GH-8991](https://github.com/hashicorp/vault/pull/8991)] 1110* auth/ldap: Fix 1.4.0 regression that could result in auth failures when LDAP auth config includes upndomain. [[GH-9041](https://github.com/hashicorp/vault/pull/9041)] 1111* secrets/ad: Forward rotation requests from standbys to active clusters [[GH-66](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/66)] 1112* secrets/database: Prevent generation of usernames that are not allowed by the MongoDB Atlas API [[GH-9](https://github.com/hashicorp/vault-plugin-database-mongodbatlas/pull/9)] 1113* secrets/database: Return an error if a manual rotation of static account credentials fails [[GH-9035](https://github.com/hashicorp/vault/pull/9035)] 1114* secrets/openldap: Forward all rotation requests from standbys to active clusters [[GH-9028](https://github.com/hashicorp/vault/pull/9028)] 1115* secrets/transform (enterprise): Fix panic that could occur when accessing cached template entries, such as a requests 1116 that accessed templates directly or indirectly from a performance standby node. 1117* serviceregistration: Fix a regression for Consul service registration that ignored using the listener address as 1118 the redirect address unless api_addr was provided. It now properly uses the same redirect address as the one 1119 used by Vault's Core object. [[GH-8976](https://github.com/hashicorp/vault/pull/8976)] 1120* storage/raft: Advertise the configured cluster address to the rest of the nodes in the raft cluster. This fixes 1121 an issue where a node advertising 0.0.0.0 is not using a unique hostname. [[GH-9008](https://github.com/hashicorp/vault/pull/9008)] 1122* storage/raft: Fix panic when multiple nodes attempt to join the cluster at once. [[GH-9008](https://github.com/hashicorp/vault/pull/9008)] 1123* sys: The path provided in `sys/internal/ui/mounts/:path` is now namespace-aware. This fixes an issue 1124 with `vault kv` subcommands that had namespaces provided in the path returning permission denied all the time. 1125 [[GH-8962](https://github.com/hashicorp/vault/pull/8962)] 1126* ui: Fix snowman that appears when namespaces have more than one period [[GH-8910](https://github.com/hashicorp/vault/pull/8910)] 1127 1128## 1.4.1 (April 30th, 2020) 1129 1130CHANGES: 1131 1132* auth/aws: The default set of metadata fields added in 1.4.1 has been changed to `account_id` and `auth_type` [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] 1133* storage/raft: Disallow `ha_storage` to be specified if `raft` is set as the `storage` type. [[GH-8707](https://github.com/hashicorp/vault/pull/8707)] 1134 1135IMPROVEMENTS: 1136 1137* auth/aws: The set of metadata stored during login is now configurable [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] 1138* auth/aws: Improve region selection to avoid errors seen if the account hasn't enabled some newer AWS regions [[GH-8679](https://github.com/hashicorp/vault/pull/8679)] 1139* auth/azure: Enable login from Azure VMs with user-assigned identities [[GH-33](https://github.com/hashicorp/vault-plugin-auth-azure/pull/33)] 1140* auth/gcp: The set of metadata stored during login is now configurable [[GH-92](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/92)] 1141* auth/gcp: The type of alias name used during login is now configurable [[GH-95](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/95)] 1142* auth/ldap: Improve error messages during LDAP operation failures [[GH-8740](https://github.com/hashicorp/vault/pull/8740)] 1143* identity: Add a batch delete API for identity entities [[GH-8785]](https://github.com/hashicorp/vault/pull/8785) 1144* identity: Improve performance of logins when no group updates are needed [[GH-8795]](https://github.com/hashicorp/vault/pull/8795) 1145* metrics: Add `vault.identity.num_entities` metric [[GH-8816]](https://github.com/hashicorp/vault/pull/8816) 1146* secrets/kv: Allow `delete-version-after` to be reset to 0 via the CLI [[GH-8635](https://github.com/hashicorp/vault/pull/8635)] 1147* secrets/rabbitmq: Improve error handling and reporting [[GH-8619](https://github.com/hashicorp/vault/pull/8619)] 1148* ui: Provide One Time Password during Operation Token generation process [[GH-8630]](https://github.com/hashicorp/vault/pull/8630) 1149 1150BUG FIXES: 1151 1152* auth/okta: Fix MFA regression (introduced in [GH-8143](https://github.com/hashicorp/vault/pull/8143)) from 1.4.0 [[GH-8807](https://github.com/hashicorp/vault/pull/8807)] 1153* auth/userpass: Fix upgrade value for `token_bound_cidrs` being ignored due to incorrect key provided [[GH-8826](https://github.com/hashicorp/vault/pull/8826/files)] 1154* config/seal: Fix segfault when seal block is removed [[GH-8517](https://github.com/hashicorp/vault/pull/8517)] 1155* core: Fix an issue where users attempting to build Vault could receive Go module checksum errors [[GH-8770](https://github.com/hashicorp/vault/pull/8770)] 1156* core: Fix blocked requests if a SIGHUP is issued during a long-running request has the state lock held. 1157 Also fixes deadlock that can happen if `vault debug` with the config target is ran during this time. 1158 [[GH-8755](https://github.com/hashicorp/vault/pull/8755)] 1159* core: Always rewrite the .vault-token file as part of a `vault login` to ensure permissions and ownership are set correctly [[GH-8867](https://github.com/hashicorp/vault/pull/8867)] 1160* database/mongodb: Fix context deadline error that may result due to retry attempts on failed commands 1161 [[GH-8863](https://github.com/hashicorp/vault/pull/8863)] 1162* http: Fix superflous call messages from the http package on logs caused by missing returns after 1163 `respondError` calls [[GH-8796](https://github.com/hashicorp/vault/pull/8796)] 1164* namespace (enterprise): Fix namespace listing to return `key_info` when a scoping namespace is also provided. 1165* seal/gcpkms: Fix panic that could occur if all seal parameters were provided via environment 1166 variables [[GH-8840](https://github.com/hashicorp/vault/pull/8840)] 1167* storage/raft: Fix memory allocation and incorrect metadata tracking issues with snapshots [[GH-8793](https://github.com/hashicorp/vault/pull/8793)] 1168* storage/raft: Fix panic that could occur if `disable_clustering` was set to true on Raft storage cluster [[GH-8784](https://github.com/hashicorp/vault/pull/8784)] 1169* storage/raft: Handle errors returned from the API during snapshot operations [[GH-8861](https://github.com/hashicorp/vault/pull/8861)] 1170* sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data [[GH-8714](https://github.com/hashicorp/vault/pull/8714)] 1171 1172## 1.4.0 (April 7th, 2020) 1173 1174CHANGES: 1175 1176* cli: The raft configuration command has been renamed to list-peers to avoid 1177 confusion. 1178 1179FEATURES: 1180 1181* **Kerberos Authentication**: Vault now supports Kerberos authentication using a SPNEGO token. 1182 Login can be performed using the Vault CLI, API, or agent. 1183* **Kubernetes Service Discovery**: A new Kubernetes service discovery feature where, if 1184 configured, Vault will tag Vault pods with their current health status. For more, see [#8249](https://github.com/hashicorp/vault/pull/8249). 1185* **MongoDB Atlas Secrets**: Vault can now generate dynamic credentials for both MongoDB Atlas databases 1186 as well as the [Atlas programmatic interface](https://docs.atlas.mongodb.com/tutorial/manage-programmatic-access/). 1187* **OpenLDAP Secrets Engine**: We now support password management of existing OpenLDAP user entries. For more, see [#8360](https://github.com/hashicorp/vault/pull/8360/). 1188* **Redshift Database Secrets Engine**: The database secrets engine now supports static and dynamic secrets for the Amazon Web Services (AWS) Redshift service. 1189* **Service Registration Config**: A newly introduced `service_registration` configuration stanza, that allows for service registration to be configured separately from the storage backend. For more, see [#7887](https://github.com/hashicorp/vault/pull/7887/). 1190* **Transform Secrets Engine (Enterprise)**: A new secrets engine that handles secure data transformations against provided input values. 1191* **Integrated Storage**: Promoted out of beta and into general availability for both open-source and enterprise workloads. 1192 1193IMPROVEMENTS: 1194 1195* agent: add option to force the use of the auth-auth token, and ignore the Vault token in the request [[GH-8101](https://github.com/hashicorp/vault/pull/8101)] 1196* api: Restore and fix DNS SRV Lookup [[GH-8520](https://github.com/hashicorp/vault/pull/8520)] 1197* audit: HMAC http_raw_body in audit log; this ensures that large authenticated Prometheus metrics responses get 1198 replaced with short HMAC values [[GH-8130](https://github.com/hashicorp/vault/pull/8130)] 1199* audit: Generate-root, generate-recovery-token, and generate-dr-operation-token requests and responses are now audited. [[GH-8301](https://github.com/hashicorp/vault/pull/8301)] 1200* auth/aws: Reduce the number of simultaneous STS client credentials needed [[GH-8161](https://github.com/hashicorp/vault/pull/8161)] 1201* auth/azure: subscription ID, resource group, vm and vmss names are now stored in alias metadata [[GH-30](https://github.com/hashicorp/vault-plugin-auth-azure/pull/30)] 1202* auth/jwt: Additional OIDC callback parameters available for CLI logins [[GH-80](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/80) & [GH-86](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/86)] 1203* auth/jwt: Bound claims may be optionally configured using globs [[GH-89](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/89)] 1204* auth/jwt: Timeout during OIDC CLI login if process doesn't complete within 2 minutes [[GH-97](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/97)] 1205* auth/jwt: Add support for the `form_post` response mode [[GH-98](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/98)] 1206* auth/jwt: add optional client_nonce to authorization flow [[GH-104](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/104)] 1207* auth/okta: Upgrade okta sdk lib, which should improve handling of groups [[GH-8143](https://github.com/hashicorp/vault/pull/8143)] 1208* aws: Add support for v2 of the instance metadata service (see [issue 7924](https://github.com/hashicorp/vault/issues/7924) for all linked PRs) 1209* core: Separate out service discovery interface from storage interface to allow 1210 new types of service discovery not coupled to storage [[GH-7887](https://github.com/hashicorp/vault/pull/7887)] 1211* core: Add support for telemetry option `metrics_prefix` [[GH-8340](https://github.com/hashicorp/vault/pull/8340)] 1212* core: Entropy Augmentation can now be used with AWS KMS and Vault Transit seals 1213* core: Allow tls_min_version to be set to TLS 1.3 [[GH-8305](https://github.com/hashicorp/vault/pull/8305)] 1214* cli: Incorrect TLS configuration will now correctly fail [[GH-8025](https://github.com/hashicorp/vault/pull/8025)] 1215* identity: Allow specifying a custom `client_id` for identity tokens [[GH-8165](https://github.com/hashicorp/vault/pull/8165)] 1216* metrics/prometheus: improve performance with high volume of metrics updates [[GH-8507](https://github.com/hashicorp/vault/pull/8507)] 1217* replication (enterprise): Fix race condition causing clusters with high throughput writes to sometimes 1218 fail to enter streaming-wal mode 1219* replication (enterprise): Secondary clusters can now perform an extra gRPC call to all nodes in a primary 1220 cluster in an attempt to resolve the active node's address 1221* replication (enterprise): The replication status API now outputs `last_performance_wal`, `last_dr_wal`, 1222 and `connection_state` values 1223* replication (enterprise): DR secondary clusters can now be recovered by the `replication/dr/secondary/recover` 1224 API 1225* replication (enterprise): We now allow for an alternate means to create a Disaster Recovery token, by using a batch 1226 token that is created with an ACL that allows for access to one or more of the DR endpoints. 1227* secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver [[GH-8140](https://github.com/hashicorp/vault/pull/8140)] 1228* secrets/database/mongodb: Add support for x509 client authorization to MongoDB [[GH-8329](https://github.com/hashicorp/vault/pull/8329)] 1229* secrets/database/oracle: Add support for static credential rotation [[GH-26](https://github.com/hashicorp/vault-plugin-database-oracle/pull/26)] 1230* secrets/consul: Add support to specify TLS options per Consul backend [[GH-4800](https://github.com/hashicorp/vault/pull/4800)] 1231* secrets/gcp: Allow specifying the TTL for a service key [[GH-54](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/54)] 1232* secrets/gcp: Add support for rotating root keys [[GH-53](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/53)] 1233* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests [[GH-77](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/77)] 1234* secrets/nomad: Add support to specify TLS options per Nomad backend [[GH-8083](https://github.com/hashicorp/vault/pull/8083)] 1235* secrets/ssh: Allowed users can now be templated with identity information [[GH-7548](https://github.com/hashicorp/vault/pull/7548)] 1236* secrets/transit: Adding RSA3072 key support [[GH-8151](https://github.com/hashicorp/vault/pull/8151)] 1237* storage/consul: Vault returns now a more descriptive error message when only a client cert or 1238 a client key has been provided [[GH-4930]](https://github.com/hashicorp/vault/pull/8084) 1239* storage/raft: Nodes in the raft cluster can all be given possible leader 1240 addresses for them to continuously try and join one of them, thus automating 1241 the process of join to a greater extent [[GH-7856](https://github.com/hashicorp/vault/pull/7856)] 1242* storage/raft: Fix a potential deadlock that could occur on leadership transition [[GH-8547](https://github.com/hashicorp/vault/pull/8547)] 1243* storage/raft: Refresh TLS keyring on snapshot restore [[GH-8546](https://github.com/hashicorp/vault/pull/8546)] 1244* storage/etcd: Bumped etcd client API SDK [[GH-7931](https://github.com/hashicorp/vault/pull/7931) & [GH-4961](https://github.com/hashicorp/vault/pull/4961) & [GH-4349](https://github.com/hashicorp/vault/pull/4349) & [GH-7582](https://github.com/hashicorp/vault/pull/7582)] 1245* ui: Make Transit Key actions more prominent [[GH-8304](https://github.com/hashicorp/vault/pull/8304)] 1246* ui: Add Core Usage Metrics [[GH-8347](https://github.com/hashicorp/vault/pull/8347)] 1247* ui: Add refresh Namespace list on the Namespace dropdown, and redesign of Namespace dropdown menu [[GH-8442](https://github.com/hashicorp/vault/pull/8442)] 1248* ui: Update transit actions to codeblocks & automatically encode plaintext unless indicated [[GH-8462](https://github.com/hashicorp/vault/pull/8462)] 1249* ui: Display the results of transit key actions in a modal window [[GH-8462](https://github.com/hashicorp/vault/pull/8575)] 1250* ui: Transit key version styling updates & ability to copy key from dropdown [[GH-8480](https://github.com/hashicorp/vault/pull/8480)] 1251 1252BUG FIXES: 1253 1254* agent: Fix issue where TLS options are ignored for agent template feature [[GH-7889](https://github.com/hashicorp/vault/pull/7889)] 1255* auth/jwt: Use lower case role names for `default_role` to match the `role` case convention [[GH-100](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/100)] 1256* auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to lookup the group 1257 membership of the given user [[GH-6325]](https://github.com/hashicorp/vault/pull/8333) 1258* cli: Support autocompletion for nested mounts [[GH-8303](https://github.com/hashicorp/vault/pull/8303)] 1259* cli: Fix CLI namespace autocompletion [[GH-8315](https://github.com/hashicorp/vault/pull/8315)] 1260* identity: Fix incorrect caching of identity token JWKS responses [[GH-8412](https://github.com/hashicorp/vault/pull/8412)] 1261* metrics/stackdriver: Fix issue that prevents the stackdriver metrics library to create unnecessary stackdriver descriptors [[GH-8073](https://github.com/hashicorp/vault/pull/8073)] 1262* replication (enterprise): Fix issue causing cubbyholes in namespaces on performance secondaries to not work. 1263* replication (enterprise): Unmounting a dynamic secrets backend could sometimes lead to replication errors. Change the order of operations to prevent that. 1264* seal (enterprise): Fix seal migration when transactional seal wrap backend is in use. 1265* secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [[GH-8282](https://github.com/hashicorp/vault/pull/8282)] 1266* secrets/database/mysql: Ensures default static credential rotation statements are used [[GH-8240](https://github.com/hashicorp/vault/pull/8240)] 1267* secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or {{username}} for 1268 different queries. Now it allows for either for backwards compatibility [[GH-8240](https://github.com/hashicorp/vault/pull/8240)] 1269* secrets/database/postgres: Fix inconsistent query parameter names: {{name}} or {{username}} for 1270 different queries. Now it allows for either for backwards compatibility [[GH-8240](https://github.com/hashicorp/vault/pull/8240)] 1271* secrets/pki: Support FQDNs in DNS Name [[GH-8288](https://github.com/hashicorp/vault/pull/8288)] 1272* storage/raft: Allow seal migration to be performed on Vault clusters using raft storage [[GH-8103](https://github.com/hashicorp/vault/pull/8103)] 1273* telemetry: Prometheus requests on standby nodes will now return an error instead of forwarding 1274 the request to the active node [[GH-8280](https://github.com/hashicorp/vault/pull/8280)] 1275* ui: Fix broken popup menu on the transit secrets list page [[GH-8348](https://github.com/hashicorp/vault/pull/8348)] 1276* ui: Update headless Chrome flag to fix `yarn run test:oss` [[GH-8035](https://github.com/hashicorp/vault/pull/8035)] 1277* ui: Update CLI to accept empty strings as param value to reset previously-set values 1278* ui: Fix bug where error states don't clear when moving between action tabs on Transit [[GH-8354](https://github.com/hashicorp/vault/pull/8354)] 1279 1280## 1.3.10 1281### August 27th, 2020 1282 1283NOTE: 1284 1285All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users. 1286 1287BUG FIXES: 1288 1289* auth/aws: Made header handling for IAM authentication more robust 1290 1291## 1.3.9.1 1292### August 21st, 2020 1293### Enterprise Only 1294 1295NOTE: 1296 1297Includes correct license in the HSM binary. 1298 1299## 1.3.9 1300### August 20th, 2020 1301 1302NOTE: 1303 1304OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 1305 1306KNOWN ISSUES: 1307 1308* AWS IAM logins may return an error depending on the headers sent with the request. 1309 For more details and a workaround, see the [1.3.9 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.3.9) 1310* In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly - enterprise 1311 customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1. 1312 1313## 1.3.8 1314### August 20th, 2020 1315 1316SECURITY: 1317 1318* When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero) 1319* When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero) 1320 1321KNOWN ISSUES: 1322 1323* OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 1324* AWS IAM logins may return an error depending on the headers sent with the request. 1325 For more details and a workaround, see the [1.3.8 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.3.8) 1326 1327## 1.3.7 1328### July 2nd, 2020 1329 1330BUG FIXES: 1331 1332* seal: (enterprise) Fix issue causing stored seal and recovery keys to be mistaken as sealwrapped values 1333* secrets/aws: Fix issue where performance standbys weren't able to generate STS credentials after an IAM access key rotation in AWS and root IAM credential update in Vault [[GH-9363](https://github.com/hashicorp/vault/pull/9363)] 1334 1335## 1.3.6 (May 21st, 2020) 1336 1337SECURITY: 1338* core: proxy environment variables are now redacted before being logged, in case the URLs include a username:password. This vulnerability, CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.1, as well as older versions of Vault [[GH-9022](https://github.com/hashicorp/vault/pull/9022)] 1339 1340BUG FIXES: 1341 1342* auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5 [[GH-8991](https://github.com/hashicorp/vault/pull/8991)] 1343* replication: Fix mount filter bug that allowed replication filters to hide local mounts on a performance secondary 1344 1345## 1.3.5 (April 28th, 2020) 1346 1347CHANGES: 1348 1349* auth/aws: The default set of metadata fields added in 1.3.2 has been changed to `account_id` and `auth_type` [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] 1350 1351IMPROVEMENTS: 1352 1353* auth/aws: The set of metadata stored during login is now configurable [[GH-8783](https://github.com/hashicorp/vault/pull/8783)] 1354 1355## 1.3.4 (March 19th, 2020) 1356 1357SECURITY: 1358 1359* A vulnerability was identified in Vault and Vault Enterprise such that, under certain circumstances, an Entity's Group membership may inadvertently include Groups the Entity no longer has permissions to. This vulnerability, CVE-2020-10660, affects Vault and Vault Enterprise versions 0.9.0 and newer, and is fixed in 1.3.4. [[GH-8606](https://github.com/hashicorp/vault/pull/8606)] 1360* A vulnerability was identified in Vault Enterprise such that, under certain circumstances, existing nested-path policies may give access to Namespaces created after-the-fact. This vulnerability, CVE-2020-10661, affects Vault Enterprise versions 0.11 and newer, and is fixed in 1.3.4. 1361 1362## 1.3.3 (March 5th, 2020) 1363 1364BUG FIXES: 1365 1366* approle: Fix excessive locking during tidy, which could potentially block new approle logins for long enough to cause an outage [[GH-8418](https://github.com/hashicorp/vault/pull/8418)] 1367* cli: Fix issue where Raft snapshots from standby nodes created an empty backup file [[GH-8097](https://github.com/hashicorp/vault/pull/8097)] 1368* identity: Fix incorrect caching of identity token JWKS responses [[GH-8412](https://github.com/hashicorp/vault/pull/8412)] 1369* kmip: role read now returns tls_client_ttl 1370* kmip: fix panic when templateattr not provided in rekey request 1371* secrets/database/influxdb: Fix potential panic if connection to the InfluxDB database cannot be established [[GH-8282](https://github.com/hashicorp/vault/pull/8282)] 1372* storage/mysql: Fix potential crash when using MySQL as coordination for high availability [[GH-8300](https://github.com/hashicorp/vault/pull/8300)] 1373* storage/raft: Fix potential crash when using Raft as coordination for high availability [[GH-8356](https://github.com/hashicorp/vault/pull/8356)] 1374* ui: Fix missing License menu item [[GH-8230](https://github.com/hashicorp/vault/pull/8230)] 1375* ui: Fix bug where default auth method on login is defaulted to auth method that is listing-visibility=unauth instead of “other” [[GH-8218](https://github.com/hashicorp/vault/pull/8218)] 1376* ui: Fix bug where KMIP details were not shown in the UI Wizard [[GH-8255](https://github.com/hashicorp/vault/pull/8255)] 1377* ui: Show Error messages on Auth Configuration page when you hit permission errors [[GH-8500](https://github.com/hashicorp/vault/pull/8500)] 1378* ui: Remove duplicate form inputs for the GitHub config [[GH-8519](https://github.com/hashicorp/vault/pull/8519)] 1379* ui: Correct HMAC capitalization [[GH-8528](https://github.com/hashicorp/vault/pull/8528)] 1380* ui: Fix danger message in DR [[GH-8555](https://github.com/hashicorp/vault/pull/8555)] 1381* ui: Fix certificate field for LDAP config [[GH-8573](https://github.com/hashicorp/vault/pull/8573)] 1382 1383## 1.3.2 (January 22nd, 2020) 1384 1385SECURITY: 1386 * When deleting a namespace on Vault Enterprise, in certain circumstances, the deletion 1387 process will fail to revoke dynamic secrets for a mount in that namespace. This will 1388 leave any dynamic secrets in remote systems alive and will fail to clean them up. This 1389 vulnerability, CVE-2020-7220, affects Vault Enterprise 0.11.0 and newer. 1390 1391IMPROVEMENTS: 1392 * auth/aws: Add aws metadata to identity alias [[GH-7985](https://github.com/hashicorp/vault/pull/7985)] 1393 * auth/kubernetes: Allow both names and namespaces to be set to "*" [[GH-78](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/78)] 1394 1395BUG FIXES: 1396 1397* auth/azure: Fix Azure compute client to use correct base URL [[GH-8072](https://github.com/hashicorp/vault/pull/8072)] 1398* auth/ldap: Fix renewal of tokens without configured policies that are 1399 generated by an LDAP login [[GH-8072](https://github.com/hashicorp/vault/pull/8072)] 1400* auth/okta: Fix renewal of tokens without configured policies that are 1401 generated by an Okta login [[GH-8072](https://github.com/hashicorp/vault/pull/8072)] 1402* core: Fix seal migration error when attempting to migrate from auto unseal to shamir [[GH-8172](https://github.com/hashicorp/vault/pull/8172)] 1403* core: Fix seal migration config issue when migrating from auto unseal to auto unseal [[GH-8172](https://github.com/hashicorp/vault/pull/8172)] 1404* plugin: Fix issue where a plugin unwrap request potentially used an expired token [[GH-8058](https://github.com/hashicorp/vault/pull/8058)] 1405* replication: Fix issue where a forwarded request from a performance/standby node could run into 1406 a timeout 1407* secrets/database: Fix issue where a manual static role rotation could potentially panic [[GH-8098](https://github.com/hashicorp/vault/pull/8098)] 1408* secrets/database: Fix issue where a manual root credential rotation request is not forwarded 1409 to the primary node [[GH-8125](https://github.com/hashicorp/vault/pull/8125)] 1410* secrets/database: Fix issue where a manual static role rotation request is not forwarded 1411 to the primary node [[GH-8126](https://github.com/hashicorp/vault/pull/8126)] 1412* secrets/database/mysql: Fix issue where special characters for a MySQL password were encoded [[GH-8040](https://github.com/hashicorp/vault/pull/8040)] 1413* ui: Fix deleting namespaces [[GH-8132](https://github.com/hashicorp/vault/pull/8132)] 1414* ui: Fix Error handler on kv-secret edit and kv-secret view pages [[GH-8133](https://github.com/hashicorp/vault/pull/8133)] 1415* ui: Fix OIDC callback to check storage [[GH-7929](https://github.com/hashicorp/vault/pull/7929)]. 1416* ui: Change `.box-radio` height to min-height to prevent overflow issues [[GH-8065](https://github.com/hashicorp/vault/pull/8065)] 1417 1418## 1.3.1 (December 18th, 2019) 1419 1420IMPROVEMENTS: 1421 1422* agent: Add ability to set `exit-after-auth` via the CLI [[GH-7920](https://github.com/hashicorp/vault/pull/7920)] 1423* auth/ldap: Add a `request_timeout` configuration option to prevent connection 1424 requests from hanging [[GH-7909](https://github.com/hashicorp/vault/pull/7909)] 1425* auth/kubernetes: Add audience to tokenreview API request for Kube deployments where issuer 1426 is not Kube. [[GH-74](https://github.com/hashicorp/vault/pull/74)] 1427* secrets/ad: Add a `request_timeout` configuration option to prevent connection 1428 requests from hanging [[GH-59](https://github.com/hashicorp/vault-plugin-secrets-ad/pull/59)] 1429* storage/postgresql: Add support for setting `connection_url` from enviornment 1430 variable `VAULT_PG_CONNECTION_URL` [[GH-7937](https://github.com/hashicorp/vault/pull/7937)] 1431* telemetry: Add `enable_hostname_label` option to telemetry stanza [[GH-7902](https://github.com/hashicorp/vault/pull/7902)] 1432* telemetry: Add accept header check for prometheus mime type [[GH-7958](https://github.com/hashicorp/vault/pull/7958)] 1433 1434BUG FIXES: 1435 1436* agent: Fix issue where Agent exits before all templates are rendered when 1437 using and `exit_after_auth` [[GH-7899](https://github.com/hashicorp/vault/pull/7899)] 1438* auth/aws: Fixes region-related issues when using a custom `sts_endpoint` by adding 1439 a `sts_region` parameter [[GH-7922](https://github.com/hashicorp/vault/pull/7922)] 1440* auth/token: Fix panic when getting batch tokens on a performance standby from a role 1441 that does not exist [[GH-8027](https://github.com/hashicorp/vault/pull/8027)] 1442* core: Improve warning message for lease TTLs [[GH-7901](https://github.com/hashicorp/vault/pull/7901)] 1443* identity: Fix identity token panic during invalidation [[GH-8043](https://github.com/hashicorp/vault/pull/8043)] 1444* plugin: Fix a panic that could occur if a mount/auth entry was unable to 1445 mount the plugin backend and a request that required the system view to be 1446 retrieved was made [[GH-7991](https://github.com/hashicorp/vault/pull/7991)] 1447* replication: Add `generate-public-key` endpoint to list of allowed endpoints 1448 for existing DR secondaries 1449* secrets/gcp: Fix panic if bindings aren't provided in roleset create/update. [[GH-56](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/56)] 1450* secrets/pki: Prevent generating certificate on performance standby when storing 1451 [[GH-7904](https://github.com/hashicorp/vault/pull/7904)] 1452* secrets/transit: Prevent restoring keys to new names that are sub paths [[GH-7998](https://github.com/hashicorp/vault/pull/7998)] 1453* storage/s3: Fix a bug in configurable S3 paths that was preventing use of S3 as 1454 a source during `operator migrate` operations [[GH-7966](https://github.com/hashicorp/vault/pull/7966)] 1455* ui: Ensure secrets with a period in their key can be viewed and copied [[GH-7926](https://github.com/hashicorp/vault/pull/7926)] 1456* ui: Fix status menu after demotion [[GH-7997](https://github.com/hashicorp/vault/pull/7997)] 1457* ui: Fix select dropdowns in Safari when running Mojave [[GH-8023](https://github.com/hashicorp/vault/pull/8023)] 1458 1459## 1.3 (November 14th, 2019) 1460 1461CHANGES: 1462 1463 * Secondary cluster activation: There has been a change to the way that activating 1464 performance and DR secondary clusters works when using public keys for 1465 encryption of the parameters rather than a wrapping token. This flow was 1466 experimental and never documented. It is now officially supported and 1467 documented but is not backwards compatible with older Vault releases. 1468 * Cluster cipher suites: On its cluster port, Vault will no longer advertise 1469 the full TLS 1.2 cipher suite list by default. Although this port is only 1470 used for Vault-to-Vault communication and would always pick a strong cipher, 1471 it could cause false flags on port scanners and other security utilities 1472 that assumed insecure ciphers were being used. The previous behavior can be 1473 achieved by setting the value of the (undocumented) `cluster_cipher_suites` 1474 config flag to `tls12`. 1475 * API/Agent Renewal behavior: The API now allows multiple options for how it 1476 deals with renewals. The legacy behavior in the Agent/API is for the renewer 1477 (now called the lifetime watcher) to exit on a renew error, leading to a 1478 reauthentication. The new default behavior is for the lifetime watcher to 1479 ignore 5XX errors and simply retry as scheduled, using the existing lease 1480 duration. It is also possible, within custom code, to disable renewals 1481 entirely, which allows the lifetime watcher to simply return when it 1482 believes it is time for your code to renew or reauthenticate. 1483 1484FEATURES: 1485 1486 * **Vault Debug**: A new top-level subcommand, `debug`, is added that allows 1487 operators to retrieve debugging information related to a particular Vault 1488 node. Operators can use this simple workflow to capture triaging information, 1489 which can then be consumed programmatically or by support and engineering teams. 1490 It has the abilitity to probe for config, host, metrics, pprof, server status, 1491 and replication status. 1492 * **Recovery Mode**: Vault server can be brought up in recovery mode to resolve 1493 outages caused due to data store being in bad state. This is a privileged mode 1494 that allows `sys/raw` API calls to perform surgical corrections to the data 1495 store. Bad storage state can be caused by bugs. However, this is usually 1496 observed when known (and fixed) bugs are hit by older versions of Vault. 1497 * **Entropy Augmentation (Enterprise)**: Vault now supports sourcing entropy from 1498 external source for critical security parameters. Currently an HSM that 1499 supports PKCS#11 is the only supported source. 1500 * **Active Directory Secret Check-In/Check-Out**: In the Active Directory secrets 1501 engine, users or applications can check out a service account for use, and its 1502 password will be rotated when it's checked back in. 1503 * **Vault Agent Template**: Vault Agent now supports rendering templates containing 1504 Vault secrets to disk, similar to Consul Template [[GH-7652](https://github.com/hashicorp/vault/pull/7652)] 1505 * **Transit Key Type Support**: Signing and verification is now supported with the P-384 1506 (secp384r1) and P-521 (secp521r1) ECDSA curves [[GH-7551](https://github.com/hashicorp/vault/pull/7551)] and encryption and 1507 decryption is now supported via AES128-GCM96 [[GH-7555](https://github.com/hashicorp/vault/pull/7555)] 1508 * **SSRF Protection for Vault Agent**: Vault Agent has a configuration option to 1509 require a specific header before allowing requests [[GH-7627](https://github.com/hashicorp/vault/pull/7627)] 1510 * **AWS Auth Method Root Rotation**: The credential used by the AWS auth method can 1511 now be rotated, to ensure that only Vault knows the credentials it is using [[GH-7131](https://github.com/hashicorp/vault/pull/7131)] 1512 * **New UI Features**: The UI now supports managing users and groups for the 1513 Userpass, Cert, Okta, and Radius auth methods. 1514 * **Shamir with Stored Master Key**: The on disk format for Shamir seals has changed, 1515 allowing for a secondary cluster using Shamir downstream from a primary cluster 1516 using Auto Unseal. [[GH-7694](https://github.com/hashicorp/vault/pull/7694)] 1517 * **Stackdriver Metrics Sink**: Vault can now send metrics to 1518 [Stackdriver](https://cloud.google.com/stackdriver/). See the [configuration 1519 documentation](https://www.vaultproject.io/docs/config/index.html) for 1520 details. [[GH-6957](https://github.com/hashicorp/vault/pull/6957)] 1521 * **Filtered Paths Replication (Enterprise)**: Based on the predecessor Filtered Mount Replication, 1522 Filtered Paths Replication allows now filtering of namespaces in addition to mounts. 1523 With this feature, Filtered Mount Replication should be considered deprecated. 1524 * **Token Renewal via Accessor**: Tokens can now be renewed via the accessor value through 1525 the new `auth/token/renew-accessor` endpoint if the caller's token has 1526 permission to access that endpoint. 1527 * **Improved Integrated Storage (Beta)**: Improved raft write performance, added support for 1528 non-voter nodes, along with UI support for: using raft storage, joining a raft cluster, 1529 and downloading and restoring a snapshot. 1530 1531IMPROVEMENTS: 1532 1533 * agent: Add ability to set the TLS SNI name used by Agent [[GH-7519](https://github.com/hashicorp/vault/pull/7519)] 1534 * agent & api: Change default renewer behavior to ignore 5XX errors [[GH-7733](https://github.com/hashicorp/vault/pull/7733)] 1535 * auth/jwt: The redirect callback host may now be specified for CLI logins 1536 [[GH-71](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/71)] 1537 * auth/jwt: Bound claims may now contain boolean values [[GH-73](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/73)] 1538 * auth/jwt: CLI logins can now open the browser when running in WSL [[GH-77](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/77)] 1539 * core: Exit ScanView if context has been cancelled [[GH-7419](https://github.com/hashicorp/vault/pull/7419)] 1540 * core: re-encrypt barrier and recovery keys if the unseal key is updated 1541 [[GH-7493](https://github.com/hashicorp/vault/pull/7493)] 1542 * core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster 1543 port, even though only strong ciphers were used [[GH-7487](https://github.com/hashicorp/vault/pull/7487)] 1544 * core (enterprise): Add background seal re-wrap 1545 * core/metrics: Add config parameter to allow unauthenticated sys/metrics 1546 access. [[GH-7550](https://github.com/hashicorp/vault/pull/7550)] 1547 * metrics: Upgrade DataDog library to improve performance [[GH-7794](https://github.com/hashicorp/vault/pull/7794)] 1548 * replication (enterprise): Write-Ahead-Log entries will not duplicate the 1549 data belonging to the encompassing physical entries of the transaction, 1550 thereby improving the performance and storage capacity. 1551 * replication (enterprise): Added more replication metrics 1552 * replication (enterprise): Reindex process now compares subpages for a more 1553 accurate indexing process. 1554 * replication (enterprise): Reindex API now accepts a new `skip_flush` 1555 parameter indicating all the changes should not be flushed while the tree is 1556 locked. 1557 * secrets/aws: The root config can now be read [[GH-7245](https://github.com/hashicorp/vault/pull/7245)] 1558 * secrets/aws: Role paths may now contain the '@' character [[GH-7553](https://github.com/hashicorp/vault/pull/7553)] 1559 * secrets/database/cassandra: Add ability to skip verfication of connection 1560 [[GH-7614](https://github.com/hashicorp/vault/pull/7614)] 1561 * secrets/gcp: Fix panic during rollback if the roleset has been deleted 1562 [[GH-52](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/52)] 1563 * storage/azure: Add config parameter to Azure storage backend to allow 1564 specifying the ARM endpoint [[GH-7567](https://github.com/hashicorp/vault/pull/7567)] 1565 * storage/cassandra: Improve storage efficiency by eliminating unnecessary 1566 copies of value data [[GH-7199](https://github.com/hashicorp/vault/pull/7199)] 1567 * storage/raft: Improve raft write performance by utilizing FSM Batching 1568 [[GH-7527](https://github.com/hashicorp/vault/pull/7527)] 1569 * storage/raft: Add support for non-voter nodes [[GH-7634](https://github.com/hashicorp/vault/pull/7634)] 1570 * sys: Add a new `sys/host-info` endpoint for querying information about 1571 the host [[GH-7330](https://github.com/hashicorp/vault/pull/7330)] 1572 * sys: Add a new set of endpoints under `sys/pprof/` that allows profiling 1573 information to be extracted [[GH-7473](https://github.com/hashicorp/vault/pull/7473)] 1574 * sys: Add endpoint that counts the total number of active identity entities 1575 [[GH-7541](https://github.com/hashicorp/vault/pull/7541)] 1576 * sys: `sys/seal-status` now has a `storage_type` field denoting what type of 1577 storage 1578 the cluster is configured to use 1579 * sys: Add a new `sys/internal/counters/tokens` endpoint, that counts the 1580 total number of active service token accessors in the shared token storage. 1581 [[GH-7541](https://github.com/hashicorp/vault/pull/7541)] 1582 * sys/config: Add a new endpoint under `sys/config/state/sanitized` that 1583 returns the configuration state of the server. It excludes config values 1584 from `storage`, `ha_storage`, and `seal` stanzas and some values 1585 from `telemetry` due to potential sensitive entries in those fields. 1586 * ui: when using raft storage, you can now join a raft cluster, download a 1587 snapshot, and restore a snapshot from the UI [[GH-7410](https://github.com/hashicorp/vault/pull/7410)] 1588 * ui: clarify when secret version is deleted in the secret version history 1589 dropdown [[GH-7714](https://github.com/hashicorp/vault/pull/7714)] 1590 1591BUG FIXES: 1592 1593 * agent: Fix a data race on the token value for inmemsink [[GH-7707](https://github.com/hashicorp/vault/pull/7707)] 1594 * api: Fix Go API using lease revocation via URL instead of body [[GH-7777](https://github.com/hashicorp/vault/pull/7777)] 1595 * api: Allow setting a function to control retry behavior [[GH-7331](https://github.com/hashicorp/vault/pull/7331)] 1596 * auth/gcp: Fix a bug where region information in instance groups names could 1597 cause an authorization attempt to fail [[GH-74](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/74)] 1598 * cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token) 1599 could cause confusing error messages during `vault login` [[GH-7508](https://github.com/hashicorp/vault/pull/7508)] 1600 * cli: Fix a bug where the `namespace list` command with JSON formatting 1601 always returned an empty object [[GH-7705](https://github.com/hashicorp/vault/pull/7705)] 1602 * cli: Command timeouts are now always specified solely by the 1603 `VAULT_CLIENT_TIMEOUT` value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)] 1604 * core: Don't allow registering a non-root zero TTL token lease. This is purely 1605 defense in depth as the lease would be revoked immediately anyways, but 1606 there's no real reason to allow registration. [[GH-7524](https://github.com/hashicorp/vault/pull/7524)] 1607 * core: Correctly revoke the token that's present in the response auth from a 1608 auth/token/ request if there's partial failure during the process. [[GH-7835](https://github.com/hashicorp/vault/pull/7835)] 1609 * identity (enterprise): Fixed identity case sensitive loading in secondary 1610 cluster [[GH-7327](https://github.com/hashicorp/vault/pull/7327)] 1611 * identity: Ensure only replication primary stores the identity case sensitivity state [[GH-7820](https://github.com/hashicorp/vault/pull/7820)] 1612 * raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup [[GH-7619](https://github.com/hashicorp/vault/pull/7619)] 1613 * secrets/pki: Don't allow duplicate SAN names in issued certs [[GH-7605](https://github.com/hashicorp/vault/pull/7605)] 1614 * sys/health: Pay attention to the values provided for `standbyok` and 1615 `perfstandbyok` rather than simply using their presence as a key to flip on 1616 that behavior [[GH-7323](https://github.com/hashicorp/vault/pull/7323)] 1617 * ui: using the `wrapped_token` query param will work with `redirect_to` and 1618 will automatically log in as intended [[GH-7398](https://github.com/hashicorp/vault/pull/7398)] 1619 * ui: fix an error when initializing from the UI using PGP keys [[GH-7542](https://github.com/hashicorp/vault/pull/7542)] 1620 * ui: show all active kv v2 secret versions even when `delete_version_after` is configured [[GH-7685](https://github.com/hashicorp/vault/pull/7685)] 1621 * ui: Ensure that items in the top navigation link to pages that users have access to [[GH-7590](https://github.com/hashicorp/vault/pull/7590)] 1622 1623## 1.2.7 1624### August 27th, 2020 1625 1626NOTE: 1627 1628All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8, 1.2.6, and 1.2.5 has been made fully open source, and the git tags for 1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source users. 1629 1630BUG FIXES: 1631 1632* auth/aws: Made header handling for IAM authentication more robust 1633 1634## 1.2.6.1 1635### August 21st, 2020 1636### Enterprise Only 1637 1638NOTE: 1639 1640Includes correct license in the HSM binary. 1641 1642## 1.2.6 1643### August 20th, 2020 1644 1645NOTE: 1646 1647OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 1648 1649KNOWN ISSUES: 1650 1651* AWS IAM logins may return an error depending on the headers sent with the request. 1652 For more details and a workaround, see the [1.2.6 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.2.6) 1653* In versions 1.2.6, 1.3.9, 1.4.5, and 1.5.2, enterprise licenses on the HSM build were not incorporated correctly - enterprise 1654 customers should use 1.2.6.1, 1.3.9.1, 1.4.5.1, and 1.5.2.1. 1655 1656## 1.2.5 1657### August 20th, 2020 1658 1659SECURITY: 1660 1661 * When using the IAM AWS Auth Method, under certain circumstances, values Vault uses to validate identities and roles can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.7.1 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16250) (Discovered by Felix Wilhelm of Google Project Zero) 1662 * When using the GCP GCE Auth Method, under certain circumstances, values Vault uses to validate GCE VMs can be manipulated and bypassed. This vulnerability affects Vault and Vault Enterprise 0.8.3 and newer and is fixed in 1.2.5, 1.3.8, 1.4.4, and 1.5.1 (CVE-2020-16251) (Discovered by Felix Wilhelm of Google Project Zero) 1663 1664KNOWN ISSUES: 1665 1666* OSS binaries of 1.5.1, 1.4.4, 1.3.8, and 1.2.5 were built without the Vault UI. Enterprise binaries are not affected. 1667* AWS IAM logins may return an error depending on the headers sent with the request. 1668 For more details and a workaround, see the [1.2.5 Upgrade Guide](https://www.vaultproject.io/docs/upgrading/upgrade-to-1.2.5) 1669 1670BUG FIXES: 1671* seal: (enterprise) Fix issue causing stored seal and recovery keys to be mistaken as sealwrapped values 1672 1673## 1.2.4 (November 7th, 2019) 1674 1675SECURITY: 1676 1677 * In a non-root namespace, revocation of a token scoped to a non-root 1678 namespace did not trigger the expected revocation of dynamic secret leases 1679 associated with that token. As a result, dynamic secret leases in non-root 1680 namespaces may outlive the token that created them. This vulnerability, 1681 CVE-2019-18616, affects Vault Enterprise 0.11.0 and newer. 1682 * Disaster Recovery secondary clusters did not delete already-replicated data 1683 after a mount filter has been created on an upstream Performance secondary 1684 cluster. As a result, encrypted secrets may remain replicated on a Disaster 1685 Recovery secondary cluster after application of a mount filter excluding 1686 those secrets from replication. This vulnerability, CVE-2019-18617, affects 1687 Vault Enterprise 0.8 and newer. 1688 * Update version of Go to 1.12.12 to fix Go bug golang.org/issue/34960 which 1689 corresponds to CVE-2019-17596. 1690 1691CHANGES: 1692 1693 * auth/aws: If a custom `sts_endpoint` is configured, Vault Agent and the CLI 1694 should provide the corresponding region via the `region` parameter (which 1695 already existed as a CLI parameter, and has now been added to Agent). The 1696 automatic region detection added to the CLI and Agent in 1.2 has been removed. 1697 1698IMPROVEMENTS: 1699 1700 * cli: Ignore existing token during CLI login [[GH-7508](https://github.com/hashicorp/vault/pull/7508)] 1701 * core: Log proxy settings from environment on startup [[GH-7528](https://github.com/hashicorp/vault/pull/7528)] 1702 * core: Cache whether we've been initialized to reduce load on storage [[GH-7549](https://github.com/hashicorp/vault/pull/7549)] 1703 1704BUG FIXES: 1705 1706 * agent: Fix handling of gzipped responses [[GH-7470](https://github.com/hashicorp/vault/pull/7470)] 1707 * cli: Fix panic when pgp keys list is empty [[GH-7546](https://github.com/hashicorp/vault/pull/7546)] 1708 * cli: Command timeouts are now always specified solely by the 1709 `VAULT_CLIENT_TIMEOUT` value. [[GH-7469](https://github.com/hashicorp/vault/pull/7469)] 1710 * core: add hook for initializing seals for migration [[GH-7666](https://github.com/hashicorp/vault/pull/7666)] 1711 * core (enterprise): Migrating from one auto unseal method to another never 1712 worked on enterprise, now it does. 1713 * identity: Add required field `response_types_supported` to identity token 1714 `.well-known/openid-configuration` response [[GH-7533](https://github.com/hashicorp/vault/pull/7533)] 1715 * identity: Fixed nil pointer panic when merging entities [[GH-7712](https://github.com/hashicorp/vault/pull/7712)] 1716 * replication (Enterprise): Fix issue causing performance standbys nodes 1717 disconnecting when under high loads. 1718 * secrets/azure: Fix panic that could occur if client retries timeout [[GH-7793](https://github.com/hashicorp/vault/pull/7793)] 1719 * secrets/database: Fix bug in combined DB secrets engine that can result in 1720 writes to static-roles endpoints timing out [[GH-7518](https://github.com/hashicorp/vault/pull/7518)] 1721 * secrets/pki: Improve tidy to continue when value is nil [[GH-7589](https://github.com/hashicorp/vault/pull/7589)] 1722 * ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to be 1723 viewed in the UI [[GH-7504](https://github.com/hashicorp/vault/pull/7504)] 1724 1725## 1.2.3 (September 12, 2019) 1726 1727FEATURES: 1728 1729* **Oracle Cloud (OCI) Integration**: Vault now support using Oracle Cloud for 1730 storage, auto unseal, and authentication. 1731 1732IMPROVEMENTS: 1733 1734 * auth/jwt: Groups claim matching now treats a string response as a single 1735 element list [[GH-63](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/63)] 1736 * auth/kubernetes: enable better support for projected tokens API by allowing 1737 user to specify issuer [[GH-65](https://github.com/hashicorp/vault/pull/65)] 1738 * auth/pcf: The PCF auth plugin was renamed to the CF auth plugin, maintaining 1739 full backwards compatibility [[GH-7346](https://github.com/hashicorp/vault/pull/7346)] 1740 * replication: Premium packages now come with unlimited performance standby 1741 nodes 1742 1743BUG FIXES: 1744 1745 * agent: Allow batch tokens and other non-renewable tokens to be used for 1746 agent operations [[GH-7441](https://github.com/hashicorp/vault/pull/7441)] 1747 * auth/jwt: Fix an error where newer (v1.2) token_* configuration parameters 1748 were not being applied to tokens generated using the OIDC login flow 1749 [[GH-67](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/67)] 1750 * raft: Fix an incorrect JSON tag on `leader_ca_cert` in the join request [[GH-7393](https://github.com/hashicorp/vault/pull/7393)] 1751 * seal/transit: Allow using Vault Agent for transit seal operations [[GH-7441](https://github.com/hashicorp/vault/pull/7441)] 1752 * storage/couchdb: Fix a file descriptor leak [[GH-7345](https://github.com/hashicorp/vault/pull/7345)] 1753 * ui: Fix a bug where the status menu would disappear when trying to revoke a 1754 token [[GH-7337](https://github.com/hashicorp/vault/pull/7337)] 1755 * ui: Fix a regression that prevented input of custom items in search-select 1756 [[GH-7338](https://github.com/hashicorp/vault/pull/7338)] 1757 * ui: Fix an issue with the namespace picker being unable to render nested 1758 namespaces named with numbers and sorting of namespaces in the picker 1759 [[GH-7333](https://github.com/hashicorp/vault/pull/7333)] 1760 1761## 1.2.2 (August 15, 2019) 1762 1763CHANGES: 1764 1765 * auth/pcf: The signature format has been updated to use the standard Base64 1766 encoding instead of the URL-safe variant. Signatures created using the 1767 previous format will continue to be accepted [PCF-27] 1768 * core: The http response code returned when an identity token key is not found 1769 has been changed from 400 to 404 1770 1771IMPROVEMENTS: 1772 1773 * identity: Remove 512 entity limit for groups [[GH-7317](https://github.com/hashicorp/vault/pull/7317)] 1774 1775BUG FIXES: 1776 1777 * auth/approle: Fix an error where an empty `token_type` string was not being 1778 correctly handled as `TokenTypeDefault` [[GH-7273](https://github.com/hashicorp/vault/pull/7273)] 1779 * auth/radius: Fix panic when logging in [[GH-7286](https://github.com/hashicorp/vault/pull/7286)] 1780 * ui: the string-list widget will now honor multiline input [[GH-7254](https://github.com/hashicorp/vault/pull/7254)] 1781 * ui: various visual bugs in the KV interface were addressed [[GH-7307](https://github.com/hashicorp/vault/pull/7307)] 1782 * ui: fixed incorrect URL to access help in LDAP auth [[GH-7299](https://github.com/hashicorp/vault/pull/7299)] 1783 1784## 1.2.1 (August 6th, 2019) 1785 1786BUG FIXES: 1787 1788 * agent: Fix a panic on creds pulling in some error conditions in `aws` and 1789 `alicloud` auth methods [[GH-7238](https://github.com/hashicorp/vault/pull/7238)] 1790 * auth/approle: Fix error reading role-id on a role created pre-1.2 [[GH-7231](https://github.com/hashicorp/vault/pull/7231)] 1791 * auth/token: Fix sudo check in non-root namespaces on create [[GH-7224](https://github.com/hashicorp/vault/pull/7224)] 1792 * core: Fix health checks with perfstandbyok=true returning the wrong status 1793 code [[GH-7240](https://github.com/hashicorp/vault/pull/7240)] 1794 * ui: The web CLI will now parse input as a shell string, with special 1795 characters escaped [[GH-7206](https://github.com/hashicorp/vault/pull/7206)] 1796 * ui: The UI will now redirect to a page after authentication [[GH-7088](https://github.com/hashicorp/vault/pull/7088)] 1797 * ui (Enterprise): The list of namespaces is now cleared when logging 1798 out [[GH-7186](https://github.com/hashicorp/vault/pull/7186)] 1799 1800## 1.2.0 (July 30th, 2019) 1801 1802CHANGES: 1803 1804 * Token store roles use new, common token fields for the values 1805 that overlap with other auth backends. `period`, `explicit_max_ttl`, and 1806 `bound_cidrs` will continue to work, with priority being given to the 1807 `token_` prefixed versions of those parameters. They will also be returned 1808 when doing a read on the role if they were used to provide values initially; 1809 however, in Vault 1.4 if `period` or `explicit_max_ttl` is zero they will no 1810 longer be returned. (`explicit_max_ttl` was already not returned if empty.) 1811 * Due to underlying changes in Go version 1.12 and Go > 1.11.5, Vault is now 1812 stricter about what characters it will accept in path names. Whereas before 1813 it would filter out unprintable characters (and this could be turned off), 1814 control characters and other invalid characters are now rejected within Go's 1815 HTTP library before the request is passed to Vault, and this cannot be 1816 disabled. To continue using these (e.g. for already-written paths), they 1817 must be properly percent-encoded (e.g. `\r` becomes `%0D`, `\x00` becomes 1818 `%00`, and so on). 1819 * The user-configured regions on the AWSKMS seal stanza will now be preferred 1820 over regions set in the enclosing environment. This is a _breaking_ change. 1821 * All values in audit logs now are omitted if they are empty. This helps 1822 reduce the size of audit log entries by not reproducing keys in each entry 1823 that commonly don't contain any value, which can help in cases where audit 1824 log entries are above the maximum UDP packet size and others. 1825 * Both PeriodicFunc and WALRollback functions will be called if both are 1826 provided. Previously WALRollback would only be called if PeriodicFunc was 1827 not set. See [[GH-6717](https://github.com/hashicorp/vault/pull/6717)] for 1828 details. 1829 * Vault now uses Go's official dependency management system, Go Modules, to 1830 manage dependencies. As a result to both reduce transitive dependencies for 1831 API library users and plugin authors, and to work around various conflicts, 1832 we have moved various helpers around, mostly under an `sdk/` submodule. A 1833 couple of functions have also moved from plugin helper code to the `api/` 1834 submodule. If you are a plugin author, take a look at some of our official 1835 plugins and the paths they are importing for guidance. 1836 * AppRole uses new, common token fields for values that overlap 1837 with other auth backends. `period` and `policies` will continue to work, 1838 with priority being given to the `token_` prefixed versions of those 1839 parameters. They will also be returned when doing a read on the role if they 1840 were used to provide values initially. 1841 * In AppRole, `"default"` is no longer automatically added to the `policies` 1842 parameter. This was a no-op since it would always be added anyways by 1843 Vault's core; however, this can now be explicitly disabled with the new 1844 `token_no_default_policy` field. 1845 * In AppRole, `bound_cidr_list` is no longer returned when reading a role 1846 * rollback: Rollback will no longer display log messages when it runs; it will 1847 only display messages on error. 1848 * Database plugins will now default to 4 `max_open_connections` 1849 rather than 2. 1850 1851FEATURES: 1852 1853 * **Integrated Storage**: Vault 1.2 includes a _tech preview_ of a new way to 1854 manage storage directly within a Vault cluster. This new integrated storage 1855 solution is based on the Raft protocol which is also used to back HashiCorp 1856 Consul and HashiCorp Nomad. 1857 * **Combined DB credential rotation**: Alternative mode for the Combined DB 1858 Secret Engine to automatically rotate existing database account credentials 1859 and set Vault as the source of truth for credentials. 1860 * **Identity Tokens**: Vault's Identity system can now generate OIDC-compliant 1861 ID tokens. These customizable tokens allow encapsulating a signed, verifiable 1862 snapshot of identity information and metadata. They can be use by other 1863 applications—even those without Vault authorization—as a way of establishing 1864 identity based on a Vault entity. 1865 * **Pivotal Cloud Foundry plugin**: New auth method using Pivotal Cloud 1866 Foundry certificates for Vault authentication. 1867 * **ElasticSearch database plugin**: New ElasticSearch database plugin issues 1868 unique, short-lived ElasticSearch credentials. 1869 * **New UI Features**: An HTTP Request Volume Page and new UI for editing LDAP 1870 Users and Groups have been added. 1871 * **HA support for Postgres**: PostgreSQL versions >= 9.5 may now but used as 1872 and HA storage backend. 1873 * **KMIP secrets engine (Enterprise)**: Allows Vault to operate as a KMIP 1874 Server, seamlessly brokering cryptographic operations for traditional 1875 infrastructure. 1876 * Common Token Fields: Auth methods now use common fields for controlling 1877 token behavior, making it easier to understand configuration across methods. 1878 * **Vault API explorer**: The Vault UI now includes an embedded API explorer 1879 where you can browse the endpoints avaliable to you and make requests. To try 1880 it out, open the Web CLI and type `api`. 1881 1882IMPROVEMENTS: 1883 1884 * agent: Allow EC2 nonce to be passed in [[GH-6953](https://github.com/hashicorp/vault/pull/6953)] 1885 * agent: Add optional `namespace` parameter, which sets the default namespace 1886 for the auto-auth functionality [[GH-6988](https://github.com/hashicorp/vault/pull/6988)] 1887 * agent: Add cert auto-auth method [[GH-6652](https://github.com/hashicorp/vault/pull/6652)] 1888 * api: Add support for passing data to delete operations via `DeleteWithData` 1889 [[GH-7139](https://github.com/hashicorp/vault/pull/7139)] 1890 * audit/file: Dramatically speed up file operations by changing 1891 locking/marshaling order [[GH-7024](https://github.com/hashicorp/vault/pull/7024)] 1892 * auth/jwt: A JWKS endpoint may now be configured for signature verification [[GH-43](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/43)] 1893 * auth/jwt: A new `verbose_oidc_logging` role parameter has been added to help 1894 troubleshoot OIDC configuration [[GH-57](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/57)] 1895 * auth/jwt: `bound_claims` will now match received claims that are lists if any element 1896 of the list is one of the expected values [[GH-50](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/50)] 1897 * auth/jwt: Leeways for `nbf` and `exp` are now configurable, as is clock skew 1898 leeway [[GH-53](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/53)] 1899 * auth/kubernetes: Allow service names/namespaces to be configured as globs 1900 [[GH-58](https://github.com/hashicorp/vault-plugin-auth-kubernetes/pull/58)] 1901 * auth/token: Allow the support of the identity system for the token backend 1902 via token roles [[GH-6267](https://github.com/hashicorp/vault/pull/6267)] 1903 * auth/token: Add a large set of token configuration options to token store 1904 roles [[GH-6662](https://github.com/hashicorp/vault/pull/6662)] 1905 * cli: `path-help` now allows `-format=json` to be specified, which will 1906 output OpenAPI [[GH-7006](https://github.com/hashicorp/vault/pull/7006)] 1907 * cli: Add support for passing parameters to `vault delete` operations 1908 [[GH-7139](https://github.com/hashicorp/vault/pull/7139)] 1909 * cli: Add a log-format CLI flag that can specify either "standard" or "json" 1910 for the log format for the `vault server`command. [[GH-6840](https://github.com/hashicorp/vault/pull/6840)] 1911 * cli: Add `-dev-no-store-token` to allow dev servers to not store the 1912 generated token at the tokenhelper location [[GH-7104](https://github.com/hashicorp/vault/pull/7104)] 1913 * identity: Allow a group alias' canonical ID to be modified 1914 * namespaces: Namespaces can now be created and deleted from performance 1915 replication secondaries 1916 * plugins: Change the default for `max_open_connections` for DB plugins to 4 1917 [[GH-7093](https://github.com/hashicorp/vault/pull/7093)] 1918 * replication: Client TLS authentication is now supported when enabling or 1919 updating a replication secondary 1920 * secrets/database: Cassandra operations will now cancel on client timeout 1921 [[GH-6954](https://github.com/hashicorp/vault/pull/6954)] 1922 * secrets/kv: Add optional `delete_version_after` parameter, which takes a 1923 duration and can be set on the mount and/or the metadata for a specific key 1924 [[GH-7005](https://github.com/hashicorp/vault/pull/7005)] 1925 * storage/postgres: LIST now performs better on large datasets [[GH-6546](https://github.com/hashicorp/vault/pull/6546)] 1926 * storage/s3: A new `path` parameter allows selecting the path within a bucket 1927 for Vault data [[GH-7157](https://github.com/hashicorp/vault/pull/7157)] 1928 * ui: KV v1 and v2 will now gracefully degrade allowing a write without read 1929 workflow in the UI [[GH-6570](https://github.com/hashicorp/vault/pull/6570)] 1930 * ui: Many visual improvements with the addition of Toolbars [[GH-6626](https://github.com/hashicorp/vault/pull/6626)], the restyling 1931 of the Confirm Action component [[GH-6741](https://github.com/hashicorp/vault/pull/6741)], and using a new set of glyphs for our 1932 Icon component [[GH-6736](https://github.com/hashicorp/vault/pull/6736)] 1933 * ui: Lazy loading parts of the application so that the total initial payload is 1934 smaller [[GH-6718](https://github.com/hashicorp/vault/pull/6718)] 1935 * ui: Tabbing to auto-complete in filters will first complete a common prefix if there 1936 is one [[GH-6759](https://github.com/hashicorp/vault/pull/6759)] 1937 * ui: Removing jQuery from the application makes the initial JS payload smaller [[GH-6768](https://github.com/hashicorp/vault/pull/6768)] 1938 1939BUG FIXES: 1940 1941 * audit: Log requests and responses due to invalid wrapping token provided 1942 [[GH-6541](https://github.com/hashicorp/vault/pull/6541)] 1943 * audit: Fix bug preventing request counter queries from working with auditing 1944 enabled [[GH-6767](https://github.com/hashicorp/vault/pull/6767) 1945 * auth/aws: AWS Roles are now upgraded and saved to the latest version just 1946 after the AWS credential plugin is mounted. [[GH-7025](https://github.com/hashicorp/vault/pull/7025)] 1947 * auth/aws: Fix a case where a panic could stem from a malformed assumed-role ARN 1948 when parsing this value [[GH-6917](https://github.com/hashicorp/vault/pull/6917)] 1949 * auth/aws: Fix an error complaining about a read-only view that could occur 1950 during updating of a role when on a performance replication secondary 1951 [[GH-6926](https://github.com/hashicorp/vault/pull/6926)] 1952 * auth/jwt: Fix a regression introduced in 1.1.1 that disabled checking of client_id 1953 for OIDC logins [[GH-54](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/54)] 1954 * auth/jwt: Fix a panic during OIDC CLI logins that could occur if the Vault server 1955 response is empty [[GH-55](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/55)] 1956 * auth/jwt: Fix issue where OIDC logins might intermittently fail when using 1957 performance standbys [[GH-61](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/61)] 1958 * identity: Fix a case where modifying aliases of an entity could end up 1959 moving the entity into the wrong namespace 1960 * namespaces: Fix a behavior (currently only known to be benign) where we 1961 wouldn't delete policies through the official functions before wiping the 1962 namespaces on deletion 1963 * secrets/database: Escape username/password before using in connection URL 1964 [[GH-7089](https://github.com/hashicorp/vault/pull/7089)] 1965 * secrets/pki: Forward revocation requests to active node when on a 1966 performance standby [[GH-7173](https://github.com/hashicorp/vault/pull/7173)] 1967 * ui: Fix timestamp on some transit keys [[GH-6827](https://github.com/hashicorp/vault/pull/6827)] 1968 * ui: Show Entities and Groups in Side Navigation [[GH-7138](https://github.com/hashicorp/vault/pull/7138)] 1969 * ui: Ensure dropdown updates selected item on HTTP Request Metrics page 1970 1971## 1.1.4/1.1.5 (July 25th/30th, 2019) 1972 1973NOTE: 1974 1975Although 1.1.4 was tagged, we realized very soon after the tag was publicly 1976pushed that an intended fix was accidentally left out. As a result, 1.1.4 was 1977not officially announced and 1.1.5 should be used as the release after 1.1.3. 1978 1979IMPROVEMENTS: 1980 1981 * identity: Allow a group alias' canonical ID to be modified 1982 * namespaces: Improve namespace deletion performance [[GH-6939](https://github.com/hashicorp/vault/pull/6939)] 1983 * namespaces: Namespaces can now be created and deleted from performance 1984 replication secondaries 1985 1986BUG FIXES: 1987 1988 * api: Add backwards compat support for API env vars [[GH-7135](https://github.com/hashicorp/vault/pull/7135)] 1989 * auth/aws: Fix a case where a panic could stem from a malformed assumed-role 1990 ARN when parsing this value [[GH-6917](https://github.com/hashicorp/vault/pull/6917)] 1991 * auth/ldap: Add `use_pre111_group_cn_behavior` flag to allow recovering from 1992 a regression caused by a bug fix starting in 1.1.1 [[GH-7208](https://github.com/hashicorp/vault/pull/7208)] 1993 * auth/aws: Use a role cache to avoid separate locking paths [[GH-6926](https://github.com/hashicorp/vault/pull/6926)] 1994 * core: Fix a deadlock if a panic happens during request handling [[GH-6920](https://github.com/hashicorp/vault/pull/6920)] 1995 * core: Fix an issue that may cause key upgrades to not be cleaned up properly 1996 [[GH-6949](https://github.com/hashicorp/vault/pull/6949)] 1997 * core: Don't shutdown if key upgrades fail due to canceled context [[GH-7070](https://github.com/hashicorp/vault/pull/7070)] 1998 * core: Fix panic caused by handling requests while vault is inactive 1999 * identity: Fix reading entity and groups that have spaces in their names 2000 [[GH-7055](https://github.com/hashicorp/vault/pull/7055)] 2001 * identity: Ensure entity alias operations properly verify namespace [[GH-6886](https://github.com/hashicorp/vault/pull/6886)] 2002 * mfa: Fix a nil pointer panic that could occur if invalid Duo credentials 2003 were supplied 2004 * replication: Forward step-down on perf standbys to match HA behavior 2005 * replication: Fix various read only storage errors on performance standbys 2006 * replication: Stop forwarding before stopping replication to eliminate some 2007 possible bad states 2008 * secrets/database: Allow cassandra queries to be cancled [[GH-6954](https://github.com/hashicorp/vault/pull/6954)] 2009 * storage/consul: Fix a regression causing vault to not connect to consul over 2010 unix sockets [[GH-6859](https://github.com/hashicorp/vault/pull/6859)] 2011 * ui: Fix saving of TTL and string array fields generated by Open API [[GH-7094](https://github.com/hashicorp/vault/pull/7094)] 2012 2013## 1.1.3 (June 5th, 2019) 2014 2015IMPROVEMENTS: 2016 2017 * agent: Now supports proxying request query parameters [[GH-6772](https://github.com/hashicorp/vault/pull/6772)] 2018 * core: Mount table output now includes a UUID indicating the storage path [[GH-6633](https://github.com/hashicorp/vault/pull/6633)] 2019 * core: HTTP server timeout values are now configurable [[GH-6666](https://github.com/hashicorp/vault/pull/6666)] 2020 * replication: Improve performance of the reindex operation on secondary clusters 2021 when mount filters are in use 2022 * replication: Replication status API now returns the state and progress of a reindex 2023 2024BUG FIXES: 2025 2026 * api: Return the Entity ID in the secret output [[GH-6819](https://github.com/hashicorp/vault/pull/6819)] 2027 * auth/jwt: Consider bound claims when considering if there is at least one 2028 bound constraint [[GH-49](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/49)] 2029 * auth/okta: Fix handling of group names containing slashes [[GH-6665](https://github.com/hashicorp/vault/pull/6665)] 2030 * cli: Add deprecated stored-shares flag back to the init command [[GH-6677](https://github.com/hashicorp/vault/pull/6677)] 2031 * cli: Fix a panic when the KV command would return no data [[GH-6675](https://github.com/hashicorp/vault/pull/6675)] 2032 * cli: Fix issue causing CLI list operations to not return proper format when 2033 there is an empty response [[GH-6776](https://github.com/hashicorp/vault/pull/6776)] 2034 * core: Correctly honor non-HMAC request keys when auditing requests [[GH-6653](https://github.com/hashicorp/vault/pull/6653)] 2035 * core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of 2036 endpoints [[GH-6654](https://github.com/hashicorp/vault/pull/6654)] 2037 * core: Fix issue where some OpenAPI parameters were incorrectly listed as 2038 being sent as a header [[GH-6679](https://github.com/hashicorp/vault/pull/6679)] 2039 * core: Fix issue that would allow duplicate mount names to be used [[GH-6771](https://github.com/hashicorp/vault/pull/6771)] 2040 * namespaces: Fix behavior when using `root` instead of `root/` as the 2041 namespace header value 2042 * pki: fix a panic when a client submits a null value [[GH-5679](https://github.com/hashicorp/vault/pull/5679)] 2043 * replication: Properly update mount entry cache on a secondary to apply all 2044 new values after a tune 2045 * replication: Properly close connection on bootstrap error 2046 * replication: Fix an issue causing startup problems if a namespace policy 2047 wasn't replicated properly 2048 * replication: Fix longer than necessary WAL replay during an initial reindex 2049 * replication: Fix error during mount filter invalidation on DR secondary clusters 2050 * secrets/ad: Make time buffer configurable [AD-35] 2051 * secrets/gcp: Check for nil config when getting credentials [[GH-35](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/35)] 2052 * secrets/gcp: Fix error checking in some cases where the returned value could 2053 be 403 instead of 404 [[GH-37](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/37)] 2054 * secrets/gcpkms: Disable key rotation when deleting a key [[GH-10](https://github.com/hashicorp/vault-plugin-secrets-gcpkms/pull/10)] 2055 * storage/consul: recognize `https://` address even if schema not specified 2056 [[GH-6602](https://github.com/hashicorp/vault/pull/6602)] 2057 * storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA) 2058 could cause constant switching of the active node [[GH-6637](https://github.com/hashicorp/vault/pull/6637)] 2059 * storage/dynamodb: Eliminate a high-CPU condition that could occur if an 2060 error was received from the DynamoDB API [[GH-6640](https://github.com/hashicorp/vault/pull/6640)] 2061 * storage/gcs: Correctly use configured chunk size values [[GH-6655](https://github.com/hashicorp/vault/pull/6655)] 2062 * storage/mssql: Use the correct database when pre-created schemas exist 2063 [[GH-6356](https://github.com/hashicorp/vault/pull/6356)] 2064 * ui: Fix issue with select arrows on drop down menus [[GH-6627](https://github.com/hashicorp/vault/pull/6627)] 2065 * ui: Fix an issue where sensitive input values weren't being saved to the 2066 server [[GH-6586](https://github.com/hashicorp/vault/pull/6586)] 2067 * ui: Fix web cli parsing when using quoted values [[GH-6755](https://github.com/hashicorp/vault/pull/6755)] 2068 * ui: Fix a namespace workflow mapping identities from external namespaces by 2069 allowing arbitrary input in search-select component [[GH-6728](https://github.com/hashicorp/vault/pull/6728)] 2070 2071## 1.1.2 (April 18th, 2019) 2072 2073This is a bug fix release containing the two items below. It is otherwise 2074unchanged from 1.1.1. 2075 2076BUG FIXES: 2077 2078 * auth/okta: Fix a potential dropped error [[GH-6592](https://github.com/hashicorp/vault/pull/6592)] 2079 * secrets/kv: Fix a regression on upgrade where a KVv2 mount could fail to be 2080 mounted on unseal if it had previously been mounted but not written to 2081 [[GH-31](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/31)] 2082 2083## 1.1.1 (April 11th, 2019) 2084 2085SECURITY: 2086 2087 * Given: (a) performance replication is enabled; (b) performance standbys are 2088 in use on the performance replication secondary cluster; and (c) mount 2089 filters are in use, if a mount that was previously available to a secondary 2090 is updated to be filtered out, although the data would be removed from the 2091 secondary cluster, the in-memory cache of the data would not be purged on 2092 the performance standby nodes. As a result, the previously-available data 2093 could still be read from memory if it was ever read from disk, and if this 2094 included mount configuration data this could result in token or lease 2095 issuance. The issue is fixed in this release; in prior releases either an 2096 active node changeover (such as a step-down) or a restart of the standby 2097 nodes is sufficient to cause the performance standby nodes to clear their 2098 cache. A CVE is in the process of being issued; the number is 2099 CVE-2019-11075. 2100 * Roles in the JWT Auth backend using the OIDC login flow (i.e. role_type of 2101 “oidc”) were not enforcing bound_cidrs restrictions, if any were configured 2102 for the role. This issue did not affect roles of type “jwt”. 2103 2104CHANGES: 2105 2106 * auth/jwt: Disallow logins of role_type "oidc" via the `/login` path [[GH-38](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/38)] 2107 * core/acl: New ordering defines which policy wins when there are multiple 2108 inexact matches and at least one path contains `+`. `+*` is now illegal in 2109 policy paths. The previous behavior simply selected any matching 2110 segment-wildcard path that matched. [[GH-6532](https://github.com/hashicorp/vault/pull/6532)] 2111 * replication: Due to technical limitations, mounting and unmounting was not 2112 previously possible from a performance secondary. These have been resolved, 2113 and these operations may now be run from a performance secondary. 2114 2115IMPROVEMENTS: 2116 2117 * agent: Allow AppRole auto-auth without a secret-id [[GH-6324](https://github.com/hashicorp/vault/pull/6324)] 2118 * auth/gcp: Cache clients to improve performance and reduce open file usage 2119 * auth/jwt: Bounds claims validiation will now allow matching the received 2120 claims against a list of expected values [[GH-41](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/41)] 2121 * secret/gcp: Cache clients to improve performance and reduce open file usage 2122 * replication: Mounting/unmounting/remounting/mount-tuning is now supported 2123 from a performance secondary cluster 2124 * ui: Suport for authentication via the RADIUS auth method [[GH-6488](https://github.com/hashicorp/vault/pull/6488)] 2125 * ui: Navigating away from secret list view will clear any page-specific 2126 filter that was applied [[GH-6511](https://github.com/hashicorp/vault/pull/6511)] 2127 * ui: Improved the display when OIDC auth errors [[GH-6553](https://github.com/hashicorp/vault/pull/6553)] 2128 2129BUG FIXES: 2130 2131 * agent: Allow auto-auth to be used with caching without having to define any 2132 sinks [[GH-6468](https://github.com/hashicorp/vault/pull/6468)] 2133 * agent: Disallow some nonsensical config file combinations [[GH-6471](https://github.com/hashicorp/vault/pull/6471)] 2134 * auth/ldap: Fix CN check not working if CN was not all in uppercase [[GH-6518](https://github.com/hashicorp/vault/pull/6518)] 2135 * auth/jwt: The CLI helper for OIDC logins will now open the browser to the correct 2136 URL when running on Windows [[GH-37](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/37)] 2137 * auth/jwt: Fix OIDC login issue where configured TLS certs weren't being used [[GH-40](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/40)] 2138 * auth/jwt: Fix an issue where the `oidc_scopes` parameter was not being included in 2139 the response to a role read request [[GH-35](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/35)] 2140 * core: Fix seal migration case when migrating to Shamir and a seal block 2141 wasn't explicitly specified [[GH-6455](https://github.com/hashicorp/vault/pull/6455)] 2142 * core: Fix unwrapping when using namespaced wrapping tokens [[GH-6536](https://github.com/hashicorp/vault/pull/6536)] 2143 * core: Fix incorrect representation of required properties in OpenAPI output 2144 [[GH-6490](https://github.com/hashicorp/vault/pull/6490)] 2145 * core: Fix deadlock that could happen when using the UI [[GH-6560](https://github.com/hashicorp/vault/pull/6560)] 2146 * identity: Fix updating groups removing existing members [[GH-6527](https://github.com/hashicorp/vault/pull/6527)] 2147 * identity: Properly invalidate group alias in performance secondary [[GH-6564](https://github.com/hashicorp/vault/pull/6564)] 2148 * identity: Use namespace context when loading entities and groups to ensure 2149 merging of duplicate entries works properly [[GH-6563](https://github.com/hashicorp/vault/pull/6563)] 2150 * replication: Fix performance standby election failure [[GH-6561](https://github.com/hashicorp/vault/pull/6561)] 2151 * replication: Fix mount filter invalidation on performance standby nodes 2152 * replication: Fix license reloading on performance standby nodes 2153 * replication: Fix handling of control groups on performance standby nodes 2154 * replication: Fix some forwarding scenarios with request bodies using 2155 performance standby nodes [[GH-6538](https://github.com/hashicorp/vault/pull/6538)] 2156 * secret/gcp: Fix roleset binding when using JSON [[GH-27](https://github.com/hashicorp/vault-plugin-secrets-gcp/pull/27)] 2157 * secret/pki: Use `uri_sans` param in when not using CSR parameters [[GH-6505](https://github.com/hashicorp/vault/pull/6505)] 2158 * storage/dynamodb: Fix a race condition possible in HA configurations that could 2159 leave the cluster without a leader [[GH-6512](https://github.com/hashicorp/vault/pull/6512)] 2160 * ui: Fix an issue where in production builds OpenAPI model generation was 2161 failing, causing any form using it to render labels with missing fields [[GH-6474](https://github.com/hashicorp/vault/pull/6474)] 2162 * ui: Fix issue nav-hiding when moving between namespaces [[GH-6473](https://github.com/hashicorp/vault/pull/6473)] 2163 * ui: Secrets will always show in the nav regardless of access to cubbyhole [[GH-6477](https://github.com/hashicorp/vault/pull/6477)] 2164 * ui: fix SSH OTP generation [[GH-6540](https://github.com/hashicorp/vault/pull/6540)] 2165 * ui: add polyfill to load UI in IE11 [[GH-6567](https://github.com/hashicorp/vault/pull/6567)] 2166 * ui: Fix issue where some elements would fail to work properly if using ACLs 2167 with segment-wildcard paths (`/+/` segments) [[GH-6525](https://github.com/hashicorp/vault/pull/6525)] 2168 2169## 1.1.0 (March 18th, 2019) 2170 2171CHANGES: 2172 2173 * auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the 2174 groups claim is not at the top level, it can now be specified as a 2175 [JSONPointer](https://tools.ietf.org/html/rfc6901). 2176 * auth/jwt: Roles now have a "role type" parameter with a default type of 2177 "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly 2178 specified. 2179 * cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI 2180 help/warning output in previous versions of Vault for updated commands. 2181 * core: Vault no longer automatically mounts a K/V backend at the "secret/" 2182 path when initializing Vault 2183 * core: Vault's cluster port will now be open at all times on HA standby nodes 2184 * plugins: Vault no longer supports running netRPC plugins. These were 2185 deprecated in favor of gRPC based plugins and any plugin built since 0.9.4 2186 defaults to gRPC. Older plugins may need to be recompiled against the latest 2187 Vault dependencies. 2188 2189FEATURES: 2190 2191 * **Vault Agent Caching**: Vault Agent can now be configured to act as a 2192 caching proxy to Vault. Clients can send requests to Vault Agent and the 2193 request will be proxied to the Vault server and cached locally in Agent. 2194 Currently Agent will cache generated leases and tokens and keep them 2195 renewed. The proxy can also use the Auto Auth feature so clients do not need 2196 to authenticate to Vault, but rather can make requests to Agent and have 2197 Agent fully manage token lifecycle. 2198 * **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC 2199 roles. These allow authentication via an OIDC-compliant provider via the 2200 user's browser. The login may be initiated from the Vault UI or through 2201 the `vault login` command. 2202 * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable 2203 wild card matching for a single directory in the path definition. 2204 * **Transit Auto Unseal**: Vault can now be configured to use the Transit 2205 Secret Engine in another Vault cluster as an auto unseal provider. 2206 2207IMPROVEMENTS: 2208 2209 * auth/jwt: A default role can be set. It will be used during JWT/OIDC logins if 2210 a role is not specified. 2211 * auth/jwt: Arbitrary claims data can now be copied into token & alias metadata. 2212 * auth/jwt: An arbitrary set of bound claims can now be configured for a role. 2213 * auth/jwt: The name "oidc" has been added as an alias for the jwt backend. Either 2214 name may be specified in the `auth enable` command. 2215 * command/server: A warning will be printed when 'tls_cipher_suites' includes a 2216 blacklisted cipher suite or all cipher suites are blacklisted by the HTTP/2 2217 specification [[GH-6300](https://github.com/hashicorp/vault/pull/6300)] 2218 * core/metrics: Prometheus pull support using a new sys/metrics endpoint. [[GH-5308](https://github.com/hashicorp/vault/pull/5308)] 2219 * core: On non-windows platforms a SIGUSR2 will make the server log a dump of 2220 all running goroutines' stack traces for debugging purposes [[GH-6240](https://github.com/hashicorp/vault/pull/6240)] 2221 * replication: The initial replication indexing process on newly initialized or upgraded 2222 clusters now runs asynchronously 2223 * sentinel: Add token namespace id and path, available in rules as 2224 token.namespace.id and token.namespace.path 2225 * ui: The UI is now leveraging OpenAPI definitions to pull in fields for various forms. 2226 This means, it will not be necessary to add fields on the go and JS sides in the future. 2227 [[GH-6209](https://github.com/hashicorp/vault/pull/6209)] 2228 2229BUG FIXES: 2230 2231 * auth/jwt: Apply `bound_claims` validation across all login paths 2232 * auth/jwt: Update `bound_audiences` validation during non-OIDC logins to accept 2233 any matched audience, as documented and handled in OIDC logins [[GH-30](https://github.com/hashicorp/vault-plugin-auth-jwt/pull/30)] 2234 * auth/token: Fix issue where empty values for token role update call were 2235 ignored [[GH-6314](https://github.com/hashicorp/vault/pull/6314)] 2236 * core: The `operator migrate` command will no longer hang on empty key names 2237 [[GH-6371](https://github.com/hashicorp/vault/pull/6371)] 2238 * identity: Fix a panic at login when external group has a nil alias [[GH-6230](https://github.com/hashicorp/vault/pull/6230)] 2239 * namespaces: Clear out identity store items upon namespace deletion 2240 * replication/perfstandby: Fixed a bug causing performance standbys to wait 2241 longer than necessary after forwarding a write to the active node 2242 * replication/mountfilter: Fix a deadlock that could occur when mount filters 2243 were updated [[GH-6426](https://github.com/hashicorp/vault/pull/6426)] 2244 * secret/kv: Fix issue where a v1→v2 upgrade could run on a performance 2245 standby when using a local mount 2246 * secret/ssh: Fix for a bug where attempting to delete the last ssh role 2247 in the zeroaddress configuration could fail [[GH-6390](https://github.com/hashicorp/vault/pull/6390)] 2248 * secret/totp: Uppercase provided keys so they don't fail base32 validation 2249 [[GH-6400](https://github.com/hashicorp/vault/pull/6400)] 2250 * secret/transit: Multiple HMAC, Sign or Verify operations can now be 2251 performed with one API call using the new `batch_input` parameter [[GH-5875](https://github.com/hashicorp/vault/pull/5875)] 2252 * sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts 2253 that have been filtered. Similarly, `sys/internal/ui/mount/:path` will 2254 return a error response if a filtered mount path is requested. [[GH-6412](https://github.com/hashicorp/vault/pull/6412)] 2255 * ui: Fix for a bug where you couldn't access the data tab after clicking on 2256 wrap details on the unwrap page [[GH-6404](https://github.com/hashicorp/vault/pull/6404)] 2257 * ui: Fix an issue where the policies tab was erroneously hidden [[GH-6301](https://github.com/hashicorp/vault/pull/6301)] 2258 * ui: Fix encoding issues with kv interfaces [[GH-6294](https://github.com/hashicorp/vault/pull/6294)] 2259 2260## 1.0.3.1 (March 14th, 2019) (Enterprise Only) 2261 2262SECURITY: 2263 2264 * A regression was fixed in replication mount filter code introduced in Vault 2265 1.0 that caused the underlying filtered data to be replicated to 2266 secondaries. This data was not accessible to users via Vault's API but via a 2267 combination of privileged configuration file changes/Vault commands it could 2268 be read. Upgrading to this version or 1.1 will fix this issue and cause the 2269 replicated data to be deleted from filtered secondaries. More information 2270 was sent to customer contacts on file. 2271 2272## 1.0.3 (February 12th, 2019) 2273 2274CHANGES: 2275 2276 * New AWS authentication plugin mounts will default to using the generated 2277 role ID as the Identity alias name. This applies to both EC2 and IAM auth. 2278 Existing mounts that explicitly set this value will not be affected but 2279 mounts that specified no preference will switch over on upgrade. 2280 * The default policy now allows a token to look up its associated identity 2281 entity either by name or by id [[GH-6105](https://github.com/hashicorp/vault/pull/6105)] 2282 * The Vault UI's navigation and onboarding wizard now only displays items that 2283 are permitted in a users' policy [[GH-5980](https://github.com/hashicorp/vault/pull/5980), [GH-6094](https://github.com/hashicorp/vault/pull/6094)] 2284 * An issue was fixed that caused recovery keys to not work on secondary 2285 clusters when using a different unseal mechanism/key than the primary. This 2286 would be hit if the cluster was rekeyed or initialized after 1.0. We recommend 2287 rekeying the recovery keys on the primary cluster if you meet the above 2288 requirements. 2289 2290FEATURES: 2291 2292 * **cURL Command Output**: CLI commands can now use the `-output-curl-string` 2293 flag to print out an equivalent cURL command. 2294 * **Response Headers From Plugins**: Plugins can now send back headers that 2295 will be included in the response to a client. The set of allowed headers can 2296 be managed by the operator. 2297 2298IMPROVEMENTS: 2299 2300 * auth/aws: AWS EC2 authentication can optionally create entity aliases by 2301 role ID [[GH-6133](https://github.com/hashicorp/vault/pull/6133)] 2302 * auth/jwt: The supported set of signing algorithms is now configurable [JWT 2303 plugin [GH-16](https://github.com/hashicorp/vault/pull/16)] 2304 * core: When starting from an uninitialized state, HA nodes will now attempt 2305 to auto-unseal using a configured auto-unseal mechanism after the active 2306 node initializes Vault [[GH-6039](https://github.com/hashicorp/vault/pull/6039)] 2307 * secret/database: Add socket keepalive option for Cassandra [[GH-6201](https://github.com/hashicorp/vault/pull/6201)] 2308 * secret/ssh: Add signed key constraints, allowing enforcement of key types 2309 and minimum key sizes [[GH-6030](https://github.com/hashicorp/vault/pull/6030)] 2310 * secret/transit: ECDSA signatures can now be marshaled in JWS-compatible 2311 fashion [[GH-6077](https://github.com/hashicorp/vault/pull/6077)] 2312 * storage/etcd: Support SRV service names [[GH-6087](https://github.com/hashicorp/vault/pull/6087)] 2313 * storage/aws: Support specifying a KMS key ID for server-side encryption 2314 [[GH-5996](https://github.com/hashicorp/vault/pull/5996)] 2315 2316BUG FIXES: 2317 2318 * core: Fix a rare case where a standby whose connection is entirely torn down 2319 to the active node, then reconnects to the same active node, may not 2320 successfully resume operation [[GH-6167](https://github.com/hashicorp/vault/pull/6167)] 2321 * cors: Don't duplicate headers when they're written [[GH-6207](https://github.com/hashicorp/vault/pull/6207)] 2322 * identity: Persist merged entities only on the primary [[GH-6075](https://github.com/hashicorp/vault/pull/6075)] 2323 * replication: Fix a potential race when a token is created and then used with 2324 a performance standby very quickly, before an associated entity has been 2325 replicated. If the entity is not found in this scenario, the request will 2326 forward to the active node. 2327 * replication: Fix issue where recovery keys would not work on secondary 2328 clusters if using a different unseal mechanism than the primary. 2329 * replication: Fix a "failed to register lease" error when using performance 2330 standbys 2331 * storage/postgresql: The `Get` method will now return an Entry object with 2332 the `Key` member correctly populated with the full path that was requested 2333 instead of just the last path element [[GH-6044](https://github.com/hashicorp/vault/pull/6044)] 2334 2335## 1.0.2 (January 15th, 2019) 2336 2337SECURITY: 2338 2339 * When creating a child token from a parent with `bound_cidrs`, the list of 2340 CIDRs would not be propagated to the child token, allowing the child token 2341 to be used from any address. 2342 2343CHANGES: 2344 2345 * secret/aws: Role now returns `credential_type` instead of `credential_types` 2346 to match role input. If a legacy role that can supply more than one 2347 credential type, they will be concatenated with a `,`. 2348 * physical/dynamodb, autoseal/aws: Instead of Vault performing environment 2349 variable handling, and overriding static (config file) values if found, we 2350 use the default AWS SDK env handling behavior, which also looks for 2351 deprecated values. If you were previously providing both config values and 2352 environment values, please ensure the config values are unset if you want to 2353 use environment values. 2354 * Namespaces (Enterprise): Providing "root" as the header value for 2355 `X-Vault-Namespace` will perform the request on the root namespace. This is 2356 equivalent to providing an empty value. Creating a namespace called "root" in 2357 the root namespace is disallowed. 2358 2359FEATURES: 2360 2361 * **InfluxDB Database Plugin**: Use Vault to dynamically create and manage InfluxDB 2362 users 2363 2364IMPROVEMENTS: 2365 2366 * auth/aws: AWS EC2 authentication can optionally create entity aliases by 2367 image ID [[GH-5846](https://github.com/hashicorp/vault/pull/5846)] 2368 * autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal 2369 [[GH-5999](https://github.com/hashicorp/vault/pull/5999)] 2370 * physical/foundationdb: TLS support added. [[GH-5800](https://github.com/hashicorp/vault/pull/5800)] 2371 2372BUG FIXES: 2373 2374 * api: Fix a couple of places where we were using the `LIST` HTTP verb 2375 (necessary to get the right method into the wrapping lookup function) and 2376 not then modifying it to a `GET`; although this is officially the verb Vault 2377 uses for listing and it's fully legal to use custom verbs, since many WAFs 2378 and API gateways choke on anything outside of RFC-standardized verbs we fall 2379 back to `GET` [[GH-6026](https://github.com/hashicorp/vault/pull/6026)] 2380 * autoseal/aws: Fix reading session tokens when AWS access key/secret key are 2381 also provided [[GH-5965](https://github.com/hashicorp/vault/pull/5965)] 2382 * command/operator/rekey: Fix help output showing `-delete-backup` when it 2383 should show `-backup-delete` [[GH-5981](https://github.com/hashicorp/vault/pull/5981)] 2384 * core: Fix bound_cidrs not being propagated to child tokens 2385 * replication: Correctly forward identity entity creation that originates from 2386 performance standby nodes (Enterprise) 2387 * secret/aws: Make input `credential_type` match the output type (string, not 2388 array) [[GH-5972](https://github.com/hashicorp/vault/pull/5972)] 2389 * secret/cubbyhole: Properly cleanup cubbyhole after token revocation [[GH-6006](https://github.com/hashicorp/vault/pull/6006)] 2390 * secret/pki: Fix reading certificates on windows with the file storage backend [[GH-6013](https://github.com/hashicorp/vault/pull/6013)] 2391 * ui (enterprise): properly display perf-standby count on the license page [[GH-5971](https://github.com/hashicorp/vault/pull/5971)] 2392 * ui: fix disappearing nested secrets and go to the nearest parent when deleting 2393 a secret - [[GH-5976](https://github.com/hashicorp/vault/pull/5976)] 2394 * ui: fix error where deleting an item via the context menu would fail if the 2395 item name contained dots [[GH-6018](https://github.com/hashicorp/vault/pull/6018)] 2396 * ui: allow saving of kv secret after an errored save attempt [[GH-6022](https://github.com/hashicorp/vault/pull/6022)] 2397 * ui: fix display of kv-v1 secret containing a key named "keys" [[GH-6023](https://github.com/hashicorp/vault/pull/6023)] 2398 2399## 1.0.1 (December 14th, 2018) 2400 2401SECURITY: 2402 2403 * Update version of Go to 1.11.3 to fix Go bug 2404 https://github.com/golang/go/issues/29233 which corresponds to 2405 CVE-2018-16875 2406 * Database user revocation: If a client has configured custom revocation 2407 statements for a role with a value of `""`, that statement would be executed 2408 verbatim, resulting in a lack of actual revocation but success for the 2409 operation. Vault will now strip empty statements from any provided; as a 2410 result if an empty statement is provided, it will behave as if no statement 2411 is provided, falling back to the default revocation statement. 2412 2413CHANGES: 2414 2415 * secret/database: On role read, empty statements will be returned as empty 2416 slices instead of potentially being returned as JSON null values. This makes 2417 it more in line with other parts of Vault and makes it easier for statically 2418 typed languages to interpret the values. 2419 2420IMPROVEMENTS: 2421 2422 * cli: Strip iTerm extra characters from password manager input [[GH-5837](https://github.com/hashicorp/vault/pull/5837)] 2423 * command/server: Setting default kv engine to v1 in -dev mode can now be 2424 specified via -dev-kv-v1 [[GH-5919](https://github.com/hashicorp/vault/pull/5919)] 2425 * core: Add operationId field to OpenAPI output [[GH-5876](https://github.com/hashicorp/vault/pull/5876)] 2426 * ui: Added ability to search for Group and Policy IDs when creating Groups 2427 and Entities instead of typing them in manually 2428 2429BUG FIXES: 2430 2431 * auth/azure: Cache azure authorizer [15] 2432 * auth/gcp: Remove explicit project for service account in GCE authorizer [[GH-58](https://github.com/hashicorp/vault-plugin-auth-gcp/pull/58)] 2433 * cli: Show correct stored keys/threshold for autoseals [[GH-5910](https://github.com/hashicorp/vault/pull/5910)] 2434 * cli: Fix backwards compatibility fallback when listing plugins [[GH-5913](https://github.com/hashicorp/vault/pull/5913)] 2435 * core: Fix upgrades when the seal config had been created on early versions 2436 of vault [[GH-5956](https://github.com/hashicorp/vault/pull/5956)] 2437 * namespaces: Correctly reload the proper mount when tuning or reloading the 2438 mount [[GH-5937](https://github.com/hashicorp/vault/pull/5937)] 2439 * secret/azure: Cache azure authorizer [19] 2440 * secret/database: Strip empty statements on user input [[GH-5955](https://github.com/hashicorp/vault/pull/5955)] 2441 * secret/gcpkms: Add path for retrieving the public key [[GH-5](https://github.com/hashicorp/vault-plugin-secrets-gcpkms/pull/5)] 2442 * secret/pki: Fix panic that could occur during tidy operation when malformed 2443 data was found [[GH-5931](https://github.com/hashicorp/vault/pull/5931)] 2444 * secret/pki: Strip empty line in ca_chain output [[GH-5779](https://github.com/hashicorp/vault/pull/5779)] 2445 * ui: Fixed a bug where the web CLI was not usable via the `fullscreen` 2446 command - [[GH-5909](https://github.com/hashicorp/vault/pull/5909)] 2447 * ui: Fix a bug where you couldn't write a jwt auth method config [[GH-5936](https://github.com/hashicorp/vault/pull/5936)] 2448 2449## 0.11.6 (December 14th, 2018) 2450 2451This release contains the three security fixes from 1.0.0 and 1.0.1 and the 2452following bug fixes from 1.0.0/1.0.1: 2453 2454 * namespaces: Correctly reload the proper mount when tuning or reloading the 2455 mount [[GH-5937](https://github.com/hashicorp/vault/pull/5937)] 2456 * replication/perfstandby: Fix audit table upgrade on standbys [[GH-5811](https://github.com/hashicorp/vault/pull/5811)] 2457 * replication/perfstandby: Fix redirect on approle update [[GH-5820](https://github.com/hashicorp/vault/pull/5820)] 2458 * secrets/kv: Fix issue where storage version would get incorrectly downgraded 2459 [[GH-5809](https://github.com/hashicorp/vault/pull/5809)] 2460 2461It is otherwise identical to 0.11.5. 2462 2463## 1.0.0 (December 3rd, 2018) 2464 2465SECURITY: 2466 2467 * When debugging a customer incident we discovered that in the case of 2468 malformed data from an autoseal mechanism, Vault's master key could be 2469 logged in Vault's server log. For this to happen, the data would need to be 2470 modified by the autoseal mechanism after being submitted to it by Vault but 2471 prior to encryption, or after decryption, prior to it being returned to 2472 Vault. To put it another way, it requires the data that Vault submits for 2473 encryption to not match the data returned after decryption. It is not 2474 sufficient for the autoseal mechanism to return an error, and it cannot be 2475 triggered by an outside attacker changing the on-disk ciphertext as all 2476 autoseal mechanisms use authenticated encryption. We do not believe that 2477 this is generally a cause for concern; since it involves the autoseal 2478 mechanism returning bad data to Vault but with no error, in a working Vault 2479 configuration this code path should never be hit, and if hitting this issue 2480 Vault will not be unsealing properly anyways so it will be obvious what is 2481 happening and an immediate rekey of the master key can be performed after 2482 service is restored. We have filed for a CVE (CVE-2018-19786) and a CVSS V3 2483 score of 5.2 has been assigned. 2484 2485CHANGES: 2486 2487 * Tokens are now prefixed by a designation to indicate what type of token they 2488 are. Service tokens start with `s.` and batch tokens start with `b.`. 2489 Existing tokens will still work (they are all of service type and will be 2490 considered as such). Prefixing allows us to be more efficient when consuming 2491 a token, which keeps the critical path of requests faster. 2492 * Paths within `auth/token` that allow specifying a token or accessor in the 2493 URL have been removed. These have been deprecated since March 2016 and 2494 undocumented, but were retained for backwards compatibility. They shouldn't 2495 be used due to the possibility of those paths being logged, so at this point 2496 they are simply being removed. 2497 * Vault will no longer accept updates when the storage key has invalid UTF-8 2498 character encoding [[GH-5819](https://github.com/hashicorp/vault/pull/5819)] 2499 * Mount/Auth tuning the `options` map on backends will now upsert any provided 2500 values, and keep any of the existing values in place if not provided. The 2501 options map itself cannot be unset once it's set, but the keypairs within the 2502 map can be unset if an empty value is provided, with the exception of the 2503 `version` keypair which is handled differently for KVv2 purposes. 2504 * Agent no longer automatically reauthenticates when new credentials are 2505 detected. It's not strictly necessary and in some cases was causing 2506 reauthentication much more often than intended. 2507 * HSM Regenerate Key Support Removed: Vault no longer supports destroying and 2508 regenerating encryption keys on an HSM; it only supports creating them. 2509 Although this has never been a source of a customer incident, it is simply a 2510 code path that is too trivial to activate, especially by mistyping 2511 `regenerate_key` instead of `generate_key`. 2512 * Barrier Config Upgrade (Enterprise): When upgrading from Vault 0.8.x, the 2513 seal type in the barrier config storage entry will be upgraded from 2514 "hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals. 2515 If performing seal migration, the barrier config should first be upgraded 2516 prior to starting migration. 2517 * Go API client uses pooled HTTP client: The Go API client now uses a 2518 connection-pooling HTTP client by default. For CLI operations this makes no 2519 difference but it should provide significant performance benefits for those 2520 writing custom clients using the Go API library. As before, this can be 2521 changed to any custom HTTP client by the caller. 2522 * Builtin Secret Engines and Auth Methods are integrated deeper into the 2523 plugin system. The plugin catalog can now override builtin plugins with 2524 custom versions of the same name. Additionally the plugin system now 2525 requires a plugin `type` field when configuring plugins, this can be "auth", 2526 "database", or "secret". 2527 2528FEATURES: 2529 2530 * **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated 2531 from Enterprise to Open Source. We've created a migrator to allow migrating 2532 between Shamir seals and auto unseal methods. 2533 * **Batch Tokens**: Batch tokens trade off some features of service tokens for no 2534 storage overhead, and in most cases can be used across performance 2535 replication clusters. 2536 * **Replication Speed Improvements**: We've worked hard to speed up a lot of 2537 operations when using Vault Enterprise Replication. 2538 * **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like 2539 pattern to keys stored within GCP Cloud KMS. 2540 * **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole 2541 credentials when having Agent automatically authenticate to Vault 2542 * **OpenAPI Support**: Descriptions of mounted backends can be served directly 2543 from Vault 2544 * **Kubernetes Projected Service Account Tokens**: Projected Service Account 2545 Tokens are now supported in Kubernetes auth 2546 * **Response Wrapping in UI**: Added ability to wrap secrets and easily copy 2547 the wrap token or secret JSON in the UI 2548 2549IMPROVEMENTS: 2550 2551 * agent: Support for configuring the location of the kubernetes service account 2552 [[GH-5725](https://github.com/hashicorp/vault/pull/5725)] 2553 * auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1 2554 * secret/totp: Allow @ character to be part of key name [[GH-5652](https://github.com/hashicorp/vault/pull/5652)] 2555 * secret/consul: Add support for new policy based tokens added in Consul 1.4 2556 [[GH-5586](https://github.com/hashicorp/vault/pull/5586)] 2557 * ui: Improve the token auto-renew warning, and automatically begin renewal 2558 when a user becomes active again [[GH-5662](https://github.com/hashicorp/vault/pull/5662)] 2559 * ui: The unbundled UI page now has some styling [[GH-5665](https://github.com/hashicorp/vault/pull/5665)] 2560 * ui: Improved banner and popup design [[GH-5672](https://github.com/hashicorp/vault/pull/5672)] 2561 * ui: Added token type to auth method mount config [[GH-5723](https://github.com/hashicorp/vault/pull/5723)] 2562 * ui: Display additonal wrap info when unwrapping. [[GH-5664](https://github.com/hashicorp/vault/pull/5664)] 2563 * ui: Empty states have updated styling and link to relevant actions and 2564 documentation [[GH-5758](https://github.com/hashicorp/vault/pull/5758)] 2565 * ui: Allow editing of KV V2 data when a token doesn't have capabilities to 2566 read secret metadata [[GH-5879](https://github.com/hashicorp/vault/pull/5879)] 2567 2568BUG FIXES: 2569 2570 * agent: Fix auth when multiple redirects [[GH-5814](https://github.com/hashicorp/vault/pull/5814)] 2571 * cli: Restore the `-policy-override` flag [[GH-5826](https://github.com/hashicorp/vault/pull/5826)] 2572 * core: Fix rekey progress reset which did not happen under certain 2573 circumstances. [[GH-5743](https://github.com/hashicorp/vault/pull/5743)] 2574 * core: Migration from autounseal to shamir will clean up old keys [[GH-5671](https://github.com/hashicorp/vault/pull/5671)] 2575 * identity: Update group memberships when entity is deleted [[GH-5786](https://github.com/hashicorp/vault/pull/5786)] 2576 * replication/perfstandby: Fix audit table upgrade on standbys [[GH-5811](https://github.com/hashicorp/vault/pull/5811)] 2577 * replication/perfstandby: Fix redirect on approle update [[GH-5820](https://github.com/hashicorp/vault/pull/5820)] 2578 * secrets/azure: Fix valid roles being rejected for duplicate ids despite 2579 having distinct scopes 2580 [[GH-16](https://github.com/hashicorp/vault-plugin-secrets-azure/pull/16)] 2581 * storage/gcs: Send md5 of values to GCS to avoid potential corruption 2582 [[GH-5804](https://github.com/hashicorp/vault/pull/5804)] 2583 * secrets/kv: Fix issue where storage version would get incorrectly downgraded 2584 [[GH-5809](https://github.com/hashicorp/vault/pull/5809)] 2585 * secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths 2586 for all other operations for backwards compatibility 2587 [[GH-19](https://github.com/hashicorp/vault-plugin-secrets-kv/pull/19)] 2588 * ui: Allow for secret creation in kv v2 when cas_required=true [[GH-5823](https://github.com/hashicorp/vault/pull/5823)] 2589 * ui: Fix dr secondary operation token generation via the ui [[GH-5818](https://github.com/hashicorp/vault/pull/5818)] 2590 * ui: Fix the PKI context menu so that items load [[GH-5824](https://github.com/hashicorp/vault/pull/5824)] 2591 * ui: Update DR Secondary Token generation command [[GH-5857](https://github.com/hashicorp/vault/pull/5857)] 2592 * ui: Fix pagination bug where controls would be rendered once for each 2593 item when viewing policies [[GH-5866](https://github.com/hashicorp/vault/pull/5866)] 2594 * ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show 2595 the revoke button in the UI [[GH-5647](https://github.com/hashicorp/vault/pull/5647)] 2596 * ui: Fix issue where certain pages wouldn't render in a namespace [[GH-5692](https://github.com/hashicorp/vault/pull/5692)] 2597 2598## 0.11.5 (November 13th, 2018) 2599 2600BUG FIXES: 2601 2602 * agent: Fix issue when specifying two file sinks [[GH-5610](https://github.com/hashicorp/vault/pull/5610)] 2603 * auth/userpass: Fix minor timing issue that could leak the presence of a 2604 username [[GH-5614](https://github.com/hashicorp/vault/pull/5614)] 2605 * autounseal/alicloud: Fix issue interacting with the API (Enterprise) 2606 * autounseal/azure: Fix key version tracking (Enterprise) 2607 * cli: Fix panic that could occur if parameters were not provided [[GH-5603](https://github.com/hashicorp/vault/pull/5603)] 2608 * core: Fix buggy behavior if trying to remount into a namespace 2609 * identity: Fix duplication of entity alias entity during alias transfer 2610 between entities [[GH-5733](https://github.com/hashicorp/vault/pull/5733)] 2611 * namespaces: Fix tuning of auth mounts in a namespace 2612 * ui: Fix bug where editing secrets as JSON doesn't save properly [[GH-5660](https://github.com/hashicorp/vault/pull/5660)] 2613 * ui: Fix issue where IE 11 didn't render the UI and also had a broken form 2614 when trying to use tool/hash [[GH-5714](https://github.com/hashicorp/vault/pull/5714)] 2615 2616## 0.11.4 (October 23rd, 2018) 2617 2618CHANGES: 2619 2620 * core: HA lock file is no longer copied during `operator migrate` [[GH-5503](https://github.com/hashicorp/vault/pull/5503)]. 2621 We've categorized this as a change, but generally this can be considered 2622 just a bug fix, and no action is needed. 2623 2624FEATURES: 2625 2626 * **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to 2627 remove older unused key versions 2628 * **Web UI support for KV Version 2**: Browse, delete, undelete and destroy 2629 individual secret versions in the UI 2630 * **Azure Existing Service Principal Support**: Credentials can now be generated 2631 against an existing service principal 2632 2633IMPROVEMENTS: 2634 2635 * core: Add last WAL in leader/health output for easier debugging [[GH-5523](https://github.com/hashicorp/vault/pull/5523)] 2636 * identity: Identity names will now be handled case insensitively by default. 2637 This includes names of entities, aliases and groups [[GH-5404](https://github.com/hashicorp/vault/pull/5404)] 2638 * secrets/aws: Added role-option max_sts_ttl to cap TTL for AWS STS 2639 credentials [[GH-5500](https://github.com/hashicorp/vault/pull/5500)] 2640 * secret/database: Allow Cassandra user to be non-superuser so long as it has 2641 role creation permissions [[GH-5402](https://github.com/hashicorp/vault/pull/5402)] 2642 * secret/radius: Allow setting the NAS Identifier value in the generated 2643 packet [[GH-5465](https://github.com/hashicorp/vault/pull/5465)] 2644 * secret/ssh: Allow usage of JSON arrays when setting zero addresses [[GH-5528](https://github.com/hashicorp/vault/pull/5528)] 2645 * secret/transit: Allow trimming unused keys [[GH-5388](https://github.com/hashicorp/vault/pull/5388)] 2646 * ui: Support KVv2 [[GH-5547](https://github.com/hashicorp/vault/pull/5547)], [[GH-5563](https://github.com/hashicorp/vault/pull/5563)] 2647 * ui: Allow viewing and updating Vault license via the UI 2648 * ui: Onboarding will now display your progress through the chosen tutorials 2649 * ui: Dynamic secret backends obfuscate sensitive data by default and 2650 visibility is toggleable 2651 2652BUG FIXES: 2653 2654 * agent: Fix potential hang during agent shutdown [[GH-5026](https://github.com/hashicorp/vault/pull/5026)] 2655 * auth/ldap: Fix listing of users/groups that contain slashes [[GH-5537](https://github.com/hashicorp/vault/pull/5537)] 2656 * core: Fix memory leak during some expiration calls [[GH-5505](https://github.com/hashicorp/vault/pull/5505)] 2657 * core: Fix generate-root operations requiring empty `otp` to be provided 2658 instead of an empty body [[GH-5495](https://github.com/hashicorp/vault/pull/5495)] 2659 * identity: Remove lookup check during alias removal from entity [[GH-5524](https://github.com/hashicorp/vault/pull/5524)] 2660 * secret/pki: Fix TTL/MaxTTL check when using `sign-verbatim` [[GH-5549](https://github.com/hashicorp/vault/pull/5549)] 2661 * secret/pki: Fix regression in 0.11.2+ causing the NotBefore value of 2662 generated certificates to be set to the Unix epoch if the role value was not 2663 set, instead of using the default of 30 seconds [[GH-5481](https://github.com/hashicorp/vault/pull/5481)] 2664 * storage/mysql: Use `varbinary` instead of `varchar` when creating HA tables 2665 [[GH-5529](https://github.com/hashicorp/vault/pull/5529)] 2666 2667## 0.11.3 (October 8th, 2018) 2668 2669SECURITY: 2670 2671 * Revocation: A regression in 0.11.2 (OSS) and 0.11.0 (Enterprise) caused 2672 lease IDs containing periods (`.`) to not be revoked properly. Upon startup 2673 when revocation is tried again these should now revoke successfully. 2674 2675IMPROVEMENTS: 2676 2677 * auth/ldap: Listing of users and groups return absolute paths [[GH-5537](https://github.com/hashicorp/vault/pull/5537)] 2678 * secret/pki: OID SANs can now specify `*` to allow any value [[GH-5459](https://github.com/hashicorp/vault/pull/5459)] 2679 2680BUG FIXES: 2681 2682 * auth/ldap: Fix panic if specific values were given to be escaped [[GH-5471](https://github.com/hashicorp/vault/pull/5471)] 2683 * cli/auth: Fix panic if `vault auth` was given no parameters [[GH-5473](https://github.com/hashicorp/vault/pull/5473)] 2684 * secret/database/mongodb: Fix panic that could occur at high load [[GH-5463](https://github.com/hashicorp/vault/pull/5463)] 2685 * secret/pki: Fix CA generation not allowing OID SANs [[GH-5459](https://github.com/hashicorp/vault/pull/5459)] 2686 2687## 0.11.2 (October 2nd, 2018) 2688 2689CHANGES: 2690 2691 * `sys/seal-status` now includes an `initialized` boolean in the output. If 2692 Vault is not initialized, it will return a `200` with this value set `false` 2693 instead of a `400`. 2694 * `passthrough_request_headers` will now deny certain headers from being 2695 provided to backends based on a global denylist. 2696 * Token Format: Tokens are now represented as a base62 value; tokens in 2697 namespaces will have the namespace identifier appended. (This appeared in 2698 Enterprise in 0.11.0, but is only in OSS in 0.11.2.) 2699 2700FEATURES: 2701 2702 * **AWS Secret Engine Root Credential Rotation**: The credential used by the AWS 2703 secret engine can now be rotated, to ensure that only Vault knows the 2704 credentials it is using [[GH-5140](https://github.com/hashicorp/vault/pull/5140)] 2705 * **Storage Backend Migrator**: A new `operator migrate` command allows offline 2706 migration of data between two storage backends 2707 * **AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise)**: AliCloud KMS can now be used a support seal for 2708 Auto Unseal and Seal Wrapping 2709 2710BUG FIXES: 2711 2712 * auth/okta: Fix reading deprecated `token` parameter if a token was 2713 previously set in the configuration [[GH-5409](https://github.com/hashicorp/vault/pull/5409)] 2714 * core: Re-add deprecated capabilities information for now [[GH-5360](https://github.com/hashicorp/vault/pull/5360)] 2715 * core: Fix handling of cyclic token relationships [[GH-4803](https://github.com/hashicorp/vault/pull/4803)] 2716 * storage/mysql: Fix locking on MariaDB [[GH-5343](https://github.com/hashicorp/vault/pull/5343)] 2717 * replication: Fix DR API when using a token [[GH-5398](https://github.com/hashicorp/vault/pull/5398)] 2718 * identity: Ensure old group alias is removed when a new one is written [[GH-5350](https://github.com/hashicorp/vault/pull/5350)] 2719 * storage/alicloud: Don't call uname on package init [[GH-5358](https://github.com/hashicorp/vault/pull/5358)] 2720 * secrets/jwt: Fix issue where request context would be canceled too early 2721 * ui: fix need to have update for aws iam creds generation [GF-5294] 2722 * ui: fix calculation of token expiry [[GH-5435](https://github.com/hashicorp/vault/pull/5435)] 2723 2724IMPROVEMENTS: 2725 2726 * auth/aws: The identity alias name can now configured to be either IAM unique 2727 ID of the IAM Principal, or ARN of the caller identity [[GH-5247](https://github.com/hashicorp/vault/pull/5247)] 2728 * auth/cert: Add allowed_organizational_units support [[GH-5252](https://github.com/hashicorp/vault/pull/5252)] 2729 * cli: Format TTLs for non-secret responses [[GH-5367](https://github.com/hashicorp/vault/pull/5367)] 2730 * identity: Support operating on entities and groups by their names [[GH-5355](https://github.com/hashicorp/vault/pull/5355)] 2731 * plugins: Add `env` parameter when registering plugins to the catalog to allow 2732 operators to include environment variables during plugin execution. [[GH-5359](https://github.com/hashicorp/vault/pull/5359)] 2733 * secrets/aws: WAL Rollback improvements [[GH-5202](https://github.com/hashicorp/vault/pull/5202)] 2734 * secrets/aws: Allow specifying STS role-default TTLs [[GH-5138](https://github.com/hashicorp/vault/pull/5138)] 2735 * secrets/pki: Add configuration support for setting NotBefore [[GH-5325](https://github.com/hashicorp/vault/pull/5325)] 2736 * core: Support for passing the Vault token via an Authorization Bearer header [[GH-5397](https://github.com/hashicorp/vault/pull/5397)] 2737 * replication: Reindex process now runs in the background and does not block other 2738 vault operations 2739 * storage/zookeeper: Enable TLS based communication with Zookeeper [[GH-4856](https://github.com/hashicorp/vault/pull/4856)] 2740 * ui: you can now init a cluster with a seal config [[GH-5428](https://github.com/hashicorp/vault/pull/5428)] 2741 * ui: added the option to force promote replication clusters [[GH-5438](https://github.com/hashicorp/vault/pull/5438)] 2742 * replication: Allow promotion of a secondary when data is syncing with a "force" flag 2743 2744## 0.11.1.1 (September 17th, 2018) (Enterprise Only) 2745 2746BUG FIXES: 2747 2748 * agent: Fix auth handler-based wrapping of output tokens [[GH-5316](https://github.com/hashicorp/vault/pull/5316)] 2749 * core: Properly store the replication checkpoint file if it's larger than the 2750 storage engine's per-item limit 2751 * core: Improve WAL deletion rate 2752 * core: Fix token creation on performance standby nodes 2753 * core: Fix unwrapping inside a namespace 2754 * core: Always forward tidy operations from performance standby nodes 2755 2756IMPROVEMENTS: 2757 2758 * auth/aws: add support for key/value pairs or JSON values for 2759 `iam_request_headers` with IAM auth method [[GH-5320](https://github.com/hashicorp/vault/pull/5320)] 2760 * auth/aws, secret/aws: Throttling errors from the AWS API will now be 2761 reported as 502 errors by Vault, along with the original error [[GH-5270](https://github.com/hashicorp/vault/pull/5270)] 2762 * replication: Start fetching during a sync from where it previously errored 2763 2764## 0.11.1 (September 6th, 2018) 2765 2766SECURITY: 2767 2768 * Random Byte Reading in Barrier: Prior to this release, Vault was not 2769 properly checking the error code when reading random bytes for the IV for 2770 AES operations in its cryptographic barrier. Specifically, this means that 2771 such an IV could potentially be zero multiple times, causing nonce re-use 2772 and weakening the security of the key. On most platforms this should never 2773 happen because reading from kernel random sources is non-blocking and always 2774 successful, but there may be platform-specific behavior that has not been 2775 accounted for. (Vault has tests to check exactly this, and the tests have 2776 never seen nonce re-use.) 2777 2778FEATURES: 2779 2780 * AliCloud Agent Support: Vault Agent can now authenticate against the 2781 AliCloud auth method. 2782 * UI: Enable AliCloud auth method and Azure secrets engine via the UI. 2783 2784IMPROVEMENTS: 2785 2786 * core: Logging level for most logs (not including secrets/auth plugins) can 2787 now be changed on-the-fly via `SIGHUP`, reading the desired value from 2788 Vault's config file [[GH-5280](https://github.com/hashicorp/vault/pull/5280)] 2789 2790BUG FIXES: 2791 2792 * core: Ensure we use a background context when stepping down [[GH-5290](https://github.com/hashicorp/vault/pull/5290)] 2793 * core: Properly check error return from random byte reading [[GH-5277](https://github.com/hashicorp/vault/pull/5277)] 2794 * core: Re-add `sys/` top-route injection for now [[GH-5241](https://github.com/hashicorp/vault/pull/5241)] 2795 * core: Policies stored in minified JSON would return an error [[GH-5229](https://github.com/hashicorp/vault/pull/5229)] 2796 * core: Evaluate templated policies in capabilities check [[GH-5250](https://github.com/hashicorp/vault/pull/5250)] 2797 * identity: Update MemDB with identity group alias while loading groups [[GH-5289](https://github.com/hashicorp/vault/pull/5289)] 2798 * secrets/database: Fix nil pointer when revoking some leases [[GH-5262](https://github.com/hashicorp/vault/pull/5262)] 2799 * secrets/pki: Fix sign-verbatim losing extra Subject attributes [[GH-5245](https://github.com/hashicorp/vault/pull/5245)] 2800 * secrets/pki: Remove certificates from store when tidying revoked 2801 certificates and simplify API [[GH-5231](https://github.com/hashicorp/vault/pull/5231)] 2802 * ui: JSON editor will not coerce input to an object, and will now show an 2803 error about Vault expecting an object [[GH-5271](https://github.com/hashicorp/vault/pull/5271)] 2804 * ui: authentication form will now default to any methods that have been tuned 2805 to show up for unauthenticated users [[GH-5281](https://github.com/hashicorp/vault/pull/5281)] 2806 2807 2808## 0.11.0 (August 28th, 2018) 2809 2810DEPRECATIONS/CHANGES: 2811 2812 * Request Timeouts: A default request timeout of 90s is now enforced. This 2813 setting can be overwritten in the config file. If you anticipate requests 2814 taking longer than 90s this setting should be updated before upgrading. 2815 * (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There 2816 will be some further guidelines around when this will be removed again.) 2817 * `sys/` Top Level Injection: For the last two years for backwards 2818 compatibility data for various `sys/` routes has been injected into both the 2819 Secret's Data map and into the top level of the JSON response object. 2820 However, this has some subtle issues that pop up from time to time and is 2821 becoming increasingly complicated to maintain, so it's finally being 2822 removed. 2823 * Path Fallback for List Operations: For a very long time Vault has 2824 automatically adjusted `list` operations to always end in a `/`, as list 2825 operations operates on prefixes, so all list operations by definition end 2826 with `/`. This was done server-side so affects all clients. However, this 2827 has also led to a lot of confusion for users writing policies that assume 2828 that the path that they use in the CLI is the path used internally. Starting 2829 in 0.11, ACL policies gain a new fallback rule for listing: they will use a 2830 matching path ending in `/` if available, but if not found, they will look 2831 for the same path without a trailing `/`. This allows putting `list` 2832 capabilities in the same path block as most other capabilities for that 2833 path, while not providing any extra access if `list` wasn't actually 2834 provided there. 2835 * Performance Standbys On By Default: If you flavor/license of Vault 2836 Enterprise supports Performance Standbys, they are on by default. You can 2837 disable this behavior per-node with the `disable_performance_standby` 2838 configuration flag. 2839 * AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about 2840 the type of AWS credential they are generating; this reduces reduce 2841 ambiguity that existed previously as well as enables new features for 2842 specific credential types. Writing role data and generating credentials 2843 remain backwards compatible; however, the data returned when reading a 2844 role's configuration has changed in backwards-incompatible ways. Anything 2845 that depended on reading role data from the AWS secret engine will break 2846 until it is updated to work with the new format. 2847 * Token Format (Enterprise): Tokens are now represented as a base62 value; 2848 tokens in namespaces will have the namespace identifier appended. 2849 2850FEATURES: 2851 2852 * **Namespaces (Enterprise)**: A set of features within Vault Enterprise 2853 that allows Vault environments to support *Secure Multi-tenancy* within a 2854 single Vault Enterprise infrastructure. Through namespaces, Vault 2855 administrators can support tenant isolation for teams and individuals as 2856 well as empower those individuals to self-manage their own tenant 2857 environment. 2858 * **Performance Standbys (Enterprise)**: Standby nodes can now service 2859 requests that do not modify storage. This provides near-horizontal scaling 2860 of a cluster in some workloads, and is the intra-cluster analogue of 2861 the existing Performance Replication feature, which replicates to distinct 2862 clusters in other datacenters, geos, etc. 2863 * **AliCloud OSS Storage**: AliCloud OSS can now be used for Vault storage. 2864 * **AliCloud Auth Plugin**: AliCloud's identity services can now be used to 2865 grant access to Vault. See the [plugin 2866 repository](https://github.com/hashicorp/vault-plugin-auth-alicloud) for 2867 more information. 2868 * **Azure Secrets Plugin**: There is now a plugin (pulled in to Vault) that 2869 allows generating credentials to allow access to Azure. See the [plugin 2870 repository](https://github.com/hashicorp/vault-plugin-secrets-azure) for 2871 more information. 2872 * **HA Support for MySQL Storage**: MySQL storage now supports HA. 2873 * **ACL Templating**: ACL policies can now be templated using identity Entity, 2874 Groups, and Metadata. 2875 * **UI Onboarding wizards**: The Vault UI can provide contextual help and 2876 guidance, linking out to relevant links or guides on vaultproject.io for 2877 various workflows in Vault. 2878 2879IMPROVEMENTS: 2880 2881 * agent: Add `exit_after_auth` to be able to use the Agent for a single 2882 authentication [[GH-5013](https://github.com/hashicorp/vault/pull/5013)] 2883 * auth/approle: Add ability to set token bound CIDRs on individual Secret IDs 2884 [[GH-5034](https://github.com/hashicorp/vault/pull/5034)] 2885 * cli: Add support for passing parameters to `vault read` operations [[GH-5093](https://github.com/hashicorp/vault/pull/5093)] 2886 * secrets/aws: Make credential types more explicit [[GH-4360](https://github.com/hashicorp/vault/pull/4360)] 2887 * secrets/nomad: Support for longer token names [[GH-5117](https://github.com/hashicorp/vault/pull/5117)] 2888 * secrets/pki: Allow disabling CRL generation [[GH-5134](https://github.com/hashicorp/vault/pull/5134)] 2889 * storage/azure: Add support for different Azure environments [[GH-4997](https://github.com/hashicorp/vault/pull/4997)] 2890 * storage/file: Sort keys in list responses [[GH-5141](https://github.com/hashicorp/vault/pull/5141)] 2891 * storage/mysql: Support special characters in database and table names. 2892 2893BUG FIXES: 2894 2895 * auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set 2896 (IOW, error in this case) 2897 * core: Prevent Go's HTTP library from interspersing logs in a different 2898 format and/or interleaved [[GH-5135](https://github.com/hashicorp/vault/pull/5135)] 2899 * identity: Properly populate `mount_path` and `mount_type` on group lookup 2900 [[GH-5074](https://github.com/hashicorp/vault/pull/5074)] 2901 * identity: Fix persisting alias metadata [[GH-5188](https://github.com/hashicorp/vault/pull/5188)] 2902 * identity: Fix carryover issue from previously fixed race condition that 2903 could cause Vault not to start up due to two entities referencing the same 2904 alias. These entities are now merged. [[GH-5000](https://github.com/hashicorp/vault/pull/5000)] 2905 * replication: Fix issue causing some pages not to flush to storage 2906 * secrets/database: Fix inability to update custom SQL statements on 2907 database roles. [[GH-5080](https://github.com/hashicorp/vault/pull/5080)] 2908 * secrets/pki: Disallow putting the CA's serial on its CRL. While technically 2909 legal, doing so inherently means the CRL can't be trusted anyways, so it's 2910 not useful and easy to footgun. [[GH-5134](https://github.com/hashicorp/vault/pull/5134)] 2911 * storage/gcp,spanner: Fix data races [[GH-5081](https://github.com/hashicorp/vault/pull/5081)] 2912 2913## 0.10.4 (July 25th, 2018) 2914 2915SECURITY: 2916 2917 * Control Groups: The associated Identity entity with a request was not being 2918 properly persisted. As a result, the same authorizer could provide more than 2919 one authorization. 2920 2921DEPRECATIONS/CHANGES: 2922 2923 * Revocations of dynamic secrets leases are now queued/asynchronous rather 2924 than synchronous. This allows Vault to take responsibility for revocation 2925 even if the initial attempt fails. The previous synchronous behavior can be 2926 attained via the `-sync` CLI flag or `sync` API parameter. When in 2927 synchronous mode, if the operation results in failure it is up to the user 2928 to retry. 2929 * CLI Retries: The CLI will no longer retry commands on 5xx errors. This was a 2930 source of confusion to users as to why Vault would "hang" before returning a 2931 5xx error. The Go API client still defaults to two retries. 2932 * Identity Entity Alias metadata: You can no longer manually set metadata on 2933 entity aliases. All alias data (except the canonical entity ID it refers to) 2934 is intended to be managed by the plugin providing the alias information, so 2935 allowing it to be set manually didn't make sense. 2936 2937FEATURES: 2938 2939 * **JWT/OIDC Auth Method**: The new `jwt` auth method accepts JWTs and either 2940 validates signatures locally or uses OIDC Discovery to fetch the current set 2941 of keys for signature validation. Various claims can be specified for 2942 validation (in addition to the cryptographic signature) and a user and 2943 optional groups claim can be used to provide Identity information. 2944 * **FoundationDB Storage**: You can now use FoundationDB for storing Vault 2945 data. 2946 * **UI Control Group Workflow (enterprise)**: The UI will now detect control 2947 group responses and provides a workflow to view the status of the request 2948 and to authorize requests. 2949 * **Vault Agent (Beta)**: Vault Agent is a daemon that can automatically 2950 authenticate for you across a variety of authentication methods, provide 2951 tokens to clients, and keep the tokens renewed, reauthenticating as 2952 necessary. 2953 2954IMPROVEMENTS: 2955 2956 * auth/azure: Add support for virtual machine scale sets 2957 * auth/gcp: Support multiple bindings for region, zone, and instance group 2958 * cli: Add subcommands for interacting with the plugin catalog [[GH-4911](https://github.com/hashicorp/vault/pull/4911)] 2959 * cli: Add a `-description` flag to secrets and auth tune subcommands to allow 2960 updating an existing secret engine's or auth method's description. This 2961 change also allows the description to be unset by providing an empty string. 2962 * core: Add config flag to disable non-printable character check [[GH-4917](https://github.com/hashicorp/vault/pull/4917)] 2963 * core: A `max_request_size` parameter can now be set per-listener to adjust 2964 the maximum allowed size per request [[GH-4824](https://github.com/hashicorp/vault/pull/4824)] 2965 * core: Add control group request endpoint to default policy [[GH-4904](https://github.com/hashicorp/vault/pull/4904)] 2966 * identity: Identity metadata is now passed through to plugins [[GH-4967](https://github.com/hashicorp/vault/pull/4967)] 2967 * replication: Add additional saftey checks and logging when replication is 2968 in a bad state 2969 * secrets/kv: Add support for using `-field=data` to KVv2 when using `vault 2970 kv` [[GH-4895](https://github.com/hashicorp/vault/pull/4895)] 2971 * secrets/pki: Add the ability to tidy revoked but unexpired certificates 2972 [[GH-4916](https://github.com/hashicorp/vault/pull/4916)] 2973 * secrets/ssh: Allow Vault to work with single-argument SSH flags [[GH-4825](https://github.com/hashicorp/vault/pull/4825)] 2974 * secrets/ssh: SSH executable path can now be configured in the CLI [[GH-4937](https://github.com/hashicorp/vault/pull/4937)] 2975 * storage/swift: Add additional configuration options [[GH-4901](https://github.com/hashicorp/vault/pull/4901)] 2976 * ui: Choose which auth methods to show to unauthenticated users via 2977 `listing_visibility` in the auth method edit forms [[GH-4854](https://github.com/hashicorp/vault/pull/4854)] 2978 * ui: Authenticate users automatically by passing a wrapped token to the UI via 2979 the new `wrapped_token` query parameter [[GH-4854](https://github.com/hashicorp/vault/pull/4854)] 2980 2981BUG FIXES: 2982 2983 * api: Fix response body being cleared too early [[GH-4987](https://github.com/hashicorp/vault/pull/4987)] 2984 * auth/approle: Fix issue with tidy endpoint that would unnecessarily remove 2985 secret accessors [[GH-4981](https://github.com/hashicorp/vault/pull/4981)] 2986 * auth/aws: Fix updating `max_retries` [[GH-4980](https://github.com/hashicorp/vault/pull/4980)] 2987 * auth/kubernetes: Trim trailing whitespace when sending JWT 2988 * cli: Fix parsing of environment variables for integer flags [[GH-4925](https://github.com/hashicorp/vault/pull/4925)] 2989 * core: Fix returning 500 instead of 503 if a rekey is attempted when Vault is 2990 sealed [[GH-4874](https://github.com/hashicorp/vault/pull/4874)] 2991 * core: Fix issue releasing the leader lock in some circumstances [[GH-4915](https://github.com/hashicorp/vault/pull/4915)] 2992 * core: Fix a panic that could happen if the server was shut down while still 2993 starting up 2994 * core: Fix deadlock that would occur if a leadership loss occurs at the same 2995 time as a seal operation [[GH-4932](https://github.com/hashicorp/vault/pull/4932)] 2996 * core: Fix issue with auth mounts failing to renew tokens due to policies 2997 changing [[GH-4960](https://github.com/hashicorp/vault/pull/4960)] 2998 * auth/radius: Fix issue where some radius logins were being canceled too early 2999 [[GH-4941](https://github.com/hashicorp/vault/pull/4941)] 3000 * core: Fix accidental seal of vault of we lose leadership during startup 3001 [[GH-4924](https://github.com/hashicorp/vault/pull/4924)] 3002 * core: Fix standby not being able to forward requests larger than 4MB 3003 [[GH-4844](https://github.com/hashicorp/vault/pull/4844)] 3004 * core: Avoid panic while processing group memberships [[GH-4841](https://github.com/hashicorp/vault/pull/4841)] 3005 * identity: Fix a race condition creating aliases [[GH-4965](https://github.com/hashicorp/vault/pull/4965)] 3006 * plugins: Fix being unable to send very large payloads to or from plugins 3007 [[GH-4958](https://github.com/hashicorp/vault/pull/4958)] 3008 * physical/azure: Long list responses would sometimes be truncated [[GH-4983](https://github.com/hashicorp/vault/pull/4983)] 3009 * replication: Allow replication status requests to be processed while in 3010 merkle sync 3011 * replication: Ensure merkle reindex flushes all changes to storage immediately 3012 * replication: Fix a case where a network interruption could cause a secondary 3013 to be unable to reconnect to a primary 3014 * secrets/pki: Fix permitted DNS domains performing improper validation 3015 [[GH-4863](https://github.com/hashicorp/vault/pull/4863)] 3016 * secrets/database: Fix panic during DB creds revocation [[GH-4846](https://github.com/hashicorp/vault/pull/4846)] 3017 * ui: Fix usage of cubbyhole backend in the UI [[GH-4851](https://github.com/hashicorp/vault/pull/4851)] 3018 * ui: Fix toggle state when a secret is JSON-formatted [[GH-4913](https://github.com/hashicorp/vault/pull/4913)] 3019 * ui: Fix coercion of falsey values to empty string when editing secrets as 3020 JSON [[GH-4977](https://github.com/hashicorp/vault/pull/4977)] 3021 3022## 0.10.3 (June 20th, 2018) 3023 3024DEPRECATIONS/CHANGES: 3025 3026 * In the audit log and in client responses, policies are now split into three 3027 parameters: policies that came only from tokens, policies that came only 3028 from Identity, and the combined set. Any previous location of policies via 3029 the API now contains the full, combined set. 3030 * When a token is tied to an Identity entity and the entity is deleted, the 3031 token will no longer be usable, regardless of the validity of the token 3032 itself. 3033 * When authentication succeeds but no policies were defined for that specific 3034 user, most auth methods would allow a token to be generated but a few would 3035 reject the authentication, namely `ldap`, `okta`, and `radius`. Since the 3036 `default` policy is added by Vault's core, this would incorrectly reject 3037 valid authentications before they would in fact be granted policies. This 3038 inconsistency has been addressed; valid authentications for these methods 3039 now succeed even if no policy was specifically defined in that method for 3040 that user. 3041 3042FEATURES: 3043 3044 * Root Rotation for Active Directory: You can now command Vault to rotate the 3045 configured root credentials used in the AD secrets engine, to ensure that 3046 only Vault knows the credentials it's using. 3047 * URI SANs in PKI: You can now configure URI Subject Alternate Names in the 3048 `pki` backend. Roles can limit which SANs are allowed via globbing. 3049 * `kv rollback` Command: You can now use `vault kv rollback` to roll a KVv2 3050 path back to a previous non-deleted/non-destroyed version. The previous 3051 version becomes the next/newest version for the path. 3052 * Token Bound CIDRs in AppRole: You can now add CIDRs to which a token 3053 generated from AppRole will be bound. 3054 3055IMPROVEMENTS: 3056 3057 * approle: Return 404 instead of 202 on invalid role names during POST 3058 operations [[GH-4778](https://github.com/hashicorp/vault/pull/4778)] 3059 * core: Add idle and initial header read/TLS handshake timeouts to connections 3060 to ensure server resources are cleaned up [[GH-4760](https://github.com/hashicorp/vault/pull/4760)] 3061 * core: Report policies in token, identity, and full sets [[GH-4747](https://github.com/hashicorp/vault/pull/4747)] 3062 * secrets/databases: Add `create`/`update` distinction for connection 3063 configurations [[GH-3544](https://github.com/hashicorp/vault/pull/3544)] 3064 * secrets/databases: Add `create`/`update` distinction for role configurations 3065 [[GH-3544](https://github.com/hashicorp/vault/pull/3544)] 3066 * secrets/databases: Add best-effort revocation logic for use when a role has 3067 been deleted [[GH-4782](https://github.com/hashicorp/vault/pull/4782)] 3068 * secrets/kv: Add `kv rollback` [[GH-4774](https://github.com/hashicorp/vault/pull/4774)] 3069 * secrets/pki: Add URI SANs support [[GH-4675](https://github.com/hashicorp/vault/pull/4675)] 3070 * secrets/ssh: Allow standard SSH command arguments to be used, without 3071 requiring username@hostname syntax [[GH-4710](https://github.com/hashicorp/vault/pull/4710)] 3072 * storage/consul: Add context support so that requests are cancelable 3073 [[GH-4739](https://github.com/hashicorp/vault/pull/4739)] 3074 * sys: Added `hidden` option to `listing_visibility` field on `sys/mounts` 3075 API [[GH-4827](https://github.com/hashicorp/vault/pull/4827)] 3076 * ui: Secret values are obfuscated by default and visibility is toggleable [[GH-4422](https://github.com/hashicorp/vault/pull/4422)] 3077 3078BUG FIXES: 3079 3080 * auth/approle: Fix panic due to metadata being nil [[GH-4719](https://github.com/hashicorp/vault/pull/4719)] 3081 * auth/aws: Fix delete path for tidy operations [[GH-4799](https://github.com/hashicorp/vault/pull/4799)] 3082 * core: Optimizations to remove some speed regressions due to the 3083 security-related changes in 0.10.2 3084 * storage/dynamodb: Fix errors seen when reading existing DynamoDB data [[GH-4721](https://github.com/hashicorp/vault/pull/4721)] 3085 * secrets/database: Fix default MySQL root rotation statement [[GH-4748](https://github.com/hashicorp/vault/pull/4748)] 3086 * secrets/gcp: Fix renewal for GCP account keys 3087 * secrets/kv: Fix writing to the root of a KVv2 mount from `vault kv` commands 3088 incorrectly operating on a root+mount path instead of being an error 3089 [[GH-4726](https://github.com/hashicorp/vault/pull/4726)] 3090 * seal/pkcs11: Add `CKK_SHA256_HMAC` to the search list when finding HMAC 3091 keys, fixing lookup on some Thales devices 3092 * replication: Fix issue enabling replication when a non-auth mount and auth 3093 mount have the same name 3094 * auth/kubernetes: Fix issue verifying ECDSA signed JWTs 3095 * ui: add missing edit mode for auth method configs [[GH-4770](https://github.com/hashicorp/vault/pull/4770)] 3096 3097## 0.10.2 (June 6th, 2018) 3098 3099SECURITY: 3100 3101 * Tokens: A race condition was identified that could occur if a token's 3102 lease expired while Vault was not running. In this case, when Vault came 3103 back online, sometimes it would properly revoke the lease but other times it 3104 would not, leading to a Vault token that no longer had an expiration and had 3105 essentially unlimited lifetime. This race was per-token, not all-or-nothing 3106 for all tokens that may have expired during Vault's downtime. We have fixed 3107 the behavior and put extra checks in place to help prevent any similar 3108 future issues. In addition, the logic we have put in place ensures that such 3109 lease-less tokens can no longer be used (unless they are root tokens that 3110 never had an expiration to begin with). 3111 * Convergent Encryption: The version 2 algorithm used in `transit`'s 3112 convergent encryption feature is susceptible to offline 3113 plaintext-confirmation attacks. As a result, we are introducing a version 3 3114 algorithm that mitigates this. If you are currently using convergent 3115 encryption, we recommend upgrading, rotating your encryption key (the new 3116 key version will use the new algorithm), and rewrapping your data (the 3117 `rewrap` endpoint can be used to allow a relatively non-privileged user to 3118 perform the rewrapping while never divulging the plaintext). 3119 * AppRole case-sensitive role name secret-id leaking: When using a mixed-case 3120 role name via AppRole, deleting a secret-id via accessor or other operations 3121 could end up leaving the secret-id behind and valid but without an accessor. 3122 This has now been fixed, and we have put checks in place to prevent these 3123 secret-ids from being used. 3124 3125DEPRECATIONS/CHANGES: 3126 3127 * PKI duration return types: The PKI backend now returns durations (e.g. when 3128 reading a role) as an integer number of seconds instead of a Go-style 3129 string, in line with how the rest of Vault's API returns durations. 3130 3131FEATURES: 3132 3133 * Active Directory Secrets Engine: A new `ad` secrets engine has been created 3134 which allows Vault to rotate and provide credentials for configured AD 3135 accounts. 3136 * Rekey Verification: Rekey operations can now require verification. This 3137 turns on a two-phase process where the existing key shares authorize 3138 generating a new master key, and a threshold of the new, returned key shares 3139 must be provided to verify that they have been successfully received in 3140 order for the actual master key to be rotated. 3141 * CIDR restrictions for `cert`, `userpass`, and `kubernetes` auth methods: 3142 You can now limit authentication to specific CIDRs; these will also be 3143 encoded in resultant tokens to limit their use. 3144 * Vault UI Browser CLI: The UI now supports usage of read/write/list/delete 3145 commands in a CLI that can be accessed from the nav bar. Complex inputs such 3146 as JSON files are not currently supported. This surfaces features otherwise 3147 unsupported in Vault's UI. 3148 * Azure Key Vault Auto Unseal/Seal Wrap Support (Enterprise): Azure Key Vault 3149 can now be used a support seal for Auto Unseal and Seal Wrapping. 3150 3151IMPROVEMENTS: 3152 3153 * api: Close renewer's doneCh when the renewer is stopped, so that programs 3154 expecting a final value through doneCh behave correctly [[GH-4472](https://github.com/hashicorp/vault/pull/4472)] 3155 * auth/cert: Break out `allowed_names` into component parts and add 3156 `allowed_uri_sans` [[GH-4231](https://github.com/hashicorp/vault/pull/4231)] 3157 * auth/ldap: Obfuscate error messages pre-bind for greater security [[GH-4700](https://github.com/hashicorp/vault/pull/4700)] 3158 * cli: `vault login` now supports a `-no-print` flag to suppress printing 3159 token information but still allow storing into the token helper [[GH-4454](https://github.com/hashicorp/vault/pull/4454)] 3160 * core/pkcs11 (enterprise): Add support for CKM_AES_CBC_PAD, CKM_RSA_PKCS, and 3161 CKM_RSA_PKCS_OAEP mechanisms 3162 * core/pkcs11 (enterprise): HSM slots can now be selected by token label 3163 instead of just slot number 3164 * core/token: Optimize token revocation by removing unnecessary list call 3165 against the storage backend when calling revoke-orphan on tokens [[GH-4465](https://github.com/hashicorp/vault/pull/4465)] 3166 * core/token: Refactor token revocation logic to not block on the call when 3167 underlying leases are pending revocation by moving the expiration logic to 3168 the expiration manager [[GH-4512](https://github.com/hashicorp/vault/pull/4512)] 3169 * expiration: Allow revoke-prefix and revoke-force to work on single leases as 3170 well as prefixes [[GH-4450](https://github.com/hashicorp/vault/pull/4450)] 3171 * identity: Return parent group info when reading a group [[GH-4648](https://github.com/hashicorp/vault/pull/4648)] 3172 * identity: Provide more contextual key information when listing entities, 3173 groups, and aliases 3174 * identity: Passthrough EntityID to backends [[GH-4663](https://github.com/hashicorp/vault/pull/4663)] 3175 * identity: Adds ability to request entity information through system view 3176 [GH_4681] 3177 * secret/pki: Add custom extended key usages [[GH-4667](https://github.com/hashicorp/vault/pull/4667)] 3178 * secret/pki: Add custom PKIX serial numbers [[GH-4694](https://github.com/hashicorp/vault/pull/4694)] 3179 * secret/ssh: Use hostname instead of IP in OTP mode, similar to CA mode 3180 [[GH-4673](https://github.com/hashicorp/vault/pull/4673)] 3181 * storage/file: Attempt in some error conditions to do more cleanup [[GH-4684](https://github.com/hashicorp/vault/pull/4684)] 3182 * ui: wrapping lookup now distplays the path [[GH-4644](https://github.com/hashicorp/vault/pull/4644)] 3183 * ui: Identity interface now has more inline actions to make editing and adding 3184 aliases to an entity or group easier [[GH-4502](https://github.com/hashicorp/vault/pull/4502)] 3185 * ui: Identity interface now lists groups by name [[GH-4655](https://github.com/hashicorp/vault/pull/4655)] 3186 * ui: Permission denied errors still render the sidebar in the Access section 3187 [[GH-4658](https://github.com/hashicorp/vault/pull/4658)] 3188 * replication: Improve performance of index page flushes and WAL garbage 3189 collecting 3190 3191BUG FIXES: 3192 3193 * auth/approle: Make invalid role_id a 400 error instead of 500 [[GH-4470](https://github.com/hashicorp/vault/pull/4470)] 3194 * auth/cert: Fix Identity alias using serial number instead of common name 3195 [[GH-4475](https://github.com/hashicorp/vault/pull/4475)] 3196 * cli: Fix panic running `vault token capabilities` with multiple paths 3197 [[GH-4552](https://github.com/hashicorp/vault/pull/4552)] 3198 * core: When using the `use_always` option with PROXY protocol support, do not 3199 require `authorized_addrs` to be set [[GH-4065](https://github.com/hashicorp/vault/pull/4065)] 3200 * core: Fix panic when certain combinations of policy paths and allowed/denied 3201 parameters were used [[GH-4582](https://github.com/hashicorp/vault/pull/4582)] 3202 * secret/gcp: Make `bound_region` able to use short names 3203 * secret/kv: Fix response wrapping for KV v2 [[GH-4511](https://github.com/hashicorp/vault/pull/4511)] 3204 * secret/kv: Fix address flag not being honored correctly [[GH-4617](https://github.com/hashicorp/vault/pull/4617)] 3205 * secret/pki: Fix `safety_buffer` for tidy being allowed to be negative, 3206 clearing all certs [[GH-4641](https://github.com/hashicorp/vault/pull/4641)] 3207 * secret/pki: Fix `key_type` not being allowed to be set to `any` [[GH-4595](https://github.com/hashicorp/vault/pull/4595)] 3208 * secret/pki: Fix path length parameter being ignored when using 3209 `use_csr_values` and signing an intermediate CA cert [[GH-4459](https://github.com/hashicorp/vault/pull/4459)] 3210 * secret/ssh: Only append UserKnownHostsFile to args when configured with a 3211 value [[GH-4674](https://github.com/hashicorp/vault/pull/4674)] 3212 * storage/dynamodb: Fix listing when one child is left within a nested path 3213 [[GH-4570](https://github.com/hashicorp/vault/pull/4570)] 3214 * storage/gcs: Fix swallowing an error on connection close [[GH-4691](https://github.com/hashicorp/vault/pull/4691)] 3215 * ui: Fix HMAC algorithm in transit [[GH-4604](https://github.com/hashicorp/vault/pull/4604)] 3216 * ui: Fix unwrap of auth responses via the UI's unwrap tool [[GH-4611](https://github.com/hashicorp/vault/pull/4611)] 3217 * ui (enterprise): Fix parsing of version string that blocked some users from seeing 3218 enterprise-specific pages in the UI [[GH-4547](https://github.com/hashicorp/vault/pull/4547)] 3219 * ui: Fix incorrect capabilities path check when viewing policies [[GH-4566](https://github.com/hashicorp/vault/pull/4566)] 3220 * replication: Fix error while running plugins on a newly created replication 3221 secondary 3222 * replication: Fix issue with token store lookups after a secondary's mount table 3223 is invalidated. 3224 * replication: Improve startup time when a large merkle index is in use. 3225 * replication: Fix panic when storage becomes unreachable during unseal. 3226 3227## 0.10.1/0.9.7 (April 25th, 2018) 3228 3229The following two items are in both 0.9.7 and 0.10.1. They only affect 3230Enterprise, and as such 0.9.7 is an Enterprise-only release: 3231 3232SECURITY: 3233 3234 * EGPs: A regression affecting 0.9.6 and 0.10.0 causes EGPs to not be applied 3235 correctly if an EGP is updated in a running Vault after initial write or 3236 after it is loaded on unseal. This has been fixed. 3237 3238BUG FIXES: 3239 3240 * Fixed an upgrade issue affecting performance secondaries when migrating from 3241 a version that did not include Identity to one that did. 3242 3243All other content in this release is for 0.10.1 only. 3244 3245DEPRECATIONS/CHANGES: 3246 3247 * `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against 3248 v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server 3249 and CLI versions is required. 3250 * Mount information visibility: Users that have access to any path within a 3251 mount can now see information about that mount, such as its type and 3252 options, via some API calls. 3253 * Identity and Local Mounts: Local mounts would allow creating Identity 3254 entities but these would not be able to be used successfully (even locally) 3255 in replicated scenarios. We have now disallowed entities and groups from 3256 being created for local mounts in the first place. 3257 3258FEATURES: 3259 3260 * X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the 3261 client IP seen by Vault. See the [TCP listener configuration 3262 page](https://www.vaultproject.io/docs/configuration/listener/tcp.html) for 3263 details. 3264 * CIDR IP Binding for Tokens: Tokens now support being bound to specific 3265 CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be 3266 expanded to other authentication backends over time. 3267 * `vault kv patch` command: A new `kv patch` helper command that allows 3268 modifying only some values in existing data at a K/V path, but uses 3269 check-and-set to ensure that this modification happens safely. 3270 * AppRole Local Secret IDs: Roles can now be configured to generate secret IDs 3271 local to the cluster. This enables performance secondaries to generate and 3272 consume secret IDs without contacting the primary. 3273 * AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs, 3274 AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently 3275 only been fully tested on AWS CloudHSM. 3276 * Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal 3277 mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys, 3278 and migration between key and encryption types, such as from AES-CBC to 3279 AES-GCM, can be performed at the same time (where supported). 3280 3281IMPROVEMENTS: 3282 3283 * auth/approle: Support for cluster local secret IDs. This enables secondaries 3284 to generate secret IDs without contacting the primary [[GH-4427](https://github.com/hashicorp/vault/pull/4427)] 3285 * auth/token: Add to the token lookup response, the policies inherited due to 3286 identity associations [[GH-4366](https://github.com/hashicorp/vault/pull/4366)] 3287 * auth/token: Add CIDR binding to token roles [[GH-815](https://github.com/hashicorp/vault/pull/815)] 3288 * cli: Add `vault kv patch` [[GH-4432](https://github.com/hashicorp/vault/pull/4432)] 3289 * core: Add X-Forwarded-For support [[GH-4380](https://github.com/hashicorp/vault/pull/4380)] 3290 * core: Add token CIDR-binding support [[GH-815](https://github.com/hashicorp/vault/pull/815)] 3291 * identity: Add the ability to disable an entity. Disabling an entity does not 3292 revoke associated tokens, but while the entity is disabled they cannot be 3293 used. [[GH-4353](https://github.com/hashicorp/vault/pull/4353)] 3294 * physical/consul: Allow tuning of session TTL and lock wait time [[GH-4352](https://github.com/hashicorp/vault/pull/4352)] 3295 * replication: Dynamically adjust WAL cleanup over a period of time based on 3296 the rate of writes committed 3297 * secret/ssh: Update dynamic key install script to use shell locking to avoid 3298 concurrent modifications [[GH-4358](https://github.com/hashicorp/vault/pull/4358)] 3299 * ui: Access to `sys/mounts` is no longer needed to use the UI - the list of 3300 engines will show you the ones you implicitly have access to (because you have 3301 access to to secrets in those engines) [[GH-4439](https://github.com/hashicorp/vault/pull/4439)] 3302 3303BUG FIXES: 3304 3305 * cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts 3306 [[GH-4430](https://github.com/hashicorp/vault/pull/4430)] 3307 * identity: Persist entity memberships in external identity groups across 3308 mounts [[GH-4365](https://github.com/hashicorp/vault/pull/4365)] 3309 * identity: Fix error preventing authentication using local mounts on 3310 performance secondary replication clusters [[GH-4407](https://github.com/hashicorp/vault/pull/4407)] 3311 * replication: Fix issue causing secondaries to not connect properly to a 3312 pre-0.10 primary until the primary was upgraded 3313 * secret/gcp: Fix panic on rollback when a roleset wasn't created properly 3314 [[GH-4344](https://github.com/hashicorp/vault/pull/4344)] 3315 * secret/gcp: Fix panic on renewal 3316 * ui: Fix IE11 form submissions in a few parts of the application [[GH-4378](https://github.com/hashicorp/vault/pull/4378)] 3317 * ui: Fix IE file saving on policy pages and init screens [[GH-4376](https://github.com/hashicorp/vault/pull/4376)] 3318 * ui: Fixed an issue where the AWS secret backend would show the wrong menu 3319 [[GH-4371](https://github.com/hashicorp/vault/pull/4371)] 3320 * ui: Fixed an issue where policies with commas would not render in the 3321 interface properly [[GH-4398](https://github.com/hashicorp/vault/pull/4398)] 3322 * ui: Corrected the saving of mount tune ttls for auth methods [[GH-4431](https://github.com/hashicorp/vault/pull/4431)] 3323 * ui: Credentials generation no longer checks capabilities before making 3324 api calls. This should fix needing "update" capabilites to read IAM 3325 credentials in the AWS secrets engine [[GH-4446](https://github.com/hashicorp/vault/pull/4446)] 3326 3327## 0.10.0 (April 10th, 2018) 3328 3329SECURITY: 3330 3331 * Log sanitization for Combined Database Secret Engine: In certain failure 3332 scenarios with incorrectly formatted connection urls, the raw connection 3333 errors were being returned to the user with the configured database 3334 credentials. Errors are now sanitized before being returned to the user. 3335 3336DEPRECATIONS/CHANGES: 3337 3338 * Database plugin compatibility: The database plugin interface was enhanced to 3339 support some additional functionality related to root credential rotation 3340 and supporting templated URL strings. The changes were made in a 3341 backwards-compatible way and all builtin plugins were updated with the new 3342 features. Custom plugins not built into Vault will need to be upgraded to 3343 support templated URL strings and root rotation. Additionally, the 3344 Initialize method was deprecated in favor of a new Init method that supports 3345 configuration modifications that occur in the plugin back to the primary 3346 data store. 3347 * Removal of returned secret information: For a long time Vault has returned 3348 configuration given to various secret engines and auth methods with secret 3349 values (such as secret API keys or passwords) still intact, and with a 3350 warning to the user on write that anyone with read access could see the 3351 secret. This was mostly done to make it easy for tools like Terraform to 3352 judge whether state had drifted. However, it also feels quite un-Vault-y to 3353 do this and we've never felt very comfortable doing so. In 0.10 we have gone 3354 through and removed this behavior from the various backends; fields which 3355 contained secret values are simply no longer returned on read. We are 3356 working with the Terraform team to make changes to their provider to 3357 accommodate this as best as possible, and users of other tools may have to 3358 make adjustments, but in the end we felt that the ends did not justify the 3359 means and we needed to prioritize security over operational convenience. 3360 * LDAP auth method case sensitivity: We now treat usernames and groups 3361 configured locally for policy assignment in a case insensitive fashion by 3362 default. Existing configurations will continue to work as they do now; 3363 however, the next time a configuration is written `case_sensitive_names` 3364 will need to be explicitly set to `true`. 3365 * TTL handling within core: All lease TTL handling has been centralized within 3366 the core of Vault to ensure consistency across all backends. Since this was 3367 previously delegated to individual backends, there may be some slight 3368 differences in TTLs generated from some backends. 3369 * Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/` 3370 by default at initialization time (it will still be available in `dev` 3371 mode). 3372 3373FEATURES: 3374 3375 * OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some 3376 features are only available with a supporting version of Vault, but the code 3377 base is entirely open. 3378 * Versioned K/V: The `kv` backend has been completely revamped, featuring 3379 flexible versioning of values, check-and-set protections, and more. A new 3380 `vault kv` subcommand allows friendly interactions with it. Existing mounts 3381 of the `kv` backend can be upgraded to the new versioned mode (downgrades 3382 are not currently supported). The old "passthrough" mode is still the 3383 default for new mounts; versioning can be turned on by setting the 3384 `-version=2` flag for the `vault secrets enable` command. 3385 * Database Root Credential Rotation: Database configurations can now rotate 3386 their own configured admin/root credentials, allowing configured credentials 3387 for a database connection to be rotated immediately after sending them into 3388 Vault, invalidating the old credentials and ensuring only Vault knows the 3389 actual valid values. 3390 * Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that 3391 allows authenticating Azure machines to Vault using Azure's Managed Service 3392 Identity credentials. See the [plugin 3393 repository](https://github.com/hashicorp/vault-plugin-auth-azure) for more 3394 information. 3395 * GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows 3396 generating secrets to allow access to GCP. See the [plugin 3397 repository](https://github.com/hashicorp/vault-plugin-secrets-gcp) for more 3398 information. 3399 * Selective Audit HMACing of Request and Response Data Keys: HMACing in audit 3400 logs can be turned off for specific keys in the request input map and 3401 response `data` map on a per-mount basis. 3402 * Passthrough Request Headers: Request headers can now be selectively passed 3403 through to backends on a per-mount basis. This is useful in various cases 3404 when plugins are interacting with external services. 3405 * HA for Google Cloud Storage: The GCS storage type now supports HA. 3406 * UI support for identity: Add and edit entities, groups, and their associated 3407 aliases. 3408 * UI auth method support: Enable, disable, and configure all of the built-in 3409 authentication methods. 3410 * UI (Enterprise): View and edit Sentinel policies. 3411 3412IMPROVEMENTS: 3413 3414 * core: Centralize TTL generation for leases in core [[GH-4230](https://github.com/hashicorp/vault/pull/4230)] 3415 * identity: API to update group-alias by ID [[GH-4237](https://github.com/hashicorp/vault/pull/4237)] 3416 * secret/cassandra: Update Cassandra storage delete function to not use batch 3417 operations [[GH-4054](https://github.com/hashicorp/vault/pull/4054)] 3418 * storage/mysql: Allow setting max idle connections and connection lifetime 3419 [[GH-4211](https://github.com/hashicorp/vault/pull/4211)] 3420 * storage/gcs: Add HA support [[GH-4226](https://github.com/hashicorp/vault/pull/4226)] 3421 * ui: Add Nomad to the list of available secret engines 3422 * ui: Adds ability to set static headers to be returned by the UI 3423 3424BUG FIXES: 3425 3426 * api: Fix retries not working [[GH-4322](https://github.com/hashicorp/vault/pull/4322)] 3427 * auth/gcp: Invalidate clients on config change 3428 * auth/token: Revoke-orphan and tidy operations now correctly cleans up the 3429 parent prefix entry in the underlying storage backend. These operations also 3430 mark corresponding child tokens as orphans by removing the parent/secondary 3431 index from the entries. [[GH-4193](https://github.com/hashicorp/vault/pull/4193)] 3432 * command: Re-add `-mfa` flag and migrate to OSS binary [[GH-4223](https://github.com/hashicorp/vault/pull/4223)] 3433 * core: Fix issue occurring from mounting two auth backends with the same path 3434 with one mount having `auth/` in front [[GH-4206](https://github.com/hashicorp/vault/pull/4206)] 3435 * mfa: Invalidation of MFA configurations (Enterprise) 3436 * replication: Fix a panic on some non-64-bit platforms 3437 * replication: Fix invalidation of policies on performance secondaries 3438 * secret/pki: When tidying if a value is unexpectedly nil, delete it and move 3439 on [[GH-4214](https://github.com/hashicorp/vault/pull/4214)] 3440 * storage/s3: Fix panic if S3 returns no Content-Length header [[GH-4222](https://github.com/hashicorp/vault/pull/4222)] 3441 * ui: Fixed an issue where the UI was checking incorrect paths when operating 3442 on transit keys. Capabilities are now checked when attempting to encrypt / 3443 decrypt, etc. 3444 * ui: Fixed IE 11 layout issues and JS errors that would stop the application 3445 from running. 3446 * ui: Fixed the link that gets rendered when a user doesn't have permissions 3447 to view the root of a secret engine. The link now sends them back to the list 3448 of secret engines. 3449 * replication: Fix issue with DR secondaries when using mount specified local 3450 paths. 3451 * cli: Fix an issue where generating a dr operation token would not output the 3452 token [[GH-4328](https://github.com/hashicorp/vault/pull/4328)] 3453 3454## 0.9.6 (March 20th, 2018) 3455 3456DEPRECATIONS/CHANGES: 3457 3458 * The AWS authentication backend now allows binds for inputs as either a 3459 comma-delimited string or a string array. However, to keep consistency with 3460 input and output, when reading a role the binds will now be returned as 3461 string arrays rather than strings. 3462 * In order to prefix-match IAM role and instance profile ARNs in AWS auth 3463 backend, you now must explicitly opt-in by adding a `*` to the end of the 3464 ARN. Existing configurations will be upgraded automatically, but when 3465 writing a new role configuration the updated behavior will be used. 3466 3467FEATURES: 3468 3469 * Replication Activation Enhancements: When activating a replication 3470 secondary, a public key can now be fetched first from the target cluster. 3471 This public key can be provided to the primary when requesting the 3472 activation token. If provided, the public key will be used to perform a 3473 Diffie-Hellman key exchange resulting in a shared key that encrypts the 3474 contents of the activation token. The purpose is to protect against 3475 accidental disclosure of the contents of the token if unwrapped by the wrong 3476 party, given that the contents of the token are highly sensitive. If 3477 accidentally unwrapped, the contents of the token are not usable by the 3478 unwrapping party. It is important to note that just as a malicious operator 3479 could unwrap the contents of the token, a malicious operator can pretend to 3480 be a secondary and complete the Diffie-Hellman exchange on their own; this 3481 feature provides defense in depth but still requires due diligence around 3482 replication activation, including multiple eyes on the commands/tokens and 3483 proper auditing. 3484 3485IMPROVEMENTS: 3486 3487 * api: Update renewer grace period logic. It no longer is static, but rather 3488 dynamically calculates one based on the current lease duration after each 3489 renew. [[GH-4090](https://github.com/hashicorp/vault/pull/4090)] 3490 * auth/approle: Allow array input for bound_cidr_list [4078] 3491 * auth/aws: Allow using lists in role bind parameters [[GH-3907](https://github.com/hashicorp/vault/pull/3907)] 3492 * auth/aws: Allow binding by EC2 instance IDs [[GH-3816](https://github.com/hashicorp/vault/pull/3816)] 3493 * auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs 3494 [[GH-4071](https://github.com/hashicorp/vault/pull/4071)] 3495 * auth/ldap: Set a very large size limit on queries [[GH-4169](https://github.com/hashicorp/vault/pull/4169)] 3496 * core: Log info notifications of revoked leases for all leases/reasons, not 3497 just expirations [[GH-4164](https://github.com/hashicorp/vault/pull/4164)] 3498 * physical/couchdb: Removed limit on the listing of items [[GH-4149](https://github.com/hashicorp/vault/pull/4149)] 3499 * secret/pki: Support certificate policies [[GH-4125](https://github.com/hashicorp/vault/pull/4125)] 3500 * secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to 3501 improve compatibility with some ADFS scenarios [[GH-3883](https://github.com/hashicorp/vault/pull/3883)] 3502 * secret/transit: Allow selecting signature algorithm as well as hash 3503 algorithm when signing/verifying [[GH-4018](https://github.com/hashicorp/vault/pull/4018)] 3504 * server: Make sure `tls_disable_client_cert` is actually a true value rather 3505 than just set [[GH-4049](https://github.com/hashicorp/vault/pull/4049)] 3506 * storage/dynamodb: Allow specifying max retries for dynamo client [[GH-4115](https://github.com/hashicorp/vault/pull/4115)] 3507 * storage/gcs: Allow specifying chunk size for transfers, which can reduce 3508 memory utilization [[GH-4060](https://github.com/hashicorp/vault/pull/4060)] 3509 * sys/capabilities: Add the ability to use multiple paths for capability 3510 checking [[GH-3663](https://github.com/hashicorp/vault/pull/3663)] 3511 3512BUG FIXES: 3513 3514 * auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also 3515 set [[GH-4107](https://github.com/hashicorp/vault/pull/4107)] 3516 * auth/okta: Fix honoring configured `max_ttl` value [[GH-4110](https://github.com/hashicorp/vault/pull/4110)] 3517 * auth/token: If a periodic token being issued has a period greater than the 3518 max_lease_ttl configured on the token store mount, truncate it. This matches 3519 renewal behavior; before it was inconsistent between issuance and renewal. 3520 [[GH-4112](https://github.com/hashicorp/vault/pull/4112)] 3521 * cli: Improve error messages around `vault auth help` when there is no CLI 3522 helper for a particular method [[GH-4056](https://github.com/hashicorp/vault/pull/4056)] 3523 * cli: Fix autocomplete installation when using Fish as the shell [[GH-4094](https://github.com/hashicorp/vault/pull/4094)] 3524 * secret/database: Properly honor mount-tuned max TTL [[GH-4051](https://github.com/hashicorp/vault/pull/4051)] 3525 * secret/ssh: Return `key_bits` value when reading a role [[GH-4098](https://github.com/hashicorp/vault/pull/4098)] 3526 * sys: When writing policies on a performance replication secondary, properly 3527 forward requests to the primary [[GH-4129](https://github.com/hashicorp/vault/pull/4129)] 3528 3529## 0.9.5 (February 26th, 2018) 3530 3531IMPROVEMENTS: 3532 3533 * auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling 3534 auth methods. [[GH-4019](https://github.com/hashicorp/vault/pull/4019)] 3535 * secret/database: Add list functionality to `database/config` endpoint 3536 [[GH-4026](https://github.com/hashicorp/vault/pull/4026)] 3537 * physical/consul: Allow setting a specific service address [[GH-3971](https://github.com/hashicorp/vault/pull/3971)] 3538 * replication: When bootstrapping a new secondary, if the initial cluster 3539 connection fails, Vault will attempt to roll back state so that 3540 bootstrapping can be tried again, rather than having to recreate the 3541 downstream cluster. This will still require fetching a new secondary 3542 activation token. 3543 3544BUG FIXES: 3545 3546 * auth/aws: Update libraries to fix regression verifying PKCS#7 identity 3547 documents [[GH-4014](https://github.com/hashicorp/vault/pull/4014)] 3548 * listener: Revert to Go 1.9 for now to allow certificates with non-DNS names 3549 in their DNS SANs to be used for Vault's TLS connections [[GH-4028](https://github.com/hashicorp/vault/pull/4028)] 3550 * replication: Fix issue with a performance secondary/DR primary node losing 3551 its DR primary status when performing an update-primary operation 3552 * replication: Fix issue where performance secondaries could be unable to 3553 automatically connect to a performance primary after that performance 3554 primary has been promoted to a DR primary from a DR secondary 3555 * ui: Fix behavior when a value contains a `.` 3556 3557## 0.9.4 (February 20th, 2018) 3558 3559SECURITY: 3560 3561 * Role Tags used with the EC2 style of AWS auth were being improperly parsed; 3562 as a result they were not being used to properly restrict values. 3563 Implementations following our suggestion of using these as defense-in-depth 3564 rather than the only source of restriction should not have significant 3565 impact. 3566 3567FEATURES: 3568 3569 * **ChaCha20-Poly1305 support in `transit`**: You can now encrypt and decrypt 3570 with ChaCha20-Poly1305 in `transit`. Key derivation and convergent 3571 encryption is also supported. 3572 * **Okta Push support in Okta Auth Backend**: If a user account has MFA 3573 required within Okta, an Okta Push MFA flow can be used to successfully 3574 finish authentication. 3575 * **PKI Improvements**: Custom OID subject alternate names can now be set, 3576 subject to allow restrictions that support globbing. Additionally, Country, 3577 Locality, Province, Street Address, and Postal Code can now be set in 3578 certificate subjects. 3579 * **Manta Storage**: Joyent Triton Manta can now be used for Vault storage 3580 * **Google Cloud Spanner Storage**: Google Cloud Spanner can now be used for 3581 Vault storage 3582 3583IMPROVEMENTS: 3584 3585 * auth/centrify: Add CLI helper 3586 * audit: Always log failure metrics, even if zero, to ensure the values appear 3587 on dashboards [[GH-3937](https://github.com/hashicorp/vault/pull/3937)] 3588 * cli: Disable color when output is not a TTY [[GH-3897](https://github.com/hashicorp/vault/pull/3897)] 3589 * cli: Add `-format` flag to all subcommands [[GH-3897](https://github.com/hashicorp/vault/pull/3897)] 3590 * cli: Do not display deprecation warnings when the format is not table 3591 [[GH-3897](https://github.com/hashicorp/vault/pull/3897)] 3592 * core: If over a predefined lease count (256k), log a warning not more than 3593 once a minute. Too many leases can be problematic for many of the storage 3594 backends and often this number of leases is indicative of a need for 3595 workflow improvements. [[GH-3957](https://github.com/hashicorp/vault/pull/3957)] 3596 * secret/nomad: Have generated ACL tokens cap out at 64 characters [[GH-4009](https://github.com/hashicorp/vault/pull/4009)] 3597 * secret/pki: Country, Locality, Province, Street Address, and Postal Code can 3598 now be set on certificates [[GH-3992](https://github.com/hashicorp/vault/pull/3992)] 3599 * secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in 3600 issued certs; allowed values can be set per role and support globbing 3601 [[GH-3889](https://github.com/hashicorp/vault/pull/3889)] 3602 * secret/pki: Add a flag to make the common name optional on certs [[GH-3940](https://github.com/hashicorp/vault/pull/3940)] 3603 * secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally, 3604 properly handle IDNA transformations for these DNS names [[GH-3953](https://github.com/hashicorp/vault/pull/3953)] 3605 * secret/ssh: Add `valid-principles` flag to CLI for CA mode [[GH-3922](https://github.com/hashicorp/vault/pull/3922)] 3606 * storage/manta: Add Manta storage [[GH-3270](https://github.com/hashicorp/vault/pull/3270)] 3607 * ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine. 3608 3609BUG FIXES: 3610 * api/renewer: Honor increment value in renew auth calls [[GH-3904](https://github.com/hashicorp/vault/pull/3904)] 3611 * auth/approle: Fix inability to use limited-use-count secret IDs on 3612 replication performance secondaries 3613 * auth/approle: Cleanup of secret ID accessors during tidy and removal of 3614 dangling accessor entries [[GH-3924](https://github.com/hashicorp/vault/pull/3924)] 3615 * auth/aws-ec2: Avoid masking of role tag response [[GH-3941](https://github.com/hashicorp/vault/pull/3941)] 3616 * auth/cert: Verify DNS SANs in the authenticating certificate [[GH-3982](https://github.com/hashicorp/vault/pull/3982)] 3617 * auth/okta: Return configured durations as seconds, not nanoseconds [[GH-3871](https://github.com/hashicorp/vault/pull/3871)] 3618 * auth/okta: Get all okta groups for a user vs. default 200 limit [[GH-4034](https://github.com/hashicorp/vault/pull/4034)] 3619 * auth/token: Token creation via the CLI no longer forces periodic token 3620 creation. Passing an explicit zero value for the period no longer create 3621 periodic tokens. [[GH-3880](https://github.com/hashicorp/vault/pull/3880)] 3622 * command: Fix interpreted formatting directives when printing raw fields 3623 [[GH-4005](https://github.com/hashicorp/vault/pull/4005)] 3624 * command: Correctly format output when using -field and -format flags at the 3625 same time [[GH-3987](https://github.com/hashicorp/vault/pull/3987)] 3626 * command/rekey: Re-add lost `stored-shares` parameter [[GH-3974](https://github.com/hashicorp/vault/pull/3974)] 3627 * command/ssh: Create and reuse the api client [[GH-3909](https://github.com/hashicorp/vault/pull/3909)] 3628 * command/status: Fix panic when status returns 500 from leadership lookup 3629 [[GH-3998](https://github.com/hashicorp/vault/pull/3998)] 3630 * identity: Fix race when creating entities [[GH-3932](https://github.com/hashicorp/vault/pull/3932)] 3631 * plugin/gRPC: Fixed an issue with list requests and raw responses coming from 3632 plugins using gRPC transport [[GH-3881](https://github.com/hashicorp/vault/pull/3881)] 3633 * plugin/gRPC: Fix panic when special paths are not set [[GH-3946](https://github.com/hashicorp/vault/pull/3946)] 3634 * secret/pki: Verify a name is a valid hostname before adding to DNS SANs 3635 [[GH-3918](https://github.com/hashicorp/vault/pull/3918)] 3636 * secret/transit: Fix auditing when reading a key after it has been backed up 3637 or restored [[GH-3919](https://github.com/hashicorp/vault/pull/3919)] 3638 * secret/transit: Fix storage/memory consistency when persistence fails 3639 [[GH-3959](https://github.com/hashicorp/vault/pull/3959)] 3640 * storage/consul: Validate that service names are RFC 1123 compliant [[GH-3960](https://github.com/hashicorp/vault/pull/3960)] 3641 * storage/etcd3: Fix memory ballooning with standby instances [[GH-3798](https://github.com/hashicorp/vault/pull/3798)] 3642 * storage/etcd3: Fix large lists (like token loading at startup) not being 3643 handled [[GH-3772](https://github.com/hashicorp/vault/pull/3772)] 3644 * storage/postgresql: Fix compatibility with versions using custom string 3645 version tags [[GH-3949](https://github.com/hashicorp/vault/pull/3949)] 3646 * storage/zookeeper: Update vendoring to fix freezing issues [[GH-3896](https://github.com/hashicorp/vault/pull/3896)] 3647 * ui (Enterprise): Decoding the replication token should no longer error and 3648 prevent enabling of a secondary replication cluster via the ui. 3649 * plugin/gRPC: Add connection info to the request object [[GH-3997](https://github.com/hashicorp/vault/pull/3997)] 3650 3651## 0.9.3 (January 28th, 2018) 3652 3653A regression from a feature merge disabled the Nomad secrets backend in 0.9.2. 3654This release re-enables the Nomad secrets backend; it is otherwise identical to 36550.9.2. 3656 3657## 0.9.2 (January 26th, 2018) 3658 3659SECURITY: 3660 3661 * Okta Auth Backend: While the Okta auth backend was successfully verifying 3662 usernames and passwords, it was not checking the returned state of the 3663 account, so accounts that had been marked locked out could still be used to 3664 log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed. 3665 * Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by 3666 the AppRole, AWS, and Cert auth backends would expire when the max TTL for 3667 the backend/mount/system was hit instead of their stated behavior of living 3668 as long as they are renewed. This is now fixed; existing tokens do not have 3669 to be reissued as this was purely a regression in the renewal logic. 3670 * Seal Wrapping: During certain replication states values written marked for 3671 seal wrapping may not be wrapped on the secondaries. This has been fixed, 3672 and existing values will be wrapped on next read or write. This does not 3673 affect the barrier keys. 3674 3675DEPRECATIONS/CHANGES: 3676 3677 * `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool 3678 returned by `sys/health` could be misleading since it would be `false` both 3679 when a cluster was not a DR secondary but also when the node is a standby in 3680 the cluster and has not yet fully received state from the active node. This 3681 could cause health checks on LBs to decide that the node was acceptable for 3682 traffic even though DR secondaries cannot handle normal Vault traffic. (In 3683 other words, the bool could only convey "yes" or "no" but not "not sure 3684 yet".) This has been replaced by `replication_dr_mode` and 3685 `replication_perf_mode` which are string values that convey the current 3686 state of the node; a value of `disabled` indicates that replication is 3687 disabled or the state is still being discovered. As a result, an LB check 3688 can positively verify that the node is both not `disabled` and is not a DR 3689 secondary, and avoid sending traffic to it if either is true. 3690 * PKI Secret Backend Roles parameter types: For `ou` and `organization` 3691 in role definitions in the PKI secret backend, input can now be a 3692 comma-separated string or an array of strings. Reading a role will 3693 now return arrays for these parameters. 3694 * Plugin API Changes: The plugin API has been updated to utilize golang's 3695 context.Context package. Many function signatures now accept a context 3696 object as the first parameter. Existing plugins will need to pull in the 3697 latest Vault code and update their function signatures to begin using 3698 context and the new gRPC transport. 3699 3700FEATURES: 3701 3702 * **gRPC Backend Plugins**: Backend plugins now use gRPC for transport, 3703 allowing them to be written in other languages. 3704 * **Brand New CLI**: Vault has a brand new CLI interface that is significantly 3705 streamlined, supports autocomplete, and is almost entirely backwards 3706 compatible. 3707 * **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends, 3708 create and browse roles and certificates, and issue and sign certificates via 3709 the listed roles. 3710 3711IMPROVEMENTS: 3712 3713 * auth/aws: Handle IAM headers produced by clients that formulate numbers as 3714 ints rather than strings [[GH-3763](https://github.com/hashicorp/vault/pull/3763)] 3715 * auth/okta: Support JSON lists when specifying groups and policies [[GH-3801](https://github.com/hashicorp/vault/pull/3801)] 3716 * autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues, 3717 including HA scenarios for some Gemalto HSMs. 3718 (Enterprise) 3719 * cli: Output password prompts to stderr to make it easier to pipe an output 3720 token to another command [[GH-3782](https://github.com/hashicorp/vault/pull/3782)] 3721 * core: Report replication status in `sys/health` [[GH-3810](https://github.com/hashicorp/vault/pull/3810)] 3722 * physical/s3: Allow using paths with S3 for non-AWS deployments [[GH-3730](https://github.com/hashicorp/vault/pull/3730)] 3723 * physical/s3: Add ability to disable SSL for non-AWS deployments [[GH-3730](https://github.com/hashicorp/vault/pull/3730)] 3724 * plugins: Args for plugins can now be specified separately from the command, 3725 allowing the same output format and input format for plugin information 3726 [[GH-3778](https://github.com/hashicorp/vault/pull/3778)] 3727 * secret/pki: `ou` and `organization` can now be specified as a 3728 comma-separated string or an array of strings [[GH-3804](https://github.com/hashicorp/vault/pull/3804)] 3729 * plugins: Plugins will fall back to using netrpc as the communication protocol 3730 on older versions of Vault [[GH-3833](https://github.com/hashicorp/vault/pull/3833)] 3731 3732BUG FIXES: 3733 3734 * auth/(approle,aws,cert): Fix behavior where periodic tokens generated by 3735 these backends could not have their TTL renewed beyond the system/mount max 3736 TTL value [[GH-3803](https://github.com/hashicorp/vault/pull/3803)] 3737 * auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an 3738 existing role update [[GH-3843](https://github.com/hashicorp/vault/pull/3843)] 3739 * core/sealwrap: Speed improvements and bug fixes (Enterprise) 3740 * identity: Delete group alias when an external group is deleted [[GH-3773](https://github.com/hashicorp/vault/pull/3773)] 3741 * legacymfa/duo: Fix intermittent panic when Duo could not be reached 3742 [[GH-2030](https://github.com/hashicorp/vault/pull/2030)] 3743 * secret/database: Fix a location where a lock could potentially not be 3744 released, leading to deadlock [[GH-3774](https://github.com/hashicorp/vault/pull/3774)] 3745 * secret/(all databases) Fix behavior where if a max TTL was specified but no 3746 default TTL was specified the system/mount default TTL would be used but not 3747 be capped by the local max TTL [[GH-3814](https://github.com/hashicorp/vault/pull/3814)] 3748 * secret/database: Fix an issue where plugins were not closed properly if they 3749 failed to initialize [[GH-3768](https://github.com/hashicorp/vault/pull/3768)] 3750 * ui: mounting a secret backend will now properly set `max_lease_ttl` and 3751 `default_lease_ttl` when specified - previously both fields set 3752 `default_lease_ttl`. 3753 3754## 0.9.1 (December 21st, 2017) 3755 3756DEPRECATIONS/CHANGES: 3757 3758 * AppRole Case Sensitivity: In prior versions of Vault, `list` operations 3759 against AppRole roles would require preserving case in the role name, even 3760 though most other operations within AppRole are case-insensitive with 3761 respect to the role name. This has been fixed; existing roles will behave as 3762 they have in the past, but new roles will act case-insensitively in these 3763 cases. 3764 * Token Auth Backend Roles parameter types: For `allowed_policies` and 3765 `disallowed_policies` in role definitions in the token auth backend, input 3766 can now be a comma-separated string or an array of strings. Reading a role 3767 will now return arrays for these parameters. 3768 * Transit key exporting: You can now mark a key in the `transit` backend as 3769 `exportable` at any time, rather than just at creation time; however, once 3770 this value is set, it still cannot be unset. 3771 * PKI Secret Backend Roles parameter types: For `allowed_domains` and 3772 `key_usage` in role definitions in the PKI secret backend, input 3773 can now be a comma-separated string or an array of strings. Reading a role 3774 will now return arrays for these parameters. 3775 * SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic 3776 key method in the SSH backend, the default is now to use 2048-bit keys if no 3777 specific key bit size is specified. 3778 * Consul Secret Backend lease handling: The `consul` secret backend can now 3779 accept both strings and integer numbers of seconds for its lease value. The 3780 value returned on a role read will be an integer number of seconds instead 3781 of a human-friendly string. 3782 * Unprintable characters not allowed in API paths: Unprintable characters are 3783 no longer allowed in names in the API (paths and path parameters), with an 3784 extra restriction on whitespace characters. Allowed characters are those 3785 that are considered printable by Unicode plus spaces. 3786 3787FEATURES: 3788 3789 * **Transit Backup/Restore**: The `transit` backend now supports a backup 3790 operation that can export a given key, including all key versions and 3791 configuration, as well as a restore operation allowing import into another 3792 Vault. 3793 * **gRPC Database Plugins**: Database plugins now use gRPC for transport, 3794 allowing them to be written in other languages. 3795 * **Nomad Secret Backend**: Nomad ACL tokens can now be generated and revoked 3796 using Vault. 3797 * **TLS Cert Auth Backend Improvements**: The `cert` auth backend can now 3798 match against custom certificate extensions via exact or glob matching, and 3799 additionally supports max_ttl and periodic token toggles. 3800 3801IMPROVEMENTS: 3802 3803 * auth/cert: Support custom certificate constraints [[GH-3634](https://github.com/hashicorp/vault/pull/3634)] 3804 * auth/cert: Support setting `max_ttl` and `period` [[GH-3642](https://github.com/hashicorp/vault/pull/3642)] 3805 * audit/file: Setting a file mode of `0000` will now disable Vault from 3806 automatically `chmod`ing the log file [[GH-3649](https://github.com/hashicorp/vault/pull/3649)] 3807 * auth/github: The legacy MFA system can now be used with the GitHub auth 3808 backend [[GH-3696](https://github.com/hashicorp/vault/pull/3696)] 3809 * auth/okta: The legacy MFA system can now be used with the Okta auth backend 3810 [[GH-3653](https://github.com/hashicorp/vault/pull/3653)] 3811 * auth/token: `allowed_policies` and `disallowed_policies` can now be specified 3812 as a comma-separated string or an array of strings [[GH-3641](https://github.com/hashicorp/vault/pull/3641)] 3813 * command/server: The log level can now be specified with `VAULT_LOG_LEVEL` 3814 [[GH-3721](https://github.com/hashicorp/vault/pull/3721)] 3815 * core: Period values from auth backends will now be checked and applied to the 3816 TTL value directly by core on login and renewal requests [[GH-3677](https://github.com/hashicorp/vault/pull/3677)] 3817 * database/mongodb: Add optional `write_concern` parameter, which can be set 3818 during database configuration. This establishes a session-wide [write 3819 concern](https://docs.mongodb.com/manual/reference/write-concern/) for the 3820 lifecycle of the mount [[GH-3646](https://github.com/hashicorp/vault/pull/3646)] 3821 * http: Request path containing non-printable characters will return 400 - Bad 3822 Request [[GH-3697](https://github.com/hashicorp/vault/pull/3697)] 3823 * mfa/okta: Filter a given email address as a login filter, allowing operation 3824 when login email and account email are different 3825 * plugins: Make Vault more resilient when unsealing when plugins are 3826 unavailable [[GH-3686](https://github.com/hashicorp/vault/pull/3686)] 3827 * secret/pki: `allowed_domains` and `key_usage` can now be specified 3828 as a comma-separated string or an array of strings [[GH-3642](https://github.com/hashicorp/vault/pull/3642)] 3829 * secret/ssh: Allow 4096-bit keys to be used in dynamic key method [[GH-3593](https://github.com/hashicorp/vault/pull/3593)] 3830 * secret/consul: The Consul secret backend now uses the value of `lease` set 3831 on the role, if set, when renewing a secret. [[GH-3796](https://github.com/hashicorp/vault/pull/3796)] 3832 * storage/mysql: Don't attempt database creation if it exists, which can help 3833 under certain permissions constraints [[GH-3716](https://github.com/hashicorp/vault/pull/3716)] 3834 3835BUG FIXES: 3836 3837 * api/status (enterprise): Fix status reporting when using an auto seal 3838 * auth/approle: Fix case-sensitive/insensitive comparison issue [[GH-3665](https://github.com/hashicorp/vault/pull/3665)] 3839 * auth/cert: Return `allowed_names` on role read [[GH-3654](https://github.com/hashicorp/vault/pull/3654)] 3840 * auth/ldap: Fix incorrect control information being sent [[GH-3402](https://github.com/hashicorp/vault/pull/3402)] [[GH-3496](https://github.com/hashicorp/vault/pull/3496)] 3841 [[GH-3625](https://github.com/hashicorp/vault/pull/3625)] [[GH-3656](https://github.com/hashicorp/vault/pull/3656)] 3842 * core: Fix seal status reporting when using an autoseal 3843 * core: Add creation path to wrap info for a control group token 3844 * core: Fix potential panic that could occur using plugins when a node 3845 transitioned from active to standby [[GH-3638](https://github.com/hashicorp/vault/pull/3638)] 3846 * core: Fix memory ballooning when a connection would connect to the cluster 3847 port and then go away -- redux! [[GH-3680](https://github.com/hashicorp/vault/pull/3680)] 3848 * core: Replace recursive token revocation logic with depth-first logic, which 3849 can avoid hitting stack depth limits in extreme cases [[GH-2348](https://github.com/hashicorp/vault/pull/2348)] 3850 * core: When doing a read on configured audited-headers, properly handle case 3851 insensitivity [[GH-3701](https://github.com/hashicorp/vault/pull/3701)] 3852 * core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable 3853 * database/mysql: Allow the creation statement to use commands that are not yet 3854 supported by the prepare statement protocol [[GH-3619](https://github.com/hashicorp/vault/pull/3619)] 3855 * plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference` [VPAG-19] 3856 3857## 0.9.0.1 (November 21st, 2017) (Enterprise Only) 3858 3859IMPROVEMENTS: 3860 3861 * auth/gcp: Support seal wrapping of configuration parameters 3862 * auth/kubernetes: Support seal wrapping of configuration parameters 3863 3864BUG FIXES: 3865 3866 * Fix an upgrade issue with some physical backends when migrating from legacy 3867 HSM stored key support to the new Seal Wrap mechanism (Enterprise) 3868 * mfa: Add the 'mfa' flag that was removed by mistake [[GH-4223](https://github.com/hashicorp/vault/pull/4223)] 3869 3870## 0.9.0 (November 14th, 2017) 3871 3872DEPRECATIONS/CHANGES: 3873 3874 * HSM config parameter requirements: When using Vault with an HSM, a new 3875 parameter is required: `hmac_key_label`. This performs a similar function to 3876 `key_label` but for the HMAC key Vault will use. Vault will generate a 3877 suitable key if this value is specified and `generate_key` is set true. 3878 * API HTTP client behavior: When calling `NewClient` the API no longer 3879 modifies the provided client/transport. In particular this means it will no 3880 longer enable redirection limiting and HTTP/2 support on custom clients. It 3881 is suggested that if you want to make changes to an HTTP client that you use 3882 one created by `DefaultConfig` as a starting point. 3883 * AWS EC2 client nonce behavior: The client nonce generated by the backend 3884 that gets returned along with the authentication response will be audited in 3885 plaintext. If this is undesired, the clients can choose to supply a custom 3886 nonce to the login endpoint. The custom nonce set by the client will from 3887 now on, not be returned back with the authentication response, and hence not 3888 audit logged. 3889 * AWS Auth role options: The API will now error when trying to create or 3890 update a role with the mutually-exclusive options 3891 `disallow_reauthentication` and `allow_instance_migration`. 3892 * SSH CA role read changes: When reading back a role from the `ssh` backend, 3893 the TTL/max TTL values will now be an integer number of seconds rather than 3894 a string. This better matches the API elsewhere in Vault. 3895 * SSH role list changes: When listing roles from the `ssh` backend via the API, 3896 the response data will additionally return a `key_info` map that will contain 3897 a map of each key with a corresponding object containing the `key_type`. 3898 * More granularity in audit logs: Audit request and response entries are still 3899 in RFC3339 format but now have a granularity of nanoseconds. 3900 * High availability related values have been moved out of the `storage` and 3901 `ha_storage` stanzas, and into the top-level configuration. `redirect_addr` 3902 has been renamed to `api_addr`. The stanzas still support accepting 3903 HA-related values to maintain backward compatibility, but top-level values 3904 will take precedence. 3905 * A new `seal` stanza has been added to the configuration file, which is 3906 optional and enables configuration of the seal type to use for additional 3907 data protection, such as using HSM or Cloud KMS solutions to encrypt and 3908 decrypt data. 3909 3910FEATURES: 3911 3912 * **RSA Support for Transit Backend**: Transit backend can now generate RSA 3913 keys which can be used for encryption and signing. [[GH-3489](https://github.com/hashicorp/vault/pull/3489)] 3914 * **Identity System**: Now in open source and with significant enhancements, 3915 Identity is an integrated system for understanding users across tokens and 3916 enabling easier management of users directly and via groups. 3917 * **External Groups in Identity**: Vault can now automatically assign users 3918 and systems to groups in Identity based on their membership in external 3919 groups. 3920 * **Seal Wrap / FIPS 140-2 Compatibility (Enterprise)**: Vault can now take 3921 advantage of FIPS 140-2-certified HSMs to ensure that Critical Security 3922 Parameters are protected in a compliant fashion. Vault's implementation has 3923 received a statement of compliance from Leidos. 3924 * **Control Groups (Enterprise)**: Require multiple members of an Identity 3925 group to authorize a requested action before it is allowed to run. 3926 * **Cloud Auto-Unseal (Enterprise)**: Automatically unseal Vault using AWS KMS 3927 and GCP CKMS. 3928 * **Sentinel Integration (Enterprise)**: Take advantage of HashiCorp Sentinel 3929 to create extremely flexible access control policies -- even on 3930 unauthenticated endpoints. 3931 * **Barrier Rekey Support for Auto-Unseal (Enterprise)**: When using auto-unsealing 3932 functionality, the `rekey` operation is now supported; it uses recovery keys 3933 to authorize the master key rekey. 3934 * **Operation Token for Disaster Recovery Actions (Enterprise)**: When using 3935 Disaster Recovery replication, a token can be created that can be used to 3936 authorize actions such as promotion and updating primary information, rather 3937 than using recovery keys. 3938 * **Trigger Auto-Unseal with Recovery Keys (Enterprise)**: When using 3939 auto-unsealing, a request to unseal Vault can be triggered by a threshold of 3940 recovery keys, rather than requiring the Vault process to be restarted. 3941 * **UI Redesign (Enterprise)**: All new experience for the Vault Enterprise 3942 UI. The look and feel has been completely redesigned to give users a better 3943 experience and make managing secrets fast and easy. 3944 * **UI: SSH Secret Backend (Enterprise)**: Configure an SSH secret backend, 3945 create and browse roles. And use them to sign keys or generate one time 3946 passwords. 3947 * **UI: AWS Secret Backend (Enterprise)**: You can now configure the AWS 3948 backend via the Vault Enterprise UI. In addition you can create roles, 3949 browse the roles and Generate IAM Credentials from them in the UI. 3950 3951IMPROVEMENTS: 3952 3953 * api: Add ability to set custom headers on each call [[GH-3394](https://github.com/hashicorp/vault/pull/3394)] 3954 * command/server: Add config option to disable requesting client certificates 3955 [[GH-3373](https://github.com/hashicorp/vault/pull/3373)] 3956 * auth/aws: Max retries can now be customized for the AWS client [[GH-3965](https://github.com/hashicorp/vault/pull/3965)] 3957 * core: Disallow mounting underneath an existing path, not just over [[GH-2919](https://github.com/hashicorp/vault/pull/2919)] 3958 * physical/file: Use `700` as permissions when creating directories. The files 3959 themselves were `600` and are all encrypted, but this doesn't hurt. 3960 * secret/aws: Add ability to use custom IAM/STS endpoints [[GH-3416](https://github.com/hashicorp/vault/pull/3416)] 3961 * secret/aws: Max retries can now be customized for the AWS client [[GH-3965](https://github.com/hashicorp/vault/pull/3965)] 3962 * secret/cassandra: Work around Cassandra ignoring consistency levels for a 3963 user listing query [[GH-3469](https://github.com/hashicorp/vault/pull/3469)] 3964 * secret/pki: Private keys can now be marshalled as PKCS#8 [[GH-3518](https://github.com/hashicorp/vault/pull/3518)] 3965 * secret/pki: Allow entering URLs for `pki` as both comma-separated strings and JSON 3966 arrays [[GH-3409](https://github.com/hashicorp/vault/pull/3409)] 3967 * secret/ssh: Role TTL/max TTL can now be specified as either a string or an 3968 integer [[GH-3507](https://github.com/hashicorp/vault/pull/3507)] 3969 * secret/transit: Sign and verify operations now support a `none` hash 3970 algorithm to allow signing/verifying pre-hashed data [[GH-3448](https://github.com/hashicorp/vault/pull/3448)] 3971 * secret/database: Add the ability to glob allowed roles in the Database Backend [[GH-3387](https://github.com/hashicorp/vault/pull/3387)] 3972 * ui (enterprise): Support for RSA keys in the transit backend 3973 * ui (enterprise): Support for DR Operation Token generation, promoting, and 3974 updating primary on DR Secondary clusters 3975 3976BUG FIXES: 3977 3978 * api: Fix panic when setting a custom HTTP client but with a nil transport 3979 [[GH-3435](https://github.com/hashicorp/vault/pull/3435)] [[GH-3437](https://github.com/hashicorp/vault/pull/3437)] 3980 * api: Fix authing to the `cert` backend when the CA for the client cert is 3981 not known to the server's listener [[GH-2946](https://github.com/hashicorp/vault/pull/2946)] 3982 * auth/approle: Create role ID index during read if a role is missing one [[GH-3561](https://github.com/hashicorp/vault/pull/3561)] 3983 * auth/aws: Don't allow mutually exclusive options [[GH-3291](https://github.com/hashicorp/vault/pull/3291)] 3984 * auth/radius: Fix logging in in some situations [[GH-3461](https://github.com/hashicorp/vault/pull/3461)] 3985 * core: Fix memleak when a connection would connect to the cluster port and 3986 then go away [[GH-3513](https://github.com/hashicorp/vault/pull/3513)] 3987 * core: Fix panic if a single-use token is used to step-down or seal [[GH-3497](https://github.com/hashicorp/vault/pull/3497)] 3988 * core: Set rather than add headers to prevent some duplicated headers in 3989 responses when requests were forwarded to the active node [[GH-3485](https://github.com/hashicorp/vault/pull/3485)] 3990 * physical/etcd3: Fix some listing issues due to how etcd3 does prefix 3991 matching [[GH-3406](https://github.com/hashicorp/vault/pull/3406)] 3992 * physical/etcd3: Fix case where standbys can lose their etcd client lease 3993 [[GH-3031](https://github.com/hashicorp/vault/pull/3031)] 3994 * physical/file: Fix listing when underscores are the first component of a 3995 path [[GH-3476](https://github.com/hashicorp/vault/pull/3476)] 3996 * plugins: Allow response errors to be returned from backend plugins [[GH-3412](https://github.com/hashicorp/vault/pull/3412)] 3997 * secret/transit: Fix panic if the length of the input ciphertext was less 3998 than the expected nonce length [[GH-3521](https://github.com/hashicorp/vault/pull/3521)] 3999 * ui (enterprise): Reinstate support for generic secret backends - this was 4000 erroneously removed in a previous release 4001 4002## 0.8.3 (September 19th, 2017) 4003 4004CHANGES: 4005 4006 * Policy input/output standardization: For all built-in authentication 4007 backends, policies can now be specified as a comma-delimited string or an 4008 array if using JSON as API input; on read, policies will be returned as an 4009 array; and the `default` policy will not be forcefully added to policies 4010 saved in configurations. Please note that the `default` policy will continue 4011 to be added to generated tokens, however, rather than backends adding 4012 `default` to the given set of input policies (in some cases, and not in 4013 others), the stored set will reflect the user-specified set. 4014 * `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the 4015 endpoint would not modify the Issuer in the generated certificate, leaving 4016 the output self-issued. Although theoretically valid, in practice crypto 4017 stacks were unhappy validating paths containing such certs. As a result, 4018 `sign-self-issued` now encodes the signing CA's Subject DN into the Issuer 4019 DN of the generated certificate. 4020 * `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely 4021 useful in break-glass or support scenarios, it is also extremely dangerous. 4022 As of now, a configuration file option `raw_storage_endpoint` must be set in 4023 order to enable this API endpoint. Once set, the available functionality has 4024 been enhanced slightly; it now supports listing and decrypting most of 4025 Vault's core data structures, except for the encryption keyring itself. 4026 * `generic` is now `kv`: To better reflect its actual use, the `generic` 4027 backend is now `kv`. Using `generic` will still work for backwards 4028 compatibility. 4029 4030FEATURES: 4031 4032 * **GCE Support for GCP Auth**: GCE instances can now authenticate to Vault 4033 using machine credentials. 4034 * **Support for Kubernetes Service Account Auth**: Kubernetes Service Accounts 4035 can now authenticate to vault using JWT tokens. 4036 4037IMPROVEMENTS: 4038 4039 * configuration: Provide a config option to store Vault server's process ID 4040 (PID) in a file [[GH-3321](https://github.com/hashicorp/vault/pull/3321)] 4041 * mfa (Enterprise): Add the ability to use identity metadata in username format 4042 * mfa/okta (Enterprise): Add support for configuring base_url for API calls 4043 * secret/pki: `sign-intermediate` will now allow specifying a `ttl` value 4044 longer than the signing CA certificate's NotAfter value. [[GH-3325](https://github.com/hashicorp/vault/pull/3325)] 4045 * sys/raw: Raw storage access is now disabled by default [[GH-3329](https://github.com/hashicorp/vault/pull/3329)] 4046 4047BUG FIXES: 4048 4049 * auth/okta: Fix regression that removed the ability to set base_url [[GH-3313](https://github.com/hashicorp/vault/pull/3313)] 4050 * core: Fix panic while loading leases at startup on ARM processors 4051 [[GH-3314](https://github.com/hashicorp/vault/pull/3314)] 4052 * secret/pki: Fix `sign-self-issued` encoding the wrong subject public key 4053 [[GH-3325](https://github.com/hashicorp/vault/pull/3325)] 4054 4055## 0.8.2.1 (September 11th, 2017) (Enterprise Only) 4056 4057BUG FIXES: 4058 4059 * Fix an issue upgrading to 0.8.2 for Enterprise customers. 4060 4061## 0.8.2 (September 5th, 2017) 4062 4063SECURITY: 4064 4065* In prior versions of Vault, if authenticating via AWS IAM and requesting a 4066 periodic token, the period was not properly respected. This could lead to 4067 tokens expiring unexpectedly, or a token lifetime being longer than expected. 4068 Upon token renewal with Vault 0.8.2 the period will be properly enforced. 4069 4070DEPRECATIONS/CHANGES: 4071 4072* `vault ssh` users should supply `-mode` and `-role` to reduce the number of 4073 API calls. A future version of Vault will mark these optional values are 4074 required. Failure to supply `-mode` or `-role` will result in a warning. 4075* Vault plugins will first briefly run a restricted version of the plugin to 4076 fetch metadata, and then lazy-load the plugin on first request to prevent 4077 crash/deadlock of Vault during the unseal process. Plugins will need to be 4078 built with the latest changes in order for them to run properly. 4079 4080FEATURES: 4081 4082* **Lazy Lease Loading**: On startup, Vault will now load leases from storage 4083 in a lazy fashion (token checks and revocation/renewal requests still force 4084 an immediate load). For larger installations this can significantly reduce 4085 downtime when switching active nodes or bringing Vault up from cold start. 4086* **SSH CA Login with `vault ssh`**: `vault ssh` now supports the SSH CA 4087 backend for authenticating to machines. It also supports remote host key 4088 verification through the SSH CA backend, if enabled. 4089* **Signing of Self-Issued Certs in PKI**: The `pki` backend now supports 4090 signing self-issued CA certs. This is useful when switching root CAs. 4091 4092IMPROVEMENTS: 4093 4094 * audit/file: Allow specifying `stdout` as the `file_path` to log to standard 4095 output [[GH-3235](https://github.com/hashicorp/vault/pull/3235)] 4096 * auth/aws: Allow wildcards in `bound_iam_principal_arn` [[GH-3213](https://github.com/hashicorp/vault/pull/3213)] 4097 * auth/okta: Compare groups case-insensitively since Okta is only 4098 case-preserving [[GH-3240](https://github.com/hashicorp/vault/pull/3240)] 4099 * auth/okta: Standardize Okta configuration APIs across backends [[GH-3245](https://github.com/hashicorp/vault/pull/3245)] 4100 * cli: Add subcommand autocompletion that can be enabled with 4101 `vault -autocomplete-install` [[GH-3223](https://github.com/hashicorp/vault/pull/3223)] 4102 * cli: Add ability to handle wrapped responses when using `vault auth`. What 4103 is output depends on the other given flags; see the help output for that 4104 command for more information. [[GH-3263](https://github.com/hashicorp/vault/pull/3263)] 4105 * core: TLS cipher suites used for cluster behavior can now be set via 4106 `cluster_cipher_suites` in configuration [[GH-3228](https://github.com/hashicorp/vault/pull/3228)] 4107 * core: The `plugin_name` can now either be specified directly as part of the 4108 parameter or within the `config` object when mounting a secret or auth backend 4109 via `sys/mounts/:path` or `sys/auth/:path` respectively [[GH-3202](https://github.com/hashicorp/vault/pull/3202)] 4110 * core: It is now possible to update the `description` of a mount when 4111 mount-tuning, although this must be done through the HTTP layer [[GH-3285](https://github.com/hashicorp/vault/pull/3285)] 4112 * secret/databases/mongo: If an EOF is encountered, attempt reconnecting and 4113 retrying the operation [[GH-3269](https://github.com/hashicorp/vault/pull/3269)] 4114 * secret/pki: TTLs can now be specified as a string or an integer number of 4115 seconds [[GH-3270](https://github.com/hashicorp/vault/pull/3270)] 4116 * secret/pki: Self-issued certs can now be signed via 4117 `pki/root/sign-self-issued` [[GH-3274](https://github.com/hashicorp/vault/pull/3274)] 4118 * storage/gcp: Use application default credentials if they exist [[GH-3248](https://github.com/hashicorp/vault/pull/3248)] 4119 4120BUG FIXES: 4121 4122 * auth/aws: Properly use role-set period values for IAM-derived token renewals 4123 [[GH-3220](https://github.com/hashicorp/vault/pull/3220)] 4124 * auth/okta: Fix updating organization/ttl/max_ttl after initial setting 4125 [[GH-3236](https://github.com/hashicorp/vault/pull/3236)] 4126 * core: Fix PROXY when underlying connection is TLS [[GH-3195](https://github.com/hashicorp/vault/pull/3195)] 4127 * core: Policy-related commands would sometimes fail to act case-insensitively 4128 [[GH-3210](https://github.com/hashicorp/vault/pull/3210)] 4129 * storage/consul: Fix parsing TLS configuration when using a bare IPv6 address 4130 [[GH-3268](https://github.com/hashicorp/vault/pull/3268)] 4131 * plugins: Lazy-load plugins to prevent crash/deadlock during unseal process. 4132 [[GH-3255](https://github.com/hashicorp/vault/pull/3255)] 4133 * plugins: Skip mounting plugin-based secret and credential mounts when setting 4134 up mounts if the plugin is no longer present in the catalog. [[GH-3255](https://github.com/hashicorp/vault/pull/3255)] 4135 4136## 0.8.1 (August 16th, 2017) 4137 4138DEPRECATIONS/CHANGES: 4139 4140 * PKI Root Generation: Calling `pki/root/generate` when a CA cert/key already 4141 exists will now return a `204` instead of overwriting an existing root. If 4142 you want to recreate the root, first run a delete operation on `pki/root` 4143 (requires `sudo` capability), then generate it again. 4144 4145FEATURES: 4146 4147 * **Oracle Secret Backend**: There is now an external plugin to support leased 4148 credentials for Oracle databases (distributed separately). 4149 * **GCP IAM Auth Backend**: There is now an authentication backend that allows 4150 using GCP IAM credentials to retrieve Vault tokens. This is available as 4151 both a plugin and built-in to Vault. 4152 * **PingID Push Support for Path-Based MFA (Enterprise)**: PingID Push can 4153 now be used for MFA with the new path-based MFA introduced in Vault 4154 Enterprise 0.8. 4155 * **Permitted DNS Domains Support in PKI**: The `pki` backend now supports 4156 specifying permitted DNS domains for CA certificates, allowing you to 4157 narrowly scope the set of domains for which a CA can issue or sign child 4158 certificates. 4159 * **Plugin Backend Reload Endpoint**: Plugin backends can now be triggered to 4160 reload using the `sys/plugins/reload/backend` endpoint and providing either 4161 the plugin name or the mounts to reload. 4162 * **Self-Reloading Plugins**: The plugin system will now attempt to reload a 4163 crashed or stopped plugin, once per request. 4164 4165IMPROVEMENTS: 4166 4167 * auth/approle: Allow array input for policies in addition to comma-delimited 4168 strings [[GH-3163](https://github.com/hashicorp/vault/pull/3163)] 4169 * plugins: Send logs through Vault's logger rather than stdout [[GH-3142](https://github.com/hashicorp/vault/pull/3142)] 4170 * secret/pki: Add `pki/root` delete operation [[GH-3165](https://github.com/hashicorp/vault/pull/3165)] 4171 * secret/pki: Don't overwrite an existing root cert/key when calling generate 4172 [[GH-3165](https://github.com/hashicorp/vault/pull/3165)] 4173 4174BUG FIXES: 4175 4176 * aws: Don't prefer a nil HTTP client over an existing one [[GH-3159](https://github.com/hashicorp/vault/pull/3159)] 4177 * core: If there is an error when checking for create/update existence, return 4178 500 instead of 400 [[GH-3162](https://github.com/hashicorp/vault/pull/3162)] 4179 * secret/database: Avoid creating usernames that are too long for legacy MySQL 4180 [[GH-3138](https://github.com/hashicorp/vault/pull/3138)] 4181 4182## 0.8.0 (August 9th, 2017) 4183 4184SECURITY: 4185 4186 * We've added a note to the docs about the way the GitHub auth backend works 4187 as it may not be readily apparent that GitHub personal access tokens, which 4188 are used by the backend, can be used for unauthorized access if they are 4189 stolen from third party services and access to Vault is public. 4190 4191DEPRECATIONS/CHANGES: 4192 4193 * Database Plugin Backends: Passwords generated for these backends now 4194 enforce stricter password requirements, as opposed to the previous behavior 4195 of returning a randomized UUID. Passwords are of length 20, and have a `A1a-` 4196 characters prepended to ensure stricter requirements. No regressions are 4197 expected from this change. (For database backends that were previously 4198 substituting underscores for hyphens in passwords, this will remain the 4199 case.) 4200 * Lease Endpoints: The endpoints `sys/renew`, `sys/revoke`, `sys/revoke-prefix`, 4201 `sys/revoke-force` have been deprecated and relocated under `sys/leases`. 4202 Additionally, the deprecated path `sys/revoke-force` now requires the `sudo` 4203 capability. 4204 * Response Wrapping Lookup Unauthenticated: The `sys/wrapping/lookup` endpoint 4205 is now unauthenticated. This allows introspection of the wrapping info by 4206 clients that only have the wrapping token without then invalidating the 4207 token. Validation functions/checks are still performed on the token. 4208 4209FEATURES: 4210 4211 * **Cassandra Storage**: Cassandra can now be used for Vault storage 4212 * **CockroachDB Storage**: CockroachDB can now be used for Vault storage 4213 * **CouchDB Storage**: CouchDB can now be used for Vault storage 4214 * **SAP HANA Database Plugin**: The `databases` backend can now manage users 4215 for SAP HANA databases 4216 * **Plugin Backends**: Vault now supports running secret and auth backends as 4217 plugins. Plugins can be mounted like normal backends and can be developed 4218 independently from Vault. 4219 * **PROXY Protocol Support** Vault listeners can now be configured to honor 4220 PROXY protocol v1 information to allow passing real client IPs into Vault. A 4221 list of authorized addresses (IPs or subnets) can be defined and 4222 accept/reject behavior controlled. 4223 * **Lease Lookup and Browsing in the Vault Enterprise UI**: Vault Enterprise UI 4224 now supports lookup and listing of leases and the associated actions from the 4225 `sys/leases` endpoints in the API. These are located in the new top level 4226 navigation item "Leases". 4227 * **Filtered Mounts for Performance Mode Replication**: Whitelists or 4228 blacklists of mounts can be defined per-secondary to control which mounts 4229 are actually replicated to that secondary. This can allow targeted 4230 replication of specific sets of data to specific geolocations/datacenters. 4231 * **Disaster Recovery Mode Replication (Enterprise Only)**: There is a new 4232 replication mode, Disaster Recovery (DR), that performs full real-time 4233 replication (including tokens and leases) to DR secondaries. DR secondaries 4234 cannot handle client requests, but can be promoted to primary as needed for 4235 failover. 4236 * **Manage New Replication Features in the Vault Enterprise UI**: Support for 4237 Replication features in Vault Enterprise UI has expanded to include new DR 4238 Replication mode and management of Filtered Mounts in Performance Replication 4239 mode. 4240 * **Vault Identity (Enterprise Only)**: Vault's new Identity system allows 4241 correlation of users across tokens. At present this is only used for MFA, 4242 but will be the foundation of many other features going forward. 4243 * **Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise 4244 Only)**: A brand new MFA system built on top of Identity allows MFA 4245 (currently Duo Push, Okta Push, and TOTP) for any authenticated path within 4246 Vault. MFA methods can be configured centrally, and TOTP keys live within 4247 the user's Identity information to allow using the same key across tokens. 4248 Specific MFA method(s) required for any given path within Vault can be 4249 specified in normal ACL path statements. 4250 4251IMPROVEMENTS: 4252 4253 * api: Add client method for a secret renewer background process [[GH-2886](https://github.com/hashicorp/vault/pull/2886)] 4254 * api: Add `RenewTokenAsSelf` [[GH-2886](https://github.com/hashicorp/vault/pull/2886)] 4255 * api: Client timeout can now be adjusted with the `VAULT_CLIENT_TIMEOUT` env 4256 var or with a new API function [[GH-2956](https://github.com/hashicorp/vault/pull/2956)] 4257 * api/cli: Client will now attempt to look up SRV records for the given Vault 4258 hostname [[GH-3035](https://github.com/hashicorp/vault/pull/3035)] 4259 * audit/socket: Enhance reconnection logic and don't require the connection to 4260 be established at unseal time [[GH-2934](https://github.com/hashicorp/vault/pull/2934)] 4261 * audit/file: Opportunistically try re-opening the file on error [[GH-2999](https://github.com/hashicorp/vault/pull/2999)] 4262 * auth/approle: Add role name to token metadata [[GH-2985](https://github.com/hashicorp/vault/pull/2985)] 4263 * auth/okta: Allow specifying `ttl`/`max_ttl` inside the mount [[GH-2915](https://github.com/hashicorp/vault/pull/2915)] 4264 * cli: Client timeout can now be adjusted with the `VAULT_CLIENT_TIMEOUT` env 4265 var [[GH-2956](https://github.com/hashicorp/vault/pull/2956)] 4266 * command/auth: Add `-token-only` flag to `vault auth` that returns only the 4267 token on stdout and does not store it via the token helper [[GH-2855](https://github.com/hashicorp/vault/pull/2855)] 4268 * core: CORS allowed origins can now be configured [[GH-2021](https://github.com/hashicorp/vault/pull/2021)] 4269 * core: Add metrics counters for audit log failures [[GH-2863](https://github.com/hashicorp/vault/pull/2863)] 4270 * cors: Allow setting allowed headers via the API instead of always using 4271 wildcard [[GH-3023](https://github.com/hashicorp/vault/pull/3023)] 4272 * secret/ssh: Allow specifying the key ID format using template values for CA 4273 type [[GH-2888](https://github.com/hashicorp/vault/pull/2888)] 4274 * server: Add `tls_client_ca_file` option for specifying a CA file to use for 4275 client certificate verification when `tls_require_and_verify_client_cert` is 4276 enabled [[GH-3034](https://github.com/hashicorp/vault/pull/3034)] 4277 * storage/cockroachdb: Add CockroachDB storage backend [[GH-2713](https://github.com/hashicorp/vault/pull/2713)] 4278 * storage/couchdb: Add CouchDB storage backend [[GH-2880](https://github.com/hashicorp/vault/pull/2880)] 4279 * storage/mssql: Add `max_parallel` [[GH-3026](https://github.com/hashicorp/vault/pull/3026)] 4280 * storage/postgresql: Add `max_parallel` [[GH-3026](https://github.com/hashicorp/vault/pull/3026)] 4281 * storage/postgresql: Improve listing speed [[GH-2945](https://github.com/hashicorp/vault/pull/2945)] 4282 * storage/s3: More efficient paging when an object has a lot of subobjects 4283 [[GH-2780](https://github.com/hashicorp/vault/pull/2780)] 4284 * sys/wrapping: Make `sys/wrapping/lookup` unauthenticated [[GH-3084](https://github.com/hashicorp/vault/pull/3084)] 4285 * sys/wrapping: Wrapped tokens now store the original request path of the data 4286 [[GH-3100](https://github.com/hashicorp/vault/pull/3100)] 4287 * telemetry: Add support for DogStatsD [[GH-2490](https://github.com/hashicorp/vault/pull/2490)] 4288 4289BUG FIXES: 4290 4291 * api/health: Don't treat standby `429` codes as an error [[GH-2850](https://github.com/hashicorp/vault/pull/2850)] 4292 * api/leases: Fix lease lookup returning lease properties at the top level 4293 * audit: Fix panic when audit logging a read operation on an asymmetric 4294 `transit` key [[GH-2958](https://github.com/hashicorp/vault/pull/2958)] 4295 * auth/approle: Fix panic when secret and cidr list not provided in role 4296 [[GH-3075](https://github.com/hashicorp/vault/pull/3075)] 4297 * auth/aws: Look up proper account ID on token renew [[GH-3012](https://github.com/hashicorp/vault/pull/3012)] 4298 * auth/aws: Store IAM header in all cases when it changes [[GH-3004](https://github.com/hashicorp/vault/pull/3004)] 4299 * auth/ldap: Verify given certificate is PEM encoded instead of failing 4300 silently [[GH-3016](https://github.com/hashicorp/vault/pull/3016)] 4301 * auth/token: Don't allow using the same token ID twice when manually 4302 specifying [[GH-2916](https://github.com/hashicorp/vault/pull/2916)] 4303 * cli: Fix issue with parsing keys that start with special characters [[GH-2998](https://github.com/hashicorp/vault/pull/2998)] 4304 * core: Relocated `sys/leases/renew` returns same payload as original 4305 `sys/leases` endpoint [[GH-2891](https://github.com/hashicorp/vault/pull/2891)] 4306 * secret/ssh: Fix panic when signing with incorrect key type [[GH-3072](https://github.com/hashicorp/vault/pull/3072)] 4307 * secret/totp: Ensure codes can only be used once. This makes some automated 4308 workflows harder but complies with the RFC. [[GH-2908](https://github.com/hashicorp/vault/pull/2908)] 4309 * secret/transit: Fix locking when creating a key with unsupported options 4310 [[GH-2974](https://github.com/hashicorp/vault/pull/2974)] 4311 4312## 0.7.3 (June 7th, 2017) 4313 4314SECURITY: 4315 4316 * Cert auth backend now checks validity of individual certificates: In 4317 previous versions of Vault, validity (e.g. expiration) of individual leaf 4318 certificates added for authentication was not checked. This was done to make 4319 it easier for administrators to control lifecycles of individual 4320 certificates added to the backend, e.g. the authentication material being 4321 checked was access to that specific certificate's private key rather than 4322 all private keys signed by a CA. However, this behavior is often unexpected 4323 and as a result can lead to insecure deployments, so we are now validating 4324 these certificates as well. 4325 * App-ID path salting was skipped in 0.7.1/0.7.2: A regression in 0.7.1/0.7.2 4326 caused the HMACing of any App-ID information stored in paths (including 4327 actual app-IDs and user-IDs) to be unsalted and written as-is from the API. 4328 In 0.7.3 any such paths will be automatically changed to salted versions on 4329 access (e.g. login or read); however, if you created new app-IDs or user-IDs 4330 in 0.7.1/0.7.2, you may want to consider whether any users with access to 4331 Vault's underlying data store may have intercepted these values, and 4332 revoke/roll them. 4333 4334DEPRECATIONS/CHANGES: 4335 4336 * Step-Down is Forwarded: When a step-down is issued against a non-active node 4337 in an HA cluster, it will now forward the request to the active node. 4338 4339FEATURES: 4340 4341 * **ed25519 Signing/Verification in Transit with Key Derivation**: The 4342 `transit` backend now supports generating 4343 [ed25519](https://ed25519.cr.yp.to/) keys for signing and verification 4344 functionality. These keys support derivation, allowing you to modify the 4345 actual encryption key used by supplying a `context` value. 4346 * **Key Version Specification for Encryption in Transit**: You can now specify 4347 the version of a key you use to wish to generate a signature, ciphertext, or 4348 HMAC. This can be controlled by the `min_encryption_version` key 4349 configuration property. 4350 * **Replication Primary Discovery (Enterprise)**: Replication primaries will 4351 now advertise the addresses of their local HA cluster members to replication 4352 secondaries. This helps recovery if the primary active node goes down and 4353 neither service discovery nor load balancers are in use to steer clients. 4354 4355IMPROVEMENTS: 4356 4357 * api/health: Add Sys().Health() [[GH-2805](https://github.com/hashicorp/vault/pull/2805)] 4358 * audit: Add auth information to requests that error out [[GH-2754](https://github.com/hashicorp/vault/pull/2754)] 4359 * command/auth: Add `-no-store` option that prevents the auth command from 4360 storing the returned token into the configured token helper [[GH-2809](https://github.com/hashicorp/vault/pull/2809)] 4361 * core/forwarding: Request forwarding now heartbeats to prevent unused 4362 connections from being terminated by firewalls or proxies 4363 * plugins/databases: Add MongoDB as an internal database plugin [[GH-2698](https://github.com/hashicorp/vault/pull/2698)] 4364 * storage/dynamodb: Add a method for checking the existence of children, 4365 speeding up deletion operations in the DynamoDB storage backend [[GH-2722](https://github.com/hashicorp/vault/pull/2722)] 4366 * storage/mysql: Add max_parallel parameter to MySQL backend [[GH-2760](https://github.com/hashicorp/vault/pull/2760)] 4367 * secret/databases: Support listing connections [[GH-2823](https://github.com/hashicorp/vault/pull/2823)] 4368 * secret/databases: Support custom renewal statements in Postgres database 4369 plugin [[GH-2788](https://github.com/hashicorp/vault/pull/2788)] 4370 * secret/databases: Use the role name as part of generated credentials 4371 [[GH-2812](https://github.com/hashicorp/vault/pull/2812)] 4372 * ui (Enterprise): Transit key and secret browsing UI handle large lists better 4373 * ui (Enterprise): root tokens are no longer persisted 4374 * ui (Enterprise): support for mounting Database and TOTP secret backends 4375 4376BUG FIXES: 4377 4378 * auth/app-id: Fix regression causing loading of salts to be skipped 4379 * auth/aws: Improve EC2 describe instances performance [[GH-2766](https://github.com/hashicorp/vault/pull/2766)] 4380 * auth/aws: Fix lookup of some instance profile ARNs [[GH-2802](https://github.com/hashicorp/vault/pull/2802)] 4381 * auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at various 4382 points (e.g. renewal time) more robust [[GH-2814](https://github.com/hashicorp/vault/pull/2814)] 4383 * auth/aws: Properly honor configured period when using IAM authentication 4384 [[GH-2825](https://github.com/hashicorp/vault/pull/2825)] 4385 * auth/aws: Check that a bound IAM principal is not empty (in the current 4386 state of the role) before requiring it match the previously authenticated 4387 client [[GH-2781](https://github.com/hashicorp/vault/pull/2781)] 4388 * auth/cert: Fix panic on renewal [[GH-2749](https://github.com/hashicorp/vault/pull/2749)] 4389 * auth/cert: Certificate verification for non-CA certs [[GH-2761](https://github.com/hashicorp/vault/pull/2761)] 4390 * core/acl: Prevent race condition when compiling ACLs in some scenarios 4391 [[GH-2826](https://github.com/hashicorp/vault/pull/2826)] 4392 * secret/database: Increase wrapping token TTL; in a loaded scenario it could 4393 be too short 4394 * secret/generic: Allow integers to be set as the value of `ttl` field as the 4395 documentation claims is supported [[GH-2699](https://github.com/hashicorp/vault/pull/2699)] 4396 * secret/ssh: Added host key callback to ssh client config [[GH-2752](https://github.com/hashicorp/vault/pull/2752)] 4397 * storage/s3: Avoid a panic when some bad data is returned [[GH-2785](https://github.com/hashicorp/vault/pull/2785)] 4398 * storage/dynamodb: Fix list functions working improperly on Windows [[GH-2789](https://github.com/hashicorp/vault/pull/2789)] 4399 * storage/file: Don't leak file descriptors in some error cases 4400 * storage/swift: Fix pre-v3 project/tenant name reading [[GH-2803](https://github.com/hashicorp/vault/pull/2803)] 4401 4402## 0.7.2 (May 8th, 2017) 4403 4404BUG FIXES: 4405 4406 * audit: Fix auditing entries containing certain kinds of time values 4407 [[GH-2689](https://github.com/hashicorp/vault/pull/2689)] 4408 4409## 0.7.1 (May 5th, 2017) 4410 4411DEPRECATIONS/CHANGES: 4412 4413 * LDAP Auth Backend: Group membership queries will now run as the `binddn` 4414 user when `binddn`/`bindpass` are configured, rather than as the 4415 authenticating user as was the case previously. 4416 4417FEATURES: 4418 4419 * **AWS IAM Authentication**: IAM principals can get Vault tokens 4420 automatically, opening AWS-based authentication to users, ECS containers, 4421 Lambda instances, and more. Signed client identity information retrieved 4422 using the AWS API `sts:GetCallerIdentity` is validated against the AWS STS 4423 service before issuing a Vault token. This backend is unified with the 4424 `aws-ec2` authentication backend under the name `aws`, and allows additional 4425 EC2-related restrictions to be applied during the IAM authentication; the 4426 previous EC2 behavior is also still available. [[GH-2441](https://github.com/hashicorp/vault/pull/2441)] 4427 * **MSSQL Physical Backend**: You can now use Microsoft SQL Server as your 4428 Vault physical data store [[GH-2546](https://github.com/hashicorp/vault/pull/2546)] 4429 * **Lease Listing and Lookup**: You can now introspect a lease to get its 4430 creation and expiration properties via `sys/leases/lookup`; with `sudo` 4431 capability you can also list leases for lookup, renewal, or revocation via 4432 that endpoint. Various lease functions (renew, revoke, revoke-prefix, 4433 revoke-force) have also been relocated to `sys/leases/`, but they also work 4434 at the old paths for compatibility. Reading (but not listing) leases via 4435 `sys/leases/lookup` is now a part of the current `default` policy. [[GH-2650](https://github.com/hashicorp/vault/pull/2650)] 4436 * **TOTP Secret Backend**: You can now store multi-factor authentication keys 4437 in Vault and use the API to retrieve time-based one-time use passwords on 4438 demand. The backend can also be used to generate a new key and validate 4439 passwords generated by that key. [[GH-2492](https://github.com/hashicorp/vault/pull/2492)] 4440 * **Database Secret Backend & Secure Plugins (Beta)**: This new secret backend 4441 combines the functionality of the MySQL, PostgreSQL, MSSQL, and Cassandra 4442 backends. It also provides a plugin interface for extendability through 4443 custom databases. [[GH-2200](https://github.com/hashicorp/vault/pull/2200)] 4444 4445IMPROVEMENTS: 4446 4447 * auth/cert: Support for constraints on subject Common Name and DNS/email 4448 Subject Alternate Names in certificates [[GH-2595](https://github.com/hashicorp/vault/pull/2595)] 4449 * auth/ldap: Use the binding credentials to search group membership rather 4450 than the user credentials [[GH-2534](https://github.com/hashicorp/vault/pull/2534)] 4451 * cli/revoke: Add `-self` option to allow revoking the currently active token 4452 [[GH-2596](https://github.com/hashicorp/vault/pull/2596)] 4453 * core: Randomize x coordinate in Shamir shares [[GH-2621](https://github.com/hashicorp/vault/pull/2621)] 4454 * replication: Fix a bug when enabling `approle` on a primary before 4455 secondaries were connected 4456 * replication: Add heartbeating to ensure firewalls don't kill connections to 4457 primaries 4458 * secret/pki: Add `no_store` option that allows certificates to be issued 4459 without being stored. This removes the ability to look up and/or add to a 4460 CRL but helps with scaling to very large numbers of certificates. [[GH-2565](https://github.com/hashicorp/vault/pull/2565)] 4461 * secret/pki: If used with a role parameter, the `sign-verbatim/<role>` 4462 endpoint honors the values of `generate_lease`, `no_store`, `ttl` and 4463 `max_ttl` from the given role [[GH-2593](https://github.com/hashicorp/vault/pull/2593)] 4464 * secret/pki: Add role parameter `allow_glob_domains` that enables defining 4465 names in `allowed_domains` containing `*` glob patterns [[GH-2517](https://github.com/hashicorp/vault/pull/2517)] 4466 * secret/pki: Update certificate storage to not use characters that are not 4467 supported on some filesystems [[GH-2575](https://github.com/hashicorp/vault/pull/2575)] 4468 * storage/etcd3: Add `discovery_srv` option to query for SRV records to find 4469 servers [[GH-2521](https://github.com/hashicorp/vault/pull/2521)] 4470 * storage/s3: Support `max_parallel` option to limit concurrent outstanding 4471 requests [[GH-2466](https://github.com/hashicorp/vault/pull/2466)] 4472 * storage/s3: Use pooled transport for http client [[GH-2481](https://github.com/hashicorp/vault/pull/2481)] 4473 * storage/swift: Allow domain values for V3 authentication [[GH-2554](https://github.com/hashicorp/vault/pull/2554)] 4474 * tidy: Improvements to `auth/token/tidy` and `sys/leases/tidy` to handle more 4475 cleanup cases [[GH-2452](https://github.com/hashicorp/vault/pull/2452)] 4476 4477BUG FIXES: 4478 4479 * api: Respect a configured path in Vault's address [[GH-2588](https://github.com/hashicorp/vault/pull/2588)] 4480 * auth/aws-ec2: New bounds added as criteria to allow role creation [[GH-2600](https://github.com/hashicorp/vault/pull/2600)] 4481 * auth/ldap: Don't lowercase groups attached to users [[GH-2613](https://github.com/hashicorp/vault/pull/2613)] 4482 * cli: Don't panic if `vault write` is used with the `force` flag but no path 4483 [[GH-2674](https://github.com/hashicorp/vault/pull/2674)] 4484 * core: Help operations should request forward since standbys may not have 4485 appropriate info [[GH-2677](https://github.com/hashicorp/vault/pull/2677)] 4486 * replication: Fix enabling secondaries when certain mounts already existed on 4487 the primary 4488 * secret/mssql: Update mssql driver to support queries with colons [[GH-2610](https://github.com/hashicorp/vault/pull/2610)] 4489 * secret/pki: Don't lowercase O/OU values in certs [[GH-2555](https://github.com/hashicorp/vault/pull/2555)] 4490 * secret/pki: Don't attempt to validate IP SANs if none are provided [[GH-2574](https://github.com/hashicorp/vault/pull/2574)] 4491 * secret/ssh: Don't automatically lowercase principles in issued SSH certs 4492 [[GH-2591](https://github.com/hashicorp/vault/pull/2591)] 4493 * storage/consul: Properly handle state events rather than timing out 4494 [[GH-2548](https://github.com/hashicorp/vault/pull/2548)] 4495 * storage/etcd3: Ensure locks are released if client is improperly shut down 4496 [[GH-2526](https://github.com/hashicorp/vault/pull/2526)] 4497 4498## 0.7.0 (March 21th, 2017) 4499 4500SECURITY: 4501 4502 * Common name not being validated when `exclude_cn_from_sans` option used in 4503 `pki` backend: When using a role in the `pki` backend that specified the 4504 `exclude_cn_from_sans` option, the common name would not then be properly 4505 validated against the role's constraints. This has been fixed. We recommend 4506 any users of this feature to upgrade to 0.7 as soon as feasible. 4507 4508DEPRECATIONS/CHANGES: 4509 4510 * List Operations Always Use Trailing Slash: Any list operation, whether via 4511 the `GET` or `LIST` HTTP verb, will now internally canonicalize the path to 4512 have a trailing slash. This makes policy writing more predictable, as it 4513 means clients will no longer work or fail based on which client they're 4514 using or which HTTP verb they're using. However, it also means that policies 4515 allowing `list` capability must be carefully checked to ensure that they 4516 contain a trailing slash; some policies may need to be split into multiple 4517 stanzas to accommodate. 4518 * PKI Defaults to Unleased Certificates: When issuing certificates from the 4519 PKI backend, by default, no leases will be issued. If you want to manually 4520 revoke a certificate, its serial number can be used with the `pki/revoke` 4521 endpoint. Issuing leases is still possible by enabling the `generate_lease` 4522 toggle in PKI role entries (this will default to `true` for upgrades, to 4523 keep existing behavior), which will allow using lease IDs to revoke 4524 certificates. For installations issuing large numbers of certificates (tens 4525 to hundreds of thousands, or millions), this will significantly improve 4526 Vault startup time since leases associated with these certificates will not 4527 have to be loaded; however note that it also means that revocation of a 4528 token used to issue certificates will no longer add these certificates to a 4529 CRL. If this behavior is desired or needed, consider keeping leases enabled 4530 and ensuring lifetimes are reasonable, and issue long-lived certificates via 4531 a different role with leases disabled. 4532 4533FEATURES: 4534 4535 * **Replication (Enterprise)**: Vault Enterprise now has support for creating 4536 a multi-datacenter replication set between clusters. The current replication 4537 offering is based on an asynchronous primary/secondary (1:N) model that 4538 replicates static data while keeping dynamic data (leases, tokens) 4539 cluster-local, focusing on horizontal scaling for high-throughput and 4540 high-fanout deployments. 4541 * **Response Wrapping & Replication in the Vault Enterprise UI**: Vault 4542 Enterprise UI now supports looking up and rotating response wrapping tokens, 4543 as well as creating tokens with arbitrary values inside. It also now 4544 supports replication functionality, enabling the configuration of a 4545 replication set in the UI. 4546 * **Expanded Access Control Policies**: Access control policies can now 4547 specify allowed and denied parameters -- and, optionally, their values -- to 4548 control what a client can and cannot submit during an API call. Policies can 4549 also specify minimum/maximum response wrapping TTLs to both enforce the use 4550 of response wrapping and control the duration of resultant wrapping tokens. 4551 See the [policies concepts 4552 page](https://www.vaultproject.io/docs/concepts/policies.html) for more 4553 information. 4554 * **SSH Backend As Certificate Authority**: The SSH backend can now be 4555 configured to sign host and user certificates. Each mount of the backend 4556 acts as an independent signing authority. The CA key pair can be configured 4557 for each mount and the public key is accessible via an unauthenticated API 4558 call; additionally, the backend can generate a public/private key pair for 4559 you. We recommend using separate mounts for signing host and user 4560 certificates. 4561 4562IMPROVEMENTS: 4563 4564 * api/request: Passing username and password information in API request 4565 [GH-2469] 4566 * audit: Logging the token's use count with authentication response and 4567 logging the remaining uses of the client token with request [GH-2437] 4568 * auth/approle: Support for restricting the number of uses on the tokens 4569 issued [GH-2435] 4570 * auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID, 4571 Subnet ID and Region [GH-2407] 4572 * auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the 4573 username if not explicitly set on the command line when authenticating 4574 [GH-2154] 4575 * audit: Support adding a configurable prefix (such as `@cee`) before each 4576 line [GH-2359] 4577 * core: Canonicalize list operations to use a trailing slash [GH-2390] 4578 * core: Add option to disable caching on a per-mount level [GH-2455] 4579 * core: Add ability to require valid client certs in listener config [GH-2457] 4580 * physical/dynamodb: Implement a session timeout to avoid having to use 4581 recovery mode in the case of an unclean shutdown, which makes HA much safer 4582 [GH-2141] 4583 * secret/pki: O (Organization) values can now be set to role-defined values 4584 for issued/signed certificates [GH-2369] 4585 * secret/pki: Certificates issued/signed from PKI backend do not generate 4586 leases by default [GH-2403] 4587 * secret/pki: When using DER format, still return the private key type 4588 [GH-2405] 4589 * secret/pki: Add an intermediate to the CA chain even if it lacks an 4590 authority key ID [GH-2465] 4591 * secret/pki: Add role option to use CSR SANs [GH-2489] 4592 * secret/ssh: SSH backend as CA to sign user and host certificates [GH-2208] 4593 * secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint 4594 and also return it when CA key pair is generated [GH-2483] 4595 4596BUG FIXES: 4597 4598 * audit: When auditing headers use case-insensitive comparisons [GH-2362] 4599 * auth/aws-ec2: Return role period in seconds and not nanoseconds [GH-2374] 4600 * auth/okta: Fix panic if user had no local groups and/or policies set 4601 [GH-2367] 4602 * command/server: Fix parsing of redirect address when port is not mentioned 4603 [GH-2354] 4604 * physical/postgresql: Fix listing returning incorrect results if there were 4605 multiple levels of children [GH-2393] 4606 4607## 0.6.5 (February 7th, 2017) 4608 4609FEATURES: 4610 4611 * **Okta Authentication**: A new Okta authentication backend allows you to use 4612 Okta usernames and passwords to authenticate to Vault. If provided with an 4613 appropriate Okta API token, group membership can be queried to assign 4614 policies; users and groups can be defined locally as well. 4615 * **RADIUS Authentication**: A new RADIUS authentication backend allows using 4616 a RADIUS server to authenticate to Vault. Policies can be configured for 4617 specific users or for any authenticated user. 4618 * **Exportable Transit Keys**: Keys in `transit` can now be marked as 4619 `exportable` at creation time. This allows a properly ACL'd user to retrieve 4620 the associated signing key, encryption key, or HMAC key. The `exportable` 4621 value is returned on a key policy read and cannot be changed, so if a key is 4622 marked `exportable` it will always be exportable, and if it is not it will 4623 never be exportable. 4624 * **Batch Transit Operations**: `encrypt`, `decrypt` and `rewrap` operations 4625 in the transit backend now support processing multiple input items in one 4626 call, returning the output of each item in the response. 4627 * **Configurable Audited HTTP Headers**: You can now specify headers that you 4628 want to have included in each audit entry, along with whether each header 4629 should be HMAC'd or kept plaintext. This can be useful for adding additional 4630 client or network metadata to the audit logs. 4631 * **Transit Backend UI (Enterprise)**: Vault Enterprise UI now supports the transit 4632 backend, allowing creation, viewing and editing of named keys as well as using 4633 those keys to perform supported transit operations directly in the UI. 4634 * **Socket Audit Backend** A new socket audit backend allows audit logs to be sent 4635 through TCP, UDP, or UNIX Sockets. 4636 4637IMPROVEMENTS: 4638 4639 * auth/aws-ec2: Add support for cross-account auth using STS [GH-2148] 4640 * auth/aws-ec2: Support issuing periodic tokens [GH-2324] 4641 * auth/github: Support listing teams and users [GH-2261] 4642 * auth/ldap: Support adding policies to local users directly, in addition to 4643 local groups [GH-2152] 4644 * command/server: Add ability to select and prefer server cipher suites 4645 [GH-2293] 4646 * core: Add a nonce to unseal operations as a check (useful mostly for 4647 support, not as a security principle) [GH-2276] 4648 * duo: Added ability to supply extra context to Duo pushes [GH-2118] 4649 * physical/consul: Add option for setting consistency mode on Consul gets 4650 [GH-2282] 4651 * physical/etcd: Full v3 API support; code will autodetect which API version 4652 to use. The v3 code path is significantly less complicated and may be much 4653 more stable. [GH-2168] 4654 * secret/pki: Allow specifying OU entries in generated certificate subjects 4655 [GH-2251] 4656 * secret mount ui (Enterprise): the secret mount list now shows all mounted 4657 backends even if the UI cannot browse them. Additional backends can now be 4658 mounted from the UI as well. 4659 4660BUG FIXES: 4661 4662 * auth/token: Fix regression in 0.6.4 where using token store roles as a 4663 blacklist (with only `disallowed_policies` set) would not work in most 4664 circumstances [GH-2286] 4665 * physical/s3: Page responses in client so list doesn't truncate [GH-2224] 4666 * secret/cassandra: Stop a connection leak that could occur on active node 4667 failover [GH-2313] 4668 * secret/pki: When using `sign-verbatim`, don't require a role and use the 4669 CSR's common name [GH-2243] 4670 4671## 0.6.4 (December 16, 2016) 4672 4673SECURITY: 4674 4675Further details about these security issues can be found in the 0.6.4 upgrade 4676guide. 4677 4678 * `default` Policy Privilege Escalation: If a parent token did not have the 4679 `default` policy attached to its token, it could still create children with 4680 the `default` policy. This is no longer allowed (unless the parent has 4681 `sudo` capability for the creation path). In most cases this is low severity 4682 since the access grants in the `default` policy are meant to be access 4683 grants that are acceptable for all tokens to have. 4684 * Leases Not Expired When Limited Use Token Runs Out of Uses: When using 4685 limited-use tokens to create leased secrets, if the limited-use token was 4686 revoked due to running out of uses (rather than due to TTL expiration or 4687 explicit revocation) it would fail to revoke the leased secrets. These 4688 secrets would still be revoked when their TTL expired, limiting the severity 4689 of this issue. An endpoint has been added (`auth/token/tidy`) that can 4690 perform housekeeping tasks on the token store; one of its tasks can detect 4691 this situation and revoke the associated leases. 4692 4693FEATURES: 4694 4695 * **Policy UI (Enterprise)**: Vault Enterprise UI now supports viewing, 4696 creating, and editing policies. 4697 4698IMPROVEMENTS: 4699 4700 * http: Vault now sets a `no-store` cache control header to make it more 4701 secure in setups that are not end-to-end encrypted [GH-2183] 4702 4703BUG FIXES: 4704 4705 * auth/ldap: Don't panic if dialing returns an error and starttls is enabled; 4706 instead, return the error [GH-2188] 4707 * ui (Enterprise): Submitting an unseal key now properly resets the 4708 form so a browser refresh isn't required to continue. 4709 4710## 0.6.3 (December 6, 2016) 4711 4712DEPRECATIONS/CHANGES: 4713 4714 * Request size limitation: A maximum request size of 32MB is imposed to 4715 prevent a denial of service attack with arbitrarily large requests [GH-2108] 4716 * LDAP denies passwordless binds by default: In new LDAP mounts, or when 4717 existing LDAP mounts are rewritten, passwordless binds will be denied by 4718 default. The new `deny_null_bind` parameter can be set to `false` to allow 4719 these. [GH-2103] 4720 * Any audit backend activated satisfies conditions: Previously, when a new 4721 Vault node was taking over service in an HA cluster, all audit backends were 4722 required to be loaded successfully to take over active duty. This behavior 4723 now matches the behavior of the audit logging system itself: at least one 4724 audit backend must successfully be loaded. The server log contains an error 4725 when this occurs. This helps keep a Vault HA cluster working when there is a 4726 misconfiguration on a standby node. [GH-2083] 4727 4728FEATURES: 4729 4730 * **Web UI (Enterprise)**: Vault Enterprise now contains a built-in web UI 4731 that offers access to a number of features, including init/unsealing/sealing, 4732 authentication via userpass or LDAP, and K/V reading/writing. The capability 4733 set of the UI will be expanding rapidly in further releases. To enable it, 4734 set `ui = true` in the top level of Vault's configuration file and point a 4735 web browser at your Vault address. 4736 * **Google Cloud Storage Physical Backend**: You can now use GCS for storing 4737 Vault data [GH-2099] 4738 4739IMPROVEMENTS: 4740 4741 * auth/github: Policies can now be assigned to users as well as to teams 4742 [GH-2079] 4743 * cli: Set the number of retries on 500 down to 0 by default (no retrying). It 4744 can be very confusing to users when there is a pause while the retries 4745 happen if they haven't explicitly set it. With request forwarding the need 4746 for this is lessened anyways. [GH-2093] 4747 * core: Response wrapping is now allowed to be specified by backend responses 4748 (requires backends gaining support) [GH-2088] 4749 * physical/consul: When announcing service, use the scheme of the Vault server 4750 rather than the Consul client [GH-2146] 4751 * secret/consul: Added listing functionality to roles [GH-2065] 4752 * secret/postgresql: Added `revocation_sql` parameter on the role endpoint to 4753 enable customization of user revocation SQL statements [GH-2033] 4754 * secret/transit: Add listing of keys [GH-1987] 4755 4756BUG FIXES: 4757 4758 * api/unwrap, command/unwrap: Increase compatibility of `unwrap` command with 4759 Vault 0.6.1 and older [GH-2014] 4760 * api/unwrap, command/unwrap: Fix error when no client token exists [GH-2077] 4761 * auth/approle: Creating the index for the role_id properly [GH-2004] 4762 * auth/aws-ec2: Handle the case of multiple upgrade attempts when setting the 4763 instance-profile ARN [GH-2035] 4764 * auth/ldap: Avoid leaking connections on login [GH-2130] 4765 * command/path-help: Use the actual error generated by Vault rather than 4766 always using 500 when there is a path help error [GH-2153] 4767 * command/ssh: Use temporary file for identity and ensure its deletion before 4768 the command returns [GH-2016] 4769 * cli: Fix error printing values with `-field` if the values contained 4770 formatting directives [GH-2109] 4771 * command/server: Don't say mlock is supported on OSX when it isn't. [GH-2120] 4772 * core: Fix bug where a failure to come up as active node (e.g. if an audit 4773 backend failed) could lead to deadlock [GH-2083] 4774 * physical/mysql: Fix potential crash during setup due to a query failure 4775 [GH-2105] 4776 * secret/consul: Fix panic on user error [GH-2145] 4777 4778## 0.6.2 (October 5, 2016) 4779 4780DEPRECATIONS/CHANGES: 4781 4782 * Convergent Encryption v2: New keys in `transit` using convergent mode will 4783 use a new nonce derivation mechanism rather than require the user to supply 4784 a nonce. While not explicitly increasing security, it minimizes the 4785 likelihood that a user will use the mode improperly and impact the security 4786 of their keys. Keys in convergent mode that were created in v0.6.1 will 4787 continue to work with the same mechanism (user-supplied nonce). 4788 * `etcd` HA off by default: Following in the footsteps of `dynamodb`, the 4789 `etcd` storage backend now requires that `ha_enabled` be explicitly 4790 specified in the configuration file. The backend currently has known broken 4791 HA behavior, so this flag discourages use by default without explicitly 4792 enabling it. If you are using this functionality, when upgrading, you should 4793 set `ha_enabled` to `"true"` *before* starting the new versions of Vault. 4794 * Default/Max lease/token TTLs are now 32 days: In previous versions of Vault 4795 the default was 30 days, but moving it to 32 days allows some operations 4796 (e.g. reauthenticating, renewing, etc.) to be performed via a monthly cron 4797 job. 4798 * AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are 4799 no longer part of request URLs. The GET and DELETE operations are now moved 4800 to new endpoints (`/lookup` and `/destroy`) which consumes the input from 4801 the body and not the URL. 4802 * AppRole requires at least one constraint: previously it was sufficient to 4803 turn off all AppRole authentication constraints (secret ID, CIDR block) and 4804 use the role ID only. It is now required that at least one additional 4805 constraint is enabled. Existing roles are unaffected, but any new roles or 4806 updated roles will require this. 4807 * Reading wrapped responses from `cubbyhole/response` is deprecated. The 4808 `sys/wrapping/unwrap` endpoint should be used instead as it provides 4809 additional security, auditing, and other benefits. The ability to read 4810 directly will be removed in a future release. 4811 * Request Forwarding is now on by default: in 0.6.1 this required toggling on, 4812 but is now enabled by default. This can be disabled via the 4813 `"disable_clustering"` parameter in Vault's 4814 [config](https://www.vaultproject.io/docs/config/index.html), or per-request 4815 with the `X-Vault-No-Request-Forwarding` header. 4816 * In prior versions a bug caused the `bound_iam_role_arn` value in the 4817 `aws-ec2` authentication backend to actually use the instance profile ARN. 4818 This has been corrected, but as a result there is a behavior change. To 4819 match using the instance profile ARN, a new parameter 4820 `bound_iam_instance_profile_arn` has been added. Existing roles will 4821 automatically transfer the value over to the correct parameter, but the next 4822 time the role is updated, the new meanings will take effect. 4823 4824FEATURES: 4825 4826 * **Secret ID CIDR Restrictions in `AppRole`**: Secret IDs generated under an 4827 approle can now specify a list of CIDR blocks from where the requests to 4828 generate secret IDs should originate from. If an approle already has CIDR 4829 restrictions specified, the CIDR restrictions on the secret ID should be a 4830 subset of those specified on the role [GH-1910] 4831 * **Initial Root Token PGP Encryption**: Similar to `generate-root`, the root 4832 token created at initialization time can now be PGP encrypted [GH-1883] 4833 * **Support Chained Intermediate CAs in `pki`**: The `pki` backend now allows, 4834 when a CA cert is being supplied as a signed root or intermediate, a trust 4835 chain of arbitrary length. The chain is returned as a parameter at 4836 certificate issue/sign time and is retrievable independently as well. 4837 [GH-1694] 4838 * **Response Wrapping Enhancements**: There are new endpoints to look up 4839 response wrapped token parameters; wrap arbitrary values; rotate wrapping 4840 tokens; and unwrap with enhanced validation. In addition, list operations 4841 can now be response-wrapped. [GH-1927] 4842 * **Transit Features**: The `transit` backend now supports generating random 4843 bytes and SHA sums; HMACs; and signing and verification functionality using 4844 EC keys (P-256 curve) 4845 4846IMPROVEMENTS: 4847 4848 * api: Return error when an invalid (as opposed to incorrect) unseal key is 4849 submitted, rather than ignoring it [GH-1782] 4850 * api: Add method to call `auth/token/create-orphan` endpoint [GH-1834] 4851 * api: Rekey operation now redirects from standbys to master [GH-1862] 4852 * audit/file: Sending a `SIGHUP` to Vault now causes Vault to close and 4853 re-open the log file, making it easier to rotate audit logs [GH-1953] 4854 * auth/aws-ec2: EC2 instances can get authenticated by presenting the identity 4855 document and its SHA256 RSA digest [GH-1961] 4856 * auth/aws-ec2: IAM bound parameters on the aws-ec2 backend will perform a 4857 prefix match instead of exact match [GH-1943] 4858 * auth/aws-ec2: Added a new constraint `bound_iam_instance_profile_arn` to 4859 refer to IAM instance profile ARN and fixed the earlier `bound_iam_role_arn` 4860 to refer to IAM role ARN instead of the instance profile ARN [GH-1913] 4861 * auth/aws-ec2: Backend generates the nonce by default and clients can 4862 explicitly disable reauthentication by setting empty nonce [GH-1889] 4863 * auth/token: Added warnings if tokens and accessors are used in URLs [GH-1806] 4864 * command/format: The `format` flag on select CLI commands takes `yml` as an 4865 alias for `yaml` [GH-1899] 4866 * core: Allow the size of the read cache to be set via the config file, and 4867 change the default value to 1MB (from 32KB) [GH-1784] 4868 * core: Allow single and two-character path parameters for most places 4869 [GH-1811] 4870 * core: Allow list operations to be response-wrapped [GH-1814] 4871 * core: Provide better protection against timing attacks in Shamir code 4872 [GH-1877] 4873 * core: Unmounting/disabling backends no longer returns an error if the mount 4874 didn't exist. This is line with elsewhere in Vault's API where `DELETE` is 4875 an idempotent operation. [GH-1903] 4876 * credential/approle: At least one constraint is required to be enabled while 4877 creating and updating a role [GH-1882] 4878 * secret/cassandra: Added consistency level for use with roles [GH-1931] 4879 * secret/mysql: SQL for revoking user can be configured on the role [GH-1914] 4880 * secret/transit: Use HKDF (RFC 5869) as the key derivation function for new 4881 keys [GH-1812] 4882 * secret/transit: Empty plaintext values are now allowed [GH-1874] 4883 4884BUG FIXES: 4885 4886 * audit: Fix panic being caused by some values logging as underlying Go types 4887 instead of formatted strings [GH-1912] 4888 * auth/approle: Fixed panic on deleting approle that doesn't exist [GH-1920] 4889 * auth/approle: Not letting secret IDs and secret ID accessors to get logged 4890 in plaintext in audit logs [GH-1947] 4891 * auth/aws-ec2: Allow authentication if the underlying host is in a bad state 4892 but the instance is running [GH-1884] 4893 * auth/token: Fixed metadata getting missed out from token lookup response by 4894 gracefully handling token entry upgrade [GH-1924] 4895 * cli: Don't error on newline in token file [GH-1774] 4896 * core: Pass back content-type header for forwarded requests [GH-1791] 4897 * core: Fix panic if the same key was given twice to `generate-root` [GH-1827] 4898 * core: Fix potential deadlock on unmount/remount [GH-1793] 4899 * physical/file: Remove empty directories from the `file` storage backend [GH-1821] 4900 * physical/zookeeper: Remove empty directories from the `zookeeper` storage 4901 backend and add a fix to the `file` storage backend's logic [GH-1964] 4902 * secret/aws: Added update operation to `aws/sts` path to consider `ttl` 4903 parameter [39b75c6] 4904 * secret/aws: Mark STS secrets as non-renewable [GH-1804] 4905 * secret/cassandra: Properly store session for re-use [GH-1802] 4906 * secret/ssh: Fix panic when revoking SSH dynamic keys [GH-1781] 4907 4908## 0.6.1 (August 22, 2016) 4909 4910DEPRECATIONS/CHANGES: 4911 4912 * Once the active node is 0.6.1, standby nodes must also be 0.6.1 in order to 4913 connect to the HA cluster. We recommend following our [general upgrade 4914 instructions](https://www.vaultproject.io/docs/install/upgrade.html) in 4915 addition to 0.6.1-specific upgrade instructions to ensure that this is not 4916 an issue. 4917 * Status codes for sealed/uninitialized Vaults have changed to `503`/`501` 4918 respectively. See the [version-specific upgrade 4919 guide](https://www.vaultproject.io/docs/install/upgrade-to-0.6.1.html) for 4920 more details. 4921 * Root tokens (tokens with the `root` policy) can no longer be created except 4922 by another root token or the `generate-root` endpoint. 4923 * Issued certificates from the `pki` backend against new roles created or 4924 modified after upgrading will contain a set of default key usages. 4925 * The `dynamodb` physical data store no longer supports HA by default. It has 4926 some non-ideal behavior around failover that was causing confusion. See the 4927 [documentation](https://www.vaultproject.io/docs/config/index.html#ha_enabled) 4928 for information on enabling HA mode. It is very important that this 4929 configuration is added _before upgrading_. 4930 * The `ldap` backend no longer searches for `memberOf` groups as part of its 4931 normal flow. Instead, the desired group filter must be specified. This fixes 4932 some errors and increases speed for directories with different structures, 4933 but if this behavior has been relied upon, ensure that you see the upgrade 4934 notes _before upgrading_. 4935 * `app-id` is now deprecated with the addition of the new AppRole backend. 4936 There are no plans to remove it, but we encourage using AppRole whenever 4937 possible, as it offers enhanced functionality and can accommodate many more 4938 types of authentication paradigms. 4939 4940FEATURES: 4941 4942 * **AppRole Authentication Backend**: The `approle` backend is a 4943 machine-oriented authentication backend that provides a similar concept to 4944 App-ID while adding many missing features, including a pull model that 4945 allows for the backend to generate authentication credentials rather than 4946 requiring operators or other systems to push credentials in. It should be 4947 useful in many more situations than App-ID. The inclusion of this backend 4948 deprecates App-ID. [GH-1426] 4949 * **Request Forwarding**: Vault servers can now forward requests to each other 4950 rather than redirecting clients. This feature is off by default in 0.6.1 but 4951 will be on by default in the next release. See the [HA concepts 4952 page](https://www.vaultproject.io/docs/concepts/ha.html) for information on 4953 enabling and configuring it. [GH-443] 4954 * **Convergent Encryption in `Transit`**: The `transit` backend now supports a 4955 convergent encryption mode where the same plaintext will produce the same 4956 ciphertext. Although very useful in some situations, this has potential 4957 security implications, which are mostly mitigated by requiring the use of 4958 key derivation when convergent encryption is enabled. See [the `transit` 4959 backend 4960 documentation](https://www.vaultproject.io/docs/secrets/transit/index.html) 4961 for more details. [GH-1537] 4962 * **Improved LDAP Group Filters**: The `ldap` auth backend now uses templates 4963 to define group filters, providing the capability to support some 4964 directories that could not easily be supported before (especially specific 4965 Active Directory setups with nested groups). [GH-1388] 4966 * **Key Usage Control in `PKI`**: Issued certificates from roles created or 4967 modified after upgrading contain a set of default key usages for increased 4968 compatibility with OpenVPN and some other software. This set can be changed 4969 when writing a role definition. Existing roles are unaffected. [GH-1552] 4970 * **Request Retrying in the CLI and Go API**: Requests that fail with a `5xx` 4971 error code will now retry after a backoff. The maximum total number of 4972 retries (including disabling this functionality) can be set with an 4973 environment variable. See the [environment variable 4974 documentation](https://www.vaultproject.io/docs/commands/environment.html) 4975 for more details. [GH-1594] 4976 * **Service Discovery in `vault init`**: The new `-auto` option on `vault init` 4977 will perform service discovery using Consul. When only one node is discovered, 4978 it will be initialized and when more than one node is discovered, they will 4979 be output for easy selection. See `vault init --help` for more details. [GH-1642] 4980 * **MongoDB Secret Backend**: Generate dynamic unique MongoDB database 4981 credentials based on configured roles. Sponsored by 4982 [CommerceHub](http://www.commercehub.com/). [GH-1414] 4983 * **Circonus Metrics Integration**: Vault can now send metrics to 4984 [Circonus](http://www.circonus.com/). See the [configuration 4985 documentation](https://www.vaultproject.io/docs/config/index.html) for 4986 details. [GH-1646] 4987 4988IMPROVEMENTS: 4989 4990 * audit: Added a unique identifier to each request which will also be found in 4991 the request portion of the response. [GH-1650] 4992 * auth/aws-ec2: Added a new constraint `bound_account_id` to the role 4993 [GH-1523] 4994 * auth/aws-ec2: Added a new constraint `bound_iam_role_arn` to the role 4995 [GH-1522] 4996 * auth/aws-ec2: Added `ttl` field for the role [GH-1703] 4997 * auth/ldap, secret/cassandra, physical/consul: Clients with `tls.Config` 4998 have the minimum TLS version set to 1.2 by default. This is configurable. 4999 * auth/token: Added endpoint to list accessors [GH-1676] 5000 * auth/token: Added `disallowed_policies` option to token store roles [GH-1681] 5001 * auth/token: `root` or `sudo` tokens can now create periodic tokens via 5002 `auth/token/create`; additionally, the same token can now be periodic and 5003 have an explicit max TTL [GH-1725] 5004 * build: Add support for building on Solaris/Illumos [GH-1726] 5005 * cli: Output formatting in the presence of warnings in the response object 5006 [GH-1533] 5007 * cli: `vault auth` command supports a `-path` option to take in the path at 5008 which the auth backend is enabled, thereby allowing authenticating against 5009 different paths using the command options [GH-1532] 5010 * cli: `vault auth -methods` will now display the config settings of the mount 5011 [GH-1531] 5012 * cli: `vault read/write/unwrap -field` now allows selecting token response 5013 fields [GH-1567] 5014 * cli: `vault write -field` now allows selecting wrapped response fields 5015 [GH-1567] 5016 * command/status: Version information and cluster details added to the output 5017 of `vault status` command [GH-1671] 5018 * core: Response wrapping is now enabled for login endpoints [GH-1588] 5019 * core: The duration of leadership is now exported via events through 5020 telemetry [GH-1625] 5021 * core: `sys/capabilities-self` is now accessible as part of the `default` 5022 policy [GH-1695] 5023 * core: `sys/renew` is now accessible as part of the `default` policy [GH-1701] 5024 * core: Unseal keys will now be returned in both hex and base64 forms, and 5025 either can be used [GH-1734] 5026 * core: Responses from most `/sys` endpoints now return normal `api.Secret` 5027 structs in addition to the values they carried before. This means that 5028 response wrapping can now be used with most authenticated `/sys` operations 5029 [GH-1699] 5030 * physical/etcd: Support `ETCD_ADDR` env var for specifying addresses [GH-1576] 5031 * physical/consul: Allowing additional tags to be added to Consul service 5032 registration via `service_tags` option [GH-1643] 5033 * secret/aws: Listing of roles is supported now [GH-1546] 5034 * secret/cassandra: Add `connect_timeout` value for Cassandra connection 5035 configuration [GH-1581] 5036 * secret/mssql,mysql,postgresql: Reading of connection settings is supported 5037 in all the sql backends [GH-1515] 5038 * secret/mysql: Added optional maximum idle connections value to MySQL 5039 connection configuration [GH-1635] 5040 * secret/mysql: Use a combination of the role name and token display name in 5041 generated user names and allow the length to be controlled [GH-1604] 5042 * secret/{cassandra,mssql,mysql,postgresql}: SQL statements can now be passed 5043 in via one of four ways: a semicolon-delimited string, a base64-delimited 5044 string, a serialized JSON string array, or a base64-encoded serialized JSON 5045 string array [GH-1686] 5046 * secret/ssh: Added `allowed_roles` to vault-ssh-helper's config and returning 5047 role name as part of response of `verify` API 5048 * secret/ssh: Added passthrough of command line arguments to `ssh` [GH-1680] 5049 * sys/health: Added version information to the response of health status 5050 endpoint [GH-1647] 5051 * sys/health: Cluster information isbe returned as part of health status when 5052 Vault is unsealed [GH-1671] 5053 * sys/mounts: MountTable data is compressed before serializing to accommodate 5054 thousands of mounts [GH-1693] 5055 * website: The [token 5056 concepts](https://www.vaultproject.io/docs/concepts/tokens.html) page has 5057 been completely rewritten [GH-1725] 5058 5059BUG FIXES: 5060 5061 * auth/aws-ec2: Added a nil check for stored whitelist identity object 5062 during renewal [GH-1542] 5063 * auth/cert: Fix panic if no client certificate is supplied [GH-1637] 5064 * auth/token: Don't report that a non-expiring root token is renewable, as 5065 attempting to renew it results in an error [GH-1692] 5066 * cli: Don't retry a command when a redirection is received [GH-1724] 5067 * core: Fix regression causing status codes to be `400` in most non-5xx error 5068 cases [GH-1553] 5069 * core: Fix panic that could occur during a leadership transition [GH-1627] 5070 * physical/postgres: Remove use of prepared statements as this causes 5071 connection multiplexing software to break [GH-1548] 5072 * physical/consul: Multiple Vault nodes on the same machine leading to check ID 5073 collisions were resulting in incorrect health check responses [GH-1628] 5074 * physical/consul: Fix deregistration of health checks on exit [GH-1678] 5075 * secret/postgresql: Check for existence of role before attempting deletion 5076 [GH-1575] 5077 * secret/postgresql: Handle revoking roles that have privileges on sequences 5078 [GH-1573] 5079 * secret/postgresql(,mysql,mssql): Fix incorrect use of database over 5080 transaction object which could lead to connection exhaustion [GH-1572] 5081 * secret/pki: Fix parsing CA bundle containing trailing whitespace [GH-1634] 5082 * secret/pki: Fix adding email addresses as SANs [GH-1688] 5083 * secret/pki: Ensure that CRL values are always UTC, per RFC [GH-1727] 5084 * sys/seal-status: Fixed nil Cluster object while checking seal status [GH-1715] 5085 5086## 0.6.0 (June 14th, 2016) 5087 5088SECURITY: 5089 5090 * Although `sys/revoke-prefix` was intended to revoke prefixes of secrets (via 5091 lease IDs, which incorporate path information) and 5092 `auth/token/revoke-prefix` was intended to revoke prefixes of tokens (using 5093 the tokens' paths and, since 0.5.2, role information), in implementation 5094 they both behaved exactly the same way since a single component in Vault is 5095 responsible for managing lifetimes of both, and the type of the tracked 5096 lifetime was not being checked. The end result was that either endpoint 5097 could revoke both secret leases and tokens. We consider this a very minor 5098 security issue as there are a number of mitigating factors: both endpoints 5099 require `sudo` capability in addition to write capability, preventing 5100 blanket ACL path globs from providing access; both work by using the prefix 5101 to revoke as a part of the endpoint path, allowing them to be properly 5102 ACL'd; and both are intended for emergency scenarios and users should 5103 already not generally have access to either one. In order to prevent 5104 confusion, we have simply removed `auth/token/revoke-prefix` in 0.6, and 5105 `sys/revoke-prefix` will be meant for both leases and tokens instead. 5106 5107DEPRECATIONS/CHANGES: 5108 5109 * `auth/token/revoke-prefix` has been removed. See the security notice for 5110 details. [GH-1280] 5111 * Vault will now automatically register itself as the `vault` service when 5112 using the `consul` backend and will perform its own health checks. See 5113 the Consul backend documentation for information on how to disable 5114 auto-registration and service checks. 5115 * List operations that do not find any keys now return a `404` status code 5116 rather than an empty response object [GH-1365] 5117 * CA certificates issued from the `pki` backend no longer have associated 5118 leases, and any CA certs already issued will ignore revocation requests from 5119 the lease manager. This is to prevent CA certificates from being revoked 5120 when the token used to issue the certificate expires; it was not be obvious 5121 to users that they need to ensure that the token lifetime needed to be at 5122 least as long as a potentially very long-lived CA cert. 5123 5124FEATURES: 5125 5126 * **AWS EC2 Auth Backend**: Provides a secure introduction mechanism for AWS 5127 EC2 instances allowing automated retrieval of Vault tokens. Unlike most 5128 Vault authentication backends, this backend does not require first deploying 5129 or provisioning security-sensitive credentials (tokens, username/password, 5130 client certificates, etc). Instead, it treats AWS as a Trusted Third Party 5131 and uses the cryptographically signed dynamic metadata information that 5132 uniquely represents each EC2 instance. [Vault 5133 Enterprise](https://www.hashicorp.com/vault.html) customers have access to a 5134 turnkey client that speaks the backend API and makes access to a Vault token 5135 easy. 5136 * **Response Wrapping**: Nearly any response within Vault can now be wrapped 5137 inside a single-use, time-limited token's cubbyhole, taking the [Cubbyhole 5138 Authentication 5139 Principles](https://www.hashicorp.com/blog/vault-cubbyhole-principles.html) 5140 mechanism to its logical conclusion. Retrieving the original response is as 5141 simple as a single API command or the new `vault unwrap` command. This makes 5142 secret distribution easier and more secure, including secure introduction. 5143 * **Azure Physical Backend**: You can now use Azure blob object storage as 5144 your Vault physical data store [GH-1266] 5145 * **Swift Physical Backend**: You can now use Swift blob object storage as 5146 your Vault physical data store [GH-1425] 5147 * **Consul Backend Health Checks**: The Consul backend will automatically 5148 register a `vault` service and perform its own health checking. By default 5149 the active node can be found at `active.vault.service.consul` and all with 5150 standby nodes are `standby.vault.service.consul`. Sealed vaults are marked 5151 critical and are not listed by default in Consul's service discovery. See 5152 the documentation for details. [GH-1349] 5153 * **Explicit Maximum Token TTLs**: You can now set explicit maximum TTLs on 5154 tokens that do not honor changes in the system- or mount-set values. This is 5155 useful, for instance, when the max TTL of the system or the `auth/token` 5156 mount must be set high to accommodate certain needs but you want more 5157 granular restrictions on tokens being issued directly from the Token 5158 authentication backend at `auth/token`. [GH-1399] 5159 * **Non-Renewable Tokens**: When creating tokens directly through the token 5160 authentication backend, you can now specify in both token store roles and 5161 the API whether or not a token should be renewable, defaulting to `true`. 5162 * **RabbitMQ Secret Backend**: Vault can now generate credentials for 5163 RabbitMQ. Vhosts and tags can be defined within roles. [GH-788] 5164 5165IMPROVEMENTS: 5166 5167 * audit: Add the DisplayName value to the copy of the Request object embedded 5168 in the associated Response, to match the original Request object [GH-1387] 5169 * audit: Enable auditing of the `seal` and `step-down` commands [GH-1435] 5170 * backends: Remove most `root`/`sudo` paths in favor of normal ACL mechanisms. 5171 A particular exception are any current MFA paths. A few paths in `token` and 5172 `sys` also require `root` or `sudo`. [GH-1478] 5173 * command/auth: Restore the previous authenticated token if the `auth` command 5174 fails to authenticate the provided token [GH-1233] 5175 * command/write: `-format` and `-field` can now be used with the `write` 5176 command [GH-1228] 5177 * core: Add `mlock` support for FreeBSD, OpenBSD, and Darwin [GH-1297] 5178 * core: Don't keep lease timers around when tokens are revoked [GH-1277] 5179 * core: If using the `disable_cache` option, caches for the policy store and 5180 the `transit` backend are now disabled as well [GH-1346] 5181 * credential/cert: Renewal requests are rejected if the set of policies has 5182 changed since the token was issued [GH-477] 5183 * credential/cert: Check CRLs for specific non-CA certs configured in the 5184 backend [GH-1404] 5185 * credential/ldap: If `groupdn` is not configured, skip searching LDAP and 5186 only return policies for local groups, plus a warning [GH-1283] 5187 * credential/ldap: `vault list` support for users and groups [GH-1270] 5188 * credential/ldap: Support for the `memberOf` attribute for group membership 5189 searching [GH-1245] 5190 * credential/userpass: Add list support for users [GH-911] 5191 * credential/userpass: Remove user configuration paths from requiring sudo, in 5192 favor of normal ACL mechanisms [GH-1312] 5193 * credential/token: Sanitize policies and add `default` policies in appropriate 5194 places [GH-1235] 5195 * credential/token: Setting the renewable status of a token is now possible 5196 via `vault token-create` and the API. The default is true, but tokens can be 5197 specified as non-renewable. [GH-1499] 5198 * secret/aws: Use chain credentials to allow environment/EC2 instance/shared 5199 providers [GH-307] 5200 * secret/aws: Support for STS AssumeRole functionality [GH-1318] 5201 * secret/consul: Reading consul access configuration supported. The response 5202 will contain non-sensitive information only [GH-1445] 5203 * secret/pki: Added `exclude_cn_from_sans` field to prevent adding the CN to 5204 DNS or Email Subject Alternate Names [GH-1220] 5205 * secret/pki: Added list support for certificates [GH-1466] 5206 * sys/capabilities: Enforce ACL checks for requests that query the capabilities 5207 of a token on a given path [GH-1221] 5208 * sys/health: Status information can now be retrieved with `HEAD` [GH-1509] 5209 5210BUG FIXES: 5211 5212 * command/read: Fix panic when using `-field` with a non-string value [GH-1308] 5213 * command/token-lookup: Fix TTL showing as 0 depending on how a token was 5214 created. This only affected the value shown at lookup, not the token 5215 behavior itself. [GH-1306] 5216 * command/various: Tell the JSON decoder to not convert all numbers to floats; 5217 fixes some various places where numbers were showing up in scientific 5218 notation 5219 * command/server: Prioritized `devRootTokenID` and `devListenAddress` flags 5220 over their respective env vars [GH-1480] 5221 * command/ssh: Provided option to disable host key checking. The automated 5222 variant of `vault ssh` command uses `sshpass` which was failing to handle 5223 host key checking presented by the `ssh` binary. [GH-1473] 5224 * core: Properly persist mount-tuned TTLs for auth backends [GH-1371] 5225 * core: Don't accidentally crosswire SIGINT to the reload handler [GH-1372] 5226 * credential/github: Make organization comparison case-insensitive during 5227 login [GH-1359] 5228 * credential/github: Fix panic when renewing a token created with some earlier 5229 versions of Vault [GH-1510] 5230 * credential/github: The token used to log in via `vault auth` can now be 5231 specified in the `VAULT_AUTH_GITHUB_TOKEN` environment variable [GH-1511] 5232 * credential/ldap: Fix problem where certain error conditions when configuring 5233 or opening LDAP connections would cause a panic instead of return a useful 5234 error message [GH-1262] 5235 * credential/token: Fall back to normal parent-token semantics if 5236 `allowed_policies` is empty for a role. Using `allowed_policies` of 5237 `default` resulted in the same behavior anyways. [GH-1276] 5238 * credential/token: Fix issues renewing tokens when using the "suffix" 5239 capability of token roles [GH-1331] 5240 * credential/token: Fix lookup via POST showing the request token instead of 5241 the desired token [GH-1354] 5242 * credential/various: Fix renewal conditions when `default` policy is not 5243 contained in the backend config [GH-1256] 5244 * physical/s3: Don't panic in certain error cases from bad S3 responses [GH-1353] 5245 * secret/consul: Use non-pooled Consul API client to avoid leaving files open 5246 [GH-1428] 5247 * secret/pki: Don't check whether a certificate is destined to be a CA 5248 certificate if sign-verbatim endpoint is used [GH-1250] 5249 5250## 0.5.3 (May 27th, 2016) 5251 5252SECURITY: 5253 5254 * Consul ACL Token Revocation: An issue was reported to us indicating that 5255 generated Consul ACL tokens were not being properly revoked. Upon 5256 investigation, we found that this behavior was reproducible in a specific 5257 scenario: when a generated lease for a Consul ACL token had been renewed 5258 prior to revocation. In this case, the generated token was not being 5259 properly persisted internally through the renewal function, leading to an 5260 error during revocation due to the missing token. Unfortunately, this was 5261 coded as a user error rather than an internal error, and the revocation 5262 logic was expecting internal errors if revocation failed. As a result, the 5263 revocation logic believed the revocation to have succeeded when it in fact 5264 failed, causing the lease to be dropped while the token was still valid 5265 within Consul. In this release, the Consul backend properly persists the 5266 token through renewals, and the revocation logic has been changed to 5267 consider any error type to have been a failure to revoke, causing the lease 5268 to persist and attempt to be revoked later. 5269 5270We have written an example shell script that searches through Consul's ACL 5271tokens and looks for those generated by Vault, which can be used as a template 5272for a revocation script as deemed necessary for any particular security 5273response. The script is available at 5274https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0 5275 5276Please note that any outstanding leases for Consul tokens produced prior to 52770.5.3 that have been renewed will continue to exhibit this behavior. As a 5278result, we recommend either revoking all tokens produced by the backend and 5279issuing new ones, or if needed, a more advanced variant of the provided example 5280could use the timestamp embedded in each generated token's name to decide which 5281tokens are too old and should be deleted. This could then be run periodically 5282up until the maximum lease time for any outstanding pre-0.5.3 tokens has 5283expired. 5284 5285This is a security-only release. There are no other code changes since 0.5.2. 5286The binaries have one additional change: they are built against Go 1.6.1 rather 5287than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming 5288language itself. 5289 5290## 0.5.2 (March 16th, 2016) 5291 5292FEATURES: 5293 5294 * **MSSQL Backend**: Generate dynamic unique MSSQL database credentials based 5295 on configured roles [GH-998] 5296 * **Token Accessors**: Vault now provides an accessor with each issued token. 5297 This accessor is an identifier that can be used for a limited set of 5298 actions, notably for token revocation. This value can be logged in 5299 plaintext to audit logs, and in combination with the plaintext metadata 5300 logged to audit logs, provides a searchable and straightforward way to 5301 revoke particular users' or services' tokens in many cases. To enable 5302 plaintext audit logging of these accessors, set `hmac_accessor=false` when 5303 enabling an audit backend. 5304 * **Token Credential Backend Roles**: Roles can now be created in the `token` 5305 credential backend that allow modifying token behavior in ways that are not 5306 otherwise exposed or easily delegated. This allows creating tokens with a 5307 fixed set (or subset) of policies (rather than a subset of the calling 5308 token's), periodic tokens with a fixed TTL but no expiration, specified 5309 prefixes, and orphans. 5310 * **Listener Certificate Reloading**: Vault's configured listeners now reload 5311 their TLS certificate and private key when the Vault process receives a 5312 SIGHUP. 5313 5314IMPROVEMENTS: 5315 5316 * auth/token: Endpoints optionally accept tokens from the HTTP body rather 5317 than just from the URLs [GH-1211] 5318 * auth/token,sys/capabilities: Added new endpoints 5319 `auth/token/lookup-accessor`, `auth/token/revoke-accessor` and 5320 `sys/capabilities-accessor`, which enables performing the respective actions 5321 with just the accessor of the tokens, without having access to the actual 5322 token [GH-1188] 5323 * core: Ignore leading `/` in policy paths [GH-1170] 5324 * core: Ignore leading `/` in mount paths [GH-1172] 5325 * command/policy-write: Provided HCL is now validated for format violations 5326 and provides helpful information around where the violation occurred 5327 [GH-1200] 5328 * command/server: The initial root token ID when running in `-dev` mode can 5329 now be specified via `-dev-root-token-id` or the environment variable 5330 `VAULT_DEV_ROOT_TOKEN_ID` [GH-1162] 5331 * command/server: The listen address when running in `-dev` mode can now be 5332 specified via `-dev-listen-address` or the environment variable 5333 `VAULT_DEV_LISTEN_ADDRESS` [GH-1169] 5334 * command/server: The configured listeners now reload their TLS 5335 certificates/keys when Vault is SIGHUP'd [GH-1196] 5336 * command/step-down: New `vault step-down` command and API endpoint to force 5337 the targeted node to give up active status, but without sealing. The node 5338 will wait ten seconds before attempting to grab the lock again. [GH-1146] 5339 * command/token-renew: Allow no token to be passed in; use `renew-self` in 5340 this case. Change the behavior for any token being passed in to use `renew`. 5341 [GH-1150] 5342 * credential/app-id: Allow `app-id` parameter to be given in the login path; 5343 this causes the `app-id` to be part of the token path, making it easier to 5344 use with `revoke-prefix` [GH-424] 5345 * credential/cert: Non-CA certificates can be used for authentication. They 5346 must be matched exactly (issuer and serial number) for authentication, and 5347 the certificate must carry the client authentication or 'any' extended usage 5348 attributes. [GH-1153] 5349 * credential/cert: Subject and Authority key IDs are output in metadata; this 5350 allows more flexible searching/revocation in the audit logs [GH-1183] 5351 * credential/cert: Support listing configured certs [GH-1212] 5352 * credential/userpass: Add support for `create`/`update` capability 5353 distinction in user path, and add user-specific endpoints to allow changing 5354 the password and policies [GH-1216] 5355 * credential/token: Add roles [GH-1155] 5356 * secret/mssql: Add MSSQL backend [GH-998] 5357 * secret/pki: Add revocation time (zero or Unix epoch) to `pki/cert/SERIAL` 5358 endpoint [GH-1180] 5359 * secret/pki: Sanitize serial number in `pki/revoke` endpoint to allow some 5360 other formats [GH-1187] 5361 * secret/ssh: Added documentation for `ssh/config/zeroaddress` endpoint. 5362 [GH-1154] 5363 * sys: Added new endpoints `sys/capabilities` and `sys/capabilities-self` to 5364 fetch the capabilities of a token on a given path [GH-1171] 5365 * sys: Added `sys/revoke-force`, which enables a user to ignore backend errors 5366 when revoking a lease, necessary in some emergency/failure scenarios 5367 [GH-1168] 5368 * sys: The return codes from `sys/health` can now be user-specified via query 5369 parameters [GH-1199] 5370 5371BUG FIXES: 5372 5373 * logical/cassandra: Apply hyphen/underscore replacement to the entire 5374 generated username, not just the UUID, in order to handle token display name 5375 hyphens [GH-1140] 5376 * physical/etcd: Output actual error when cluster sync fails [GH-1141] 5377 * vault/expiration: Not letting the error responses from the backends to skip 5378 during renewals [GH-1176] 5379 5380## 0.5.1 (February 25th, 2016) 5381 5382DEPRECATIONS/CHANGES: 5383 5384 * RSA keys less than 2048 bits are no longer supported in the PKI backend. 5385 1024-bit keys are considered unsafe and are disallowed in the Internet PKI. 5386 The `pki` backend has enforced SHA256 hashes in signatures from the 5387 beginning, and software that can handle these hashes should be able to 5388 handle larger key sizes. [GH-1095] 5389 * The PKI backend now does not automatically delete expired certificates, 5390 including from the CRL. Doing so could lead to a situation where a time 5391 mismatch between the Vault server and clients could result in a certificate 5392 that would not be considered expired by a client being removed from the CRL. 5393 The new `pki/tidy` endpoint can be used to trigger expirations. [GH-1129] 5394 * The `cert` backend now performs a variant of channel binding at renewal time 5395 for increased security. In order to not overly burden clients, a notion of 5396 identity is used. This functionality can be disabled. See the 0.5.1 upgrade 5397 guide for more specific information [GH-1127] 5398 5399FEATURES: 5400 5401 * **Codebase Audit**: Vault's 0.5 codebase was audited by iSEC. (The terms of 5402 the audit contract do not allow us to make the results public.) [GH-220] 5403 5404IMPROVEMENTS: 5405 5406 * api: The `VAULT_TLS_SERVER_NAME` environment variable can be used to control 5407 the SNI header during TLS connections [GH-1131] 5408 * api/health: Add the server's time in UTC to health responses [GH-1117] 5409 * command/rekey and command/generate-root: These now return the status at 5410 attempt initialization time, rather than requiring a separate fetch for the 5411 nonce [GH-1054] 5412 * credential/cert: Don't require root/sudo tokens for the `certs/` and `crls/` 5413 paths; use normal ACL behavior instead [GH-468] 5414 * credential/github: The validity of the token used for login will be checked 5415 at renewal time [GH-1047] 5416 * credential/github: The `config` endpoint no longer requires a root token; 5417 normal ACL path matching applies 5418 * deps: Use the standardized Go 1.6 vendoring system 5419 * secret/aws: Inform users of AWS-imposed policy restrictions around STS 5420 tokens if they attempt to use an invalid policy [GH-1113] 5421 * secret/mysql: The MySQL backend now allows disabling verification of the 5422 `connection_url` [GH-1096] 5423 * secret/pki: Submitted CSRs are now verified to have the correct key type and 5424 minimum number of bits according to the role. The exception is intermediate 5425 CA signing and the `sign-verbatim` path [GH-1104] 5426 * secret/pki: New `tidy` endpoint to allow expunging expired certificates. 5427 [GH-1129] 5428 * secret/postgresql: The PostgreSQL backend now allows disabling verification 5429 of the `connection_url` [GH-1096] 5430 * secret/ssh: When verifying an OTP, return 400 if it is not valid instead of 5431 204 [GH-1086] 5432 * credential/app-id: App ID backend will check the validity of app-id and user-id 5433 during renewal time [GH-1039] 5434 * credential/cert: TLS Certificates backend, during renewal, will now match the 5435 client identity with the client identity used during login [GH-1127] 5436 5437BUG FIXES: 5438 5439 * credential/ldap: Properly escape values being provided to search filters 5440 [GH-1100] 5441 * secret/aws: Capping on length of usernames for both IAM and STS types 5442 [GH-1102] 5443 * secret/pki: If a cert is not found during lookup of a serial number, 5444 respond with a 400 rather than a 500 [GH-1085] 5445 * secret/postgresql: Add extra revocation statements to better handle more 5446 permission scenarios [GH-1053] 5447 * secret/postgresql: Make connection_url work properly [GH-1112] 5448 5449## 0.5.0 (February 10, 2016) 5450 5451SECURITY: 5452 5453 * Previous versions of Vault could allow a malicious user to hijack the rekey 5454 operation by canceling an operation in progress and starting a new one. The 5455 practical application of this is very small. If the user was an unseal key 5456 owner, they could attempt to do this in order to either receive unencrypted 5457 reseal keys or to replace the PGP keys used for encryption with ones under 5458 their control. However, since this would invalidate any rekey progress, they 5459 would need other unseal key holders to resubmit, which would be rather 5460 suspicious during this manual operation if they were not also the original 5461 initiator of the rekey attempt. If the user was not an unseal key holder, 5462 there is no benefit to be gained; the only outcome that could be attempted 5463 would be a denial of service against a legitimate rekey operation by sending 5464 cancel requests over and over. Thanks to Josh Snyder for the report! 5465 5466DEPRECATIONS/CHANGES: 5467 5468 * `s3` physical backend: Environment variables are now preferred over 5469 configuration values. This makes it behave similar to the rest of Vault, 5470 which, in increasing order of preference, uses values from the configuration 5471 file, environment variables, and CLI flags. [GH-871] 5472 * `etcd` physical backend: `sync` functionality is now supported and turned on 5473 by default. This can be disabled. [GH-921] 5474 * `transit`: If a client attempts to encrypt a value with a key that does not 5475 yet exist, what happens now depends on the capabilities set in the client's 5476 ACL policies. If the client has `create` (or `create` and `update`) 5477 capability, the key will upsert as in the past. If the client has `update` 5478 capability, they will receive an error. [GH-1012] 5479 * `token-renew` CLI command: If the token given for renewal is the same as the 5480 client token, the `renew-self` endpoint will be used in the API. Given that 5481 the `default` policy (by default) allows all clients access to the 5482 `renew-self` endpoint, this makes it much more likely that the intended 5483 operation will be successful. [GH-894] 5484 * Token `lookup`: the `ttl` value in the response now reflects the actual 5485 remaining TTL rather than the original TTL specified when the token was 5486 created; this value is now located in `creation_ttl` [GH-986] 5487 * Vault no longer uses grace periods on leases or token TTLs. Uncertainty 5488 about the length grace period for any given backend could cause confusion 5489 and uncertainty. [GH-1002] 5490 * `rekey`: Rekey now requires a nonce to be supplied with key shares. This 5491 nonce is generated at the start of a rekey attempt and is unique for that 5492 attempt. 5493 * `status`: The exit code for the `status` CLI command is now `2` for an 5494 uninitialized Vault instead of `1`. `1` is returned for errors. This better 5495 matches the rest of the CLI. 5496 5497FEATURES: 5498 5499 * **Split Data/High Availability Physical Backends**: You can now configure 5500 two separate physical backends: one to be used for High Availability 5501 coordination and another to be used for encrypted data storage. See the 5502 [configuration 5503 documentation](https://vaultproject.io/docs/config/index.html) for details. 5504 [GH-395] 5505 * **Fine-Grained Access Control**: Policies can now use the `capabilities` set 5506 to specify fine-grained control over operations allowed on a path, including 5507 separation of `sudo` privileges from other privileges. These can be mixed 5508 and matched in any way desired. The `policy` value is kept for backwards 5509 compatibility. See the [updated policy 5510 documentation](https://vaultproject.io/docs/concepts/policies.html) for 5511 details. [GH-914] 5512 * **List Support**: Listing is now supported via the API and the new `vault 5513 list` command. This currently supports listing keys in the `generic` and 5514 `cubbyhole` backends and a few other places (noted in the IMPROVEMENTS 5515 section below). Different parts of the API and backends will need to 5516 implement list capabilities in ways that make sense to particular endpoints, 5517 so further support will appear over time. [GH-617] 5518 * **Root Token Generation via Unseal Keys**: You can now use the 5519 `generate-root` CLI command to generate new orphaned, non-expiring root 5520 tokens in case the original is lost or revoked (accidentally or 5521 purposefully). This requires a quorum of unseal key holders. The output 5522 value is protected via any PGP key of the initiator's choosing or a one-time 5523 pad known only to the initiator (a suitable pad can be generated via the 5524 `-genotp` flag to the command. [GH-915] 5525 * **Unseal Key Archiving**: You can now optionally have Vault store your 5526 unseal keys in your chosen physical store for disaster recovery purposes. 5527 This option is only available when the keys are encrypted with PGP. [GH-907] 5528 * **Keybase Support for PGP Encryption Keys**: You can now specify Keybase 5529 users when passing in PGP keys to the `init`, `rekey`, and `generate-root` 5530 CLI commands. Public keys for these users will be fetched automatically. 5531 [GH-901] 5532 * **DynamoDB HA Physical Backend**: There is now a new, community-supported 5533 HA-enabled physical backend using Amazon DynamoDB. See the [configuration 5534 documentation](https://vaultproject.io/docs/config/index.html) for details. 5535 [GH-878] 5536 * **PostgreSQL Physical Backend**: There is now a new, community-supported 5537 physical backend using PostgreSQL. See the [configuration 5538 documentation](https://vaultproject.io/docs/config/index.html) for details. 5539 [GH-945] 5540 * **STS Support in AWS Secret Backend**: You can now use the AWS secret 5541 backend to fetch STS tokens rather than IAM users. [GH-927] 5542 * **Speedups in the transit backend**: The `transit` backend has gained a 5543 cache, and now loads only the working set of keys (e.g. from the 5544 `min_decryption_version` to the current key version) into its working set. 5545 This provides large speedups and potential memory savings when the `rotate` 5546 feature of the backend is used heavily. 5547 5548IMPROVEMENTS: 5549 5550 * cli: Output secrets sorted by key name [GH-830] 5551 * cli: Support YAML as an output format [GH-832] 5552 * cli: Show an error if the output format is incorrect, rather than falling 5553 back to an empty table [GH-849] 5554 * cli: Allow setting the `advertise_addr` for HA via the 5555 `VAULT_ADVERTISE_ADDR` environment variable [GH-581] 5556 * cli/generate-root: Add generate-root and associated functionality [GH-915] 5557 * cli/init: Add `-check` flag that returns whether Vault is initialized 5558 [GH-949] 5559 * cli/server: Use internal functions for the token-helper rather than shelling 5560 out, which fixes some problems with using a static binary in Docker or paths 5561 with multiple spaces when launching in `-dev` mode [GH-850] 5562 * cli/token-lookup: Add token-lookup command [GH-892] 5563 * command/{init,rekey}: Allow ASCII-armored keychain files to be arguments for 5564 `-pgp-keys` [GH-940] 5565 * conf: Use normal bool values rather than empty/non-empty for the 5566 `tls_disable` option [GH-802] 5567 * credential/ldap: Add support for binding, both anonymously (to discover a 5568 user DN) and via a username and password [GH-975] 5569 * credential/token: Add `last_renewal_time` to token lookup calls [GH-896] 5570 * credential/token: Change `ttl` to reflect the current remaining TTL; the 5571 original value is in `creation_ttl` [GH-1007] 5572 * helper/certutil: Add ability to parse PKCS#8 bundles [GH-829] 5573 * logical/aws: You can now get STS tokens instead of IAM users [GH-927] 5574 * logical/cassandra: Add `protocol_version` parameter to set the CQL proto 5575 version [GH-1005] 5576 * logical/cubbyhole: Add cubbyhole access to default policy [GH-936] 5577 * logical/mysql: Add list support for roles path [GH-984] 5578 * logical/pki: Fix up key usages being specified for CAs [GH-989] 5579 * logical/pki: Add list support for roles path [GH-985] 5580 * logical/pki: Allow `pem_bundle` to be specified as the format, which 5581 provides a concatenated PEM bundle of returned values [GH-1008] 5582 * logical/pki: Add 30 seconds of slack to the validity start period to 5583 accommodate some clock skew in machines [GH-1036] 5584 * logical/postgres: Add `max_idle_connections` parameter [GH-950] 5585 * logical/postgres: Add list support for roles path 5586 * logical/ssh: Add list support for roles path [GH-983] 5587 * logical/transit: Keys are archived and only keys between the latest version 5588 and `min_decryption_version` are loaded into the working set. This can 5589 provide a very large speed increase when rotating keys very often. [GH-977] 5590 * logical/transit: Keys are now cached, which should provide a large speedup 5591 in most cases [GH-979] 5592 * physical/cache: Use 2Q cache instead of straight LRU [GH-908] 5593 * physical/etcd: Support basic auth [GH-859] 5594 * physical/etcd: Support sync functionality and enable by default [GH-921] 5595 5596BUG FIXES: 5597 5598 * api: Correct the HTTP verb used in the LookupSelf method [GH-887] 5599 * api: Fix the output of `Sys().MountConfig(...)` to return proper values 5600 [GH-1017] 5601 * command/read: Fix panic when an empty argument was given [GH-923] 5602 * command/ssh: Fix panic when username lookup fails [GH-886] 5603 * core: When running in standalone mode, don't advertise that we are active 5604 until post-unseal setup completes [GH-872] 5605 * core: Update go-cleanhttp dependency to ensure idle connections aren't 5606 leaked [GH-867] 5607 * core: Don't allow tokens to have duplicate policies [GH-897] 5608 * core: Fix regression in `sys/renew` that caused information stored in the 5609 Secret part of the response to be lost [GH-912] 5610 * physical: Use square brackets when setting an IPv6-based advertise address 5611 as the auto-detected advertise address [GH-883] 5612 * physical/s3: Use an initialized client when using IAM roles to fix a 5613 regression introduced against newer versions of the AWS Go SDK [GH-836] 5614 * secret/pki: Fix a condition where unmounting could fail if the CA 5615 certificate was not properly loaded [GH-946] 5616 * secret/ssh: Fix a problem where SSH connections were not always closed 5617 properly [GH-942] 5618 5619MISC: 5620 5621 * Clarified our stance on support for community-derived physical backends. 5622 See the [configuration 5623 documentation](https://vaultproject.io/docs/config/index.html) for details. 5624 * Add `vault-java` to libraries [GH-851] 5625 * Various minor documentation fixes and improvements [GH-839] [GH-854] 5626 [GH-861] [GH-876] [GH-899] [GH-900] [GH-904] [GH-923] [GH-924] [GH-958] 5627 [GH-959] [GH-981] [GH-990] [GH-1024] [GH-1025] 5628 5629BUILD NOTE: 5630 5631 * The HashiCorp-provided binary release of Vault 0.5.0 is built against a 5632 patched version of Go 1.5.3 containing two specific bug fixes affecting TLS 5633 certificate handling. These fixes are in the Go 1.6 tree and were 5634 cherry-picked on top of stock Go 1.5.3. If you want to examine the way in 5635 which the releases were built, please look at our [cross-compilation 5636 Dockerfile](https://github.com/hashicorp/vault/blob/v0.5.0/scripts/cross/Dockerfile-patched-1.5.3). 5637 5638## 0.4.1 (January 13, 2016) 5639 5640SECURITY: 5641 5642 * Build against Go 1.5.3 to mitigate a security vulnerability introduced in 5643 Go 1.5. For more information, please see 5644 https://groups.google.com/forum/#!topic/golang-dev/MEATuOi_ei4 5645 5646This is a security-only release; other than the version number and building 5647against Go 1.5.3, there are no changes from 0.4.0. 5648 5649## 0.4.0 (December 10, 2015) 5650 5651DEPRECATIONS/CHANGES: 5652 5653 * Policy Name Casing: Policy names are now normalized to lower-case on write, 5654 helping prevent accidental case mismatches. For backwards compatibility, 5655 policy names are not currently normalized when reading or deleting. [GH-676] 5656 * Default etcd port number: the default connection string for the `etcd` 5657 physical store uses port 2379 instead of port 4001, which is the port used 5658 by the supported version 2.x of etcd. [GH-753] 5659 * As noted below in the FEATURES section, if your Vault installation contains 5660 a policy called `default`, new tokens created will inherit this policy 5661 automatically. 5662 * In the PKI backend there have been a few minor breaking changes: 5663 * The token display name is no longer a valid option for providing a base 5664 domain for issuance. Since this name is prepended with the name of the 5665 authentication backend that issued it, it provided a faulty use-case at best 5666 and a confusing experience at worst. We hope to figure out a better 5667 per-token value in a future release. 5668 * The `allowed_base_domain` parameter has been changed to `allowed_domains`, 5669 which accepts a comma-separated list of domains. This allows issuing 5670 certificates with DNS subjects across multiple domains. If you had a 5671 configured `allowed_base_domain` parameter, it will be migrated 5672 automatically when the role is read (either via a normal read, or via 5673 issuing a certificate). 5674 5675FEATURES: 5676 5677 * **Significantly Enhanced PKI Backend**: The `pki` backend can now generate 5678 and sign root CA certificates and intermediate CA CSRs. It can also now sign 5679 submitted client CSRs, as well as a significant number of other 5680 enhancements. See the updated documentation for the full API. [GH-666] 5681 * **CRL Checking for Certificate Authentication**: The `cert` backend now 5682 supports pushing CRLs into the mount and using the contained serial numbers 5683 for revocation checking. See the documentation for the `cert` backend for 5684 more info. [GH-330] 5685 * **Default Policy**: Vault now ensures that a policy named `default` is added 5686 to every token. This policy cannot be deleted, but it can be modified 5687 (including to an empty policy). There are three endpoints allowed in the 5688 default `default` policy, related to token self-management: `lookup-self`, 5689 which allows a token to retrieve its own information, and `revoke-self` and 5690 `renew-self`, which are self-explanatory. If your existing Vault 5691 installation contains a policy called `default`, it will not be overridden, 5692 but it will be added to each new token created. You can override this 5693 behavior when using manual token creation (i.e. not via an authentication 5694 backend) by setting the "no_default_policy" flag to true. [GH-732] 5695 5696IMPROVEMENTS: 5697 5698 * api: API client now uses a 60 second timeout instead of indefinite [GH-681] 5699 * api: Implement LookupSelf, RenewSelf, and RevokeSelf functions for auth 5700 tokens [GH-739] 5701 * api: Standardize environment variable reading logic inside the API; the CLI 5702 now uses this but can still override via command-line parameters [GH-618] 5703 * audit: HMAC-SHA256'd client tokens are now stored with each request entry. 5704 Previously they were only displayed at creation time; this allows much 5705 better traceability of client actions. [GH-713] 5706 * audit: There is now a `sys/audit-hash` endpoint that can be used to generate 5707 an HMAC-SHA256'd value from provided data using the given audit backend's 5708 salt [GH-784] 5709 * core: The physical storage read cache can now be disabled via 5710 "disable_cache" [GH-674] 5711 * core: The unsealing process can now be reset midway through (this feature 5712 was documented before, but not enabled) [GH-695] 5713 * core: Tokens can now renew themselves [GH-455] 5714 * core: Base64-encoded PGP keys can be used with the CLI for `init` and 5715 `rekey` operations [GH-653] 5716 * core: Print version on startup [GH-765] 5717 * core: Access to `sys/policy` and `sys/mounts` now uses the normal ACL system 5718 instead of requiring a root token [GH-769] 5719 * credential/token: Display whether or not a token is an orphan in the output 5720 of a lookup call [GH-766] 5721 * logical: Allow `.` in path-based variables in many more locations [GH-244] 5722 * logical: Responses now contain a "warnings" key containing a list of 5723 warnings returned from the server. These are conditions that did not require 5724 failing an operation, but of which the client should be aware. [GH-676] 5725 * physical/(consul,etcd): Consul and etcd now use a connection pool to limit 5726 the number of outstanding operations, improving behavior when a lot of 5727 operations must happen at once [GH-677] [GH-780] 5728 * physical/consul: The `datacenter` parameter was removed; It could not be 5729 effective unless the Vault node (or the Consul node it was connecting to) 5730 was in the datacenter specified, in which case it wasn't needed [GH-816] 5731 * physical/etcd: Support TLS-encrypted connections and use a connection pool 5732 to limit the number of outstanding operations [GH-780] 5733 * physical/s3: The S3 endpoint can now be configured, allowing using 5734 S3-API-compatible storage solutions [GH-750] 5735 * physical/s3: The S3 bucket can now be configured with the `AWS_S3_BUCKET` 5736 environment variable [GH-758] 5737 * secret/consul: Management tokens can now be created [GH-714] 5738 5739BUG FIXES: 5740 5741 * api: API client now checks for a 301 response for redirects. Vault doesn't 5742 generate these, but in certain conditions Go's internal HTTP handler can 5743 generate them, leading to client errors. 5744 * cli: `token-create` now supports the `ttl` parameter in addition to the 5745 deprecated `lease` parameter. [GH-688] 5746 * core: Return data from `generic` backends on the last use of a limited-use 5747 token [GH-615] 5748 * core: Fix upgrade path for leases created in `generic` prior to 0.3 [GH-673] 5749 * core: Stale leader entries will now be reaped [GH-679] 5750 * core: Using `mount-tune` on the auth/token path did not take effect. 5751 [GH-688] 5752 * core: Fix a potential race condition when (un)sealing the vault with metrics 5753 enabled [GH-694] 5754 * core: Fix an error that could happen in some failure scenarios where Vault 5755 could fail to revert to a clean state [GH-733] 5756 * core: Ensure secondary indexes are removed when a lease is expired [GH-749] 5757 * core: Ensure rollback manager uses an up-to-date mounts table [GH-771] 5758 * everywhere: Don't use http.DefaultClient, as it shares state implicitly and 5759 is a source of hard-to-track-down bugs [GH-700] 5760 * credential/token: Allow creating orphan tokens via an API path [GH-748] 5761 * secret/generic: Validate given duration at write time, not just read time; 5762 if stored durations are not parseable, return a warning and the default 5763 duration rather than an error [GH-718] 5764 * secret/generic: Return 400 instead of 500 when `generic` backend is written 5765 to with no data fields [GH-825] 5766 * secret/postgresql: Revoke permissions before dropping a user or revocation 5767 may fail [GH-699] 5768 5769MISC: 5770 5771 * Various documentation fixes and improvements [GH-685] [GH-688] [GH-697] 5772 [GH-710] [GH-715] [GH-831] 5773 5774## 0.3.1 (October 6, 2015) 5775 5776SECURITY: 5777 5778 * core: In certain failure scenarios, the full values of requests and 5779 responses would be logged [GH-665] 5780 5781FEATURES: 5782 5783 * **Settable Maximum Open Connections**: The `mysql` and `postgresql` backends 5784 now allow setting the number of maximum open connections to the database, 5785 which was previously capped to 2. [GH-661] 5786 * **Renewable Tokens for GitHub**: The `github` backend now supports 5787 specifying a TTL, enabling renewable tokens. [GH-664] 5788 5789BUG FIXES: 5790 5791 * dist: linux-amd64 distribution was dynamically linked [GH-656] 5792 * credential/github: Fix acceptance tests [GH-651] 5793 5794MISC: 5795 5796 * Various minor documentation fixes and improvements [GH-649] [GH-650] 5797 [GH-654] [GH-663] 5798 5799## 0.3.0 (September 28, 2015) 5800 5801DEPRECATIONS/CHANGES: 5802 5803Note: deprecations and breaking changes in upcoming releases are announced 5804ahead of time on the "vault-tool" mailing list. 5805 5806 * **Cookie Authentication Removed**: As of 0.3 the only way to authenticate is 5807 via the X-Vault-Token header. Cookie authentication was hard to properly 5808 test, could result in browsers/tools/applications saving tokens in plaintext 5809 on disk, and other issues. [GH-564] 5810 * **Terminology/Field Names**: Vault is transitioning from overloading the 5811 term "lease" to mean both "a set of metadata" and "the amount of time the 5812 metadata is valid". The latter is now being referred to as TTL (or 5813 "lease_duration" for backwards-compatibility); some parts of Vault have 5814 already switched to using "ttl" and others will follow in upcoming releases. 5815 In particular, the "token", "generic", and "pki" backends accept both "ttl" 5816 and "lease" but in 0.4 only "ttl" will be accepted. [GH-528] 5817 * **Downgrade Not Supported**: Due to enhancements in the storage subsystem, 5818 values written by Vault 0.3+ will not be able to be read by prior versions 5819 of Vault. There are no expected upgrade issues, however, as with all 5820 critical infrastructure it is recommended to back up Vault's physical 5821 storage before upgrading. 5822 5823FEATURES: 5824 5825 * **SSH Backend**: Vault can now be used to delegate SSH access to machines, 5826 via a (recommended) One-Time Password approach or by issuing dynamic keys. 5827 [GH-385] 5828 * **Cubbyhole Backend**: This backend works similarly to the "generic" backend 5829 but provides a per-token workspace. This enables some additional 5830 authentication workflows (especially for containers) and can be useful to 5831 applications to e.g. store local credentials while being restarted or 5832 upgraded, rather than persisting to disk. [GH-612] 5833 * **Transit Backend Improvements**: The transit backend now allows key 5834 rotation and datakey generation. For rotation, data encrypted with previous 5835 versions of the keys can still be decrypted, down to a (configurable) 5836 minimum previous version; there is a rewrap function for manual upgrades of 5837 ciphertext to newer versions. Additionally, the backend now allows 5838 generating and returning high-entropy keys of a configurable bitsize 5839 suitable for AES and other functions; this is returned wrapped by a named 5840 key, or optionally both wrapped and plaintext for immediate use. [GH-626] 5841 * **Global and Per-Mount Default/Max TTL Support**: You can now set the 5842 default and maximum Time To Live for leases both globally and per-mount. 5843 Per-mount settings override global settings. Not all backends honor these 5844 settings yet, but the maximum is a hard limit enforced outside the backend. 5845 See the documentation for "/sys/mounts/" for details on configuring 5846 per-mount TTLs. [GH-469] 5847 * **PGP Encryption for Unseal Keys**: When initializing or rotating Vault's 5848 master key, PGP/GPG public keys can now be provided. The output keys will be 5849 encrypted with the given keys, in order. [GH-570] 5850 * **Duo Multifactor Authentication Support**: Backends that support MFA can 5851 now use Duo as the mechanism. [GH-464] 5852 * **Performance Improvements**: Users of the "generic" backend will see a 5853 significant performance improvement as the backend no longer creates leases, 5854 although it does return TTLs (global/mount default, or set per-item) as 5855 before. [GH-631] 5856 * **Codebase Audit**: Vault's codebase was audited by iSEC. (The terms of the 5857 audit contract do not allow us to make the results public.) [GH-220] 5858 5859IMPROVEMENTS: 5860 5861 * audit: Log entries now contain a time field [GH-495] 5862 * audit: Obfuscated audit entries now use hmac-sha256 instead of sha1 [GH-627] 5863 * backends: Add ability for a cleanup function to be called on backend unmount 5864 [GH-608] 5865 * config: Allow specifying minimum acceptable TLS version [GH-447] 5866 * core: If trying to mount in a location that is already mounted, be more 5867 helpful about the error [GH-510] 5868 * core: Be more explicit on failure if the issue is invalid JSON [GH-553] 5869 * core: Tokens can now revoke themselves [GH-620] 5870 * credential/app-id: Give a more specific error when sending a duplicate POST 5871 to sys/auth/app-id [GH-392] 5872 * credential/github: Support custom API endpoints (e.g. for Github Enterprise) 5873 [GH-572] 5874 * credential/ldap: Add per-user policies and option to login with 5875 userPrincipalName [GH-420] 5876 * credential/token: Allow root tokens to specify the ID of a token being 5877 created from CLI [GH-502] 5878 * credential/userpass: Enable renewals for login tokens [GH-623] 5879 * scripts: Use /usr/bin/env to find Bash instead of hardcoding [GH-446] 5880 * scripts: Use godep for build scripts to use same environment as tests 5881 [GH-404] 5882 * secret/mysql: Allow reading configuration data [GH-529] 5883 * secret/pki: Split "allow_any_name" logic to that and "enforce_hostnames", to 5884 allow for non-hostname values (e.g. for client certificates) [GH-555] 5885 * storage/consul: Allow specifying certificates used to talk to Consul 5886 [GH-384] 5887 * storage/mysql: Allow SSL encrypted connections [GH-439] 5888 * storage/s3: Allow using temporary security credentials [GH-433] 5889 * telemetry: Put telemetry object in configuration to allow more flexibility 5890 [GH-419] 5891 * testing: Disable mlock for testing of logical backends so as not to require 5892 root [GH-479] 5893 5894BUG FIXES: 5895 5896 * audit/file: Do not enable auditing if file permissions are invalid [GH-550] 5897 * backends: Allow hyphens in endpoint patterns (fixes AWS and others) [GH-559] 5898 * cli: Fixed missing setup of client TLS certificates if no custom CA was 5899 provided 5900 * cli/read: Do not include a carriage return when using raw field output 5901 [GH-624] 5902 * core: Bad input data could lead to a panic for that session, rather than 5903 returning an error [GH-503] 5904 * core: Allow SHA2-384/SHA2-512 hashed certificates [GH-448] 5905 * core: Do not return a Secret if there are no uses left on a token (since it 5906 will be unable to be used) [GH-615] 5907 * core: Code paths that called lookup-self would decrement num_uses and 5908 potentially immediately revoke a token [GH-552] 5909 * core: Some /sys/ paths would not properly redirect from a standby to the 5910 leader [GH-499] [GH-551] 5911 * credential/aws: Translate spaces in a token's display name to avoid making 5912 IAM unhappy [GH-567] 5913 * credential/github: Integration failed if more than ten organizations or 5914 teams [GH-489] 5915 * credential/token: Tokens with sudo access to "auth/token/create" can now use 5916 root-only options [GH-629] 5917 * secret/cassandra: Work around backwards-incompatible change made in 5918 Cassandra 2.2 preventing Vault from properly setting/revoking leases 5919 [GH-549] 5920 * secret/mysql: Use varbinary instead of varchar to avoid InnoDB/UTF-8 issues 5921 [GH-522] 5922 * secret/postgres: Explicitly set timezone in connections [GH-597] 5923 * storage/etcd: Renew semaphore periodically to prevent leadership flapping 5924 [GH-606] 5925 * storage/zk: Fix collisions in storage that could lead to data unavailability 5926 [GH-411] 5927 5928MISC: 5929 5930 * Various documentation fixes and improvements [GH-412] [GH-474] [GH-476] 5931 [GH-482] [GH-483] [GH-486] [GH-508] [GH-568] [GH-574] [GH-586] [GH-590] 5932 [GH-591] [GH-592] [GH-595] [GH-613] [GH-637] 5933 * Less "armon" in stack traces [GH-453] 5934 * Sourcegraph integration [GH-456] 5935 5936## 0.2.0 (July 13, 2015) 5937 5938FEATURES: 5939 5940 * **Key Rotation Support**: The `rotate` command can be used to rotate the 5941 master encryption key used to write data to the storage (physical) backend. 5942 [GH-277] 5943 * **Rekey Support**: Rekey can be used to rotate the master key and change the 5944 configuration of the unseal keys (number of shares, threshold required). 5945 [GH-277] 5946 * **New secret backend: `pki`**: Enable Vault to be a certificate authority 5947 and generate signed TLS certificates. [GH-310] 5948 * **New secret backend: `cassandra`**: Generate dynamic credentials for 5949 Cassandra [GH-363] 5950 * **New storage backend: `etcd`**: store physical data in etcd [GH-259] 5951 [GH-297] 5952 * **New storage backend: `s3`**: store physical data in S3. Does not support 5953 HA. [GH-242] 5954 * **New storage backend: `MySQL`**: store physical data in MySQL. Does not 5955 support HA. [GH-324] 5956 * `transit` secret backend supports derived keys for per-transaction unique 5957 keys [GH-399] 5958 5959IMPROVEMENTS: 5960 5961 * cli/auth: Enable `cert` method [GH-380] 5962 * cli/auth: read input from stdin [GH-250] 5963 * cli/read: Ability to read a single field from a secret [GH-257] 5964 * cli/write: Adding a force flag when no input required 5965 * core: allow time duration format in place of seconds for some inputs 5966 * core: audit log provides more useful information [GH-360] 5967 * core: graceful shutdown for faster HA failover 5968 * core: **change policy format** to use explicit globbing [GH-400] Any 5969 existing policy in Vault is automatically upgraded to avoid issues. All 5970 policy files must be updated for future writes. Adding the explicit glob 5971 character `*` to the path specification is all that is required. 5972 * core: policy merging to give deny highest precedence [GH-400] 5973 * credential/app-id: Protect against timing attack on app-id 5974 * credential/cert: Record the common name in the metadata [GH-342] 5975 * credential/ldap: Allow TLS verification to be disabled [GH-372] 5976 * credential/ldap: More flexible names allowed [GH-245] [GH-379] [GH-367] 5977 * credential/userpass: Protect against timing attack on password 5978 * credential/userpass: Use bcrypt for password matching 5979 * http: response codes improved to reflect error [GH-366] 5980 * http: the `sys/health` endpoint supports `?standbyok` to return 200 on 5981 standby [GH-389] 5982 * secret/app-id: Support deleting AppID and UserIDs [GH-200] 5983 * secret/consul: Fine grained lease control [GH-261] 5984 * secret/transit: Decouple raw key from key management endpoint [GH-355] 5985 * secret/transit: Upsert named key when encrypt is used [GH-355] 5986 * storage/zk: Support for HA configuration [GH-252] 5987 * storage/zk: Changing node representation. **Backwards incompatible**. 5988 [GH-416] 5989 5990BUG FIXES: 5991 5992 * audit/file: file removing TLS connection state 5993 * audit/syslog: fix removing TLS connection state 5994 * command/*: commands accepting `k=v` allow blank values 5995 * core: Allow building on FreeBSD [GH-365] 5996 * core: Fixed various panics when audit logging enabled 5997 * core: Lease renewal does not create redundant lease 5998 * core: fixed leases with negative duration [GH-354] 5999 * core: token renewal does not create child token 6000 * core: fixing panic when lease increment is null [GH-408] 6001 * credential/app-id: Salt the paths in storage backend to avoid information 6002 leak 6003 * credential/cert: Fixing client certificate not being requested 6004 * credential/cert: Fixing panic when no certificate match found [GH-361] 6005 * http: Accept PUT as POST for sys/auth 6006 * http: Accept PUT as POST for sys/mounts [GH-349] 6007 * http: Return 503 when sealed [GH-225] 6008 * secret/postgres: Username length is capped to exceeding limit 6009 * server: Do not panic if backend not configured [GH-222] 6010 * server: Explicitly check value of tls_diable [GH-201] 6011 * storage/zk: Fixed issues with version conflicts [GH-190] 6012 6013MISC: 6014 6015 * cli/path-help: renamed from `help` to avoid confusion 6016 6017## 0.1.2 (May 11, 2015) 6018 6019FEATURES: 6020 6021 * **New physical backend: `zookeeper`**: store physical data in Zookeeper. 6022 HA not supported yet. 6023 * **New credential backend: `ldap`**: authenticate using LDAP credentials. 6024 6025IMPROVEMENTS: 6026 6027 * core: Auth backends can store internal data about auth creds 6028 * audit: display name for auth is shown in logs [GH-176] 6029 * command/*: `-insecure` has been renamed to `-tls-skip-verify` [GH-130] 6030 * command/*: `VAULT_TOKEN` overrides local stored auth [GH-162] 6031 * command/server: environment variables are copy-pastable 6032 * credential/app-id: hash of app and user ID are in metadata [GH-176] 6033 * http: HTTP API accepts `X-Vault-Token` as auth header [GH-124] 6034 * logical/*: Generate help output even if no synopsis specified 6035 6036BUG FIXES: 6037 6038 * core: login endpoints should never return secrets 6039 * core: Internal data should never be returned from core endpoints 6040 * core: defer barrier initialization to as late as possible to avoid error 6041 cases during init that corrupt data (no data loss) 6042 * core: guard against invalid init config earlier 6043 * audit/file: create file if it doesn't exist [GH-148] 6044 * command/*: ignore directories when traversing CA paths [GH-181] 6045 * credential/*: all policy mapping keys are case insensitive [GH-163] 6046 * physical/consul: Fixing path for locking so HA works in every case 6047 6048## 0.1.1 (May 2, 2015) 6049 6050SECURITY CHANGES: 6051 6052 * physical/file: create the storge with 0600 permissions [GH-102] 6053 * token/disk: write the token to disk with 0600 perms 6054 6055IMPROVEMENTS: 6056 6057 * core: Very verbose error if mlock fails [GH-59] 6058 * command/*: On error with TLS oversized record, show more human-friendly 6059 error message. [GH-123] 6060 * command/read: `lease_renewable` is now outputted along with the secret to 6061 show whether it is renewable or not 6062 * command/server: Add configuration option to disable mlock 6063 * command/server: Disable mlock for dev mode so it works on more systems 6064 6065BUG FIXES: 6066 6067 * core: if token helper isn't absolute, prepend with path to Vault 6068 executable, not "vault" (which requires PATH) [GH-60] 6069 * core: Any "mapping" routes allow hyphens in keys [GH-119] 6070 * core: Validate `advertise_addr` is a valid URL with scheme [GH-106] 6071 * command/auth: Using an invalid token won't crash [GH-75] 6072 * credential/app-id: app and user IDs can have hyphens in keys [GH-119] 6073 * helper/password: import proper DLL for Windows to ask password [GH-83] 6074 6075## 0.1.0 (April 28, 2015) 6076 6077 * Initial release 6078