Skip to content

Releases: hashicorp/vault

v1.6.3

25 Feb 18:21
@hashicorp-ci hashicorp-ci
v1.6.3
b540be4
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.6.3

SECURITY:

  • Limited Unauthenticated License Read: We addressed a security vulnerability that allowed for the unauthenticated
    reading of Vault licenses from DR Secondaries. This vulnerability affects Vault and Vault Enterprise and is
    fixed in 1.6.3 (CVE-2021-27668).

CHANGES:

  • secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]

IMPROVEMENTS:

  • ui: Clarify language on usage metrics page empty state [GH-10951]

BUG FIXES:

  • auth/kubernetes: Cancel API calls to TokenReview endpoint when request context
    is closed [GH-10930]
  • core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
  • quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
  • quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
  • replication (enterprise): Don't write request count data on DR Secondaries.
    Fixes DR Secondaries becoming out of sync approximately every 30s. [GH-10970]
  • secrets/azure (enterprise): Forward service principal credential creation to the
    primary cluster if called on a performance standby or performance secondary. [GH-10902]
Loading

v1.6.2

29 Jan 18:22
@hashicorp-ci hashicorp-ci
v1.6.2
be65a22
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.6.2

SECURITY:

  • IP Address Disclosure: We fixed a vulnerability where, under some error
    conditions, Vault would return an error message disclosing internal IP
    addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
    1.6.2 (CVE-2021-3024).
  • Limited Unauthenticated Remove Peer: As of Vault 1.6, the remove-peer command
    on DR secondaries did not require authentication. This issue impacts the
    stability of HA architecture, as a bad actor could remove all standby
    nodes from a DR
    secondary. This issue affects Vault Enterprise 1.6.0 and 1.6.1, and is fixed in
    1.6.2 (CVE-2021-3282).
  • Mount Path Disclosure: Vault previously returned different HTTP status codes for
    existent and non-existent mount paths. This behavior would allow unauthenticated
    brute force attacks to reveal which paths had valid mounts. This issue affects
    Vault and Vault Enterprise and is fixed in 1.6.2 (CVE-2020-25594).

CHANGES:

  • go: Update go version to 1.15.7 [GH-10730]

FEATURES:

  • ui: Adds check for feature flag on application, and updates namespace toolbar on login if present [GH-10588]

IMPROVEMENTS:

  • core (enterprise): "vault status" command works when a namespace is set. [GH-10725]
  • core: reduce memory used by leases [GH-10726]
  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary
    cluster nodes, as an update operation that takes in DR operation token for
    authenticating the request.

BUG FIXES:

  • agent: Set namespace for template server in agent. [GH-10757]
  • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
  • metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
  • secrets/gcp: Fix issue with account and iam_policy roleset WALs not being removed after attempts when GCP project no longer exists [GH-10759]
  • storage/raft (enterprise): Automated snapshots with Azure required specifying
    azure_blob_environment, which should have had as a default AZUREPUBLICCLOUD.
  • storage/raft (enterprise): Autosnapshots config and storage weren't excluded from
    performance replication, causing conflicts and errors.
  • ui: Fix bug that double encodes secret route when there are spaces in the path and makes you unable to view the version history. [GH-10596]
  • ui: Fix expected response from feature-flags endpoint [GH-10684]
Loading

v1.5.7

29 Jan 18:18
@hashicorp-ci hashicorp-ci
v1.5.7
81d55e3
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.5.7

SECURITY:

  • IP Address Disclosure: We fixed a vulnerability where, under some error
    conditions, Vault would return an error message disclosing internal IP
    addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
    1.6.2 and 1.5.7 (CVE-2021-3024).
  • Mount Path Disclosure: Vault previously returned different HTTP status codes for
    existent and non-existent mount paths. This behavior would allow unauthenticated
    brute force attacks to reveal which paths had valid mounts. This issue affects
    Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).

IMPROVEMENTS:

  • storage/raft (enterprise): Listing of peers is now allowed on DR secondary
    cluster nodes, as an update operation that takes in DR operation token for
    authenticating the request.

BUG FIXES:

  • core: Avoid disclosing IP addresses in the errors of unauthenticated requests [GH-10579]
  • core: Make the response to an unauthenticated request to sys/internal endpoints consistent regardless of mount existence. [GH-10650]
Loading

v1.6.1

16 Dec 15:44
@hashicorp-ci hashicorp-ci
v1.6.1
6d2db3f
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.6.1

Release vault v1.6.1

Loading

v1.5.6

16 Dec 15:31
@hashicorp-ci hashicorp-ci
v1.5.6
5799790
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.5.6

Release vault v1.5.6

Loading

v1.6.0

11 Nov 15:10
@hashicorp-ci hashicorp-ci
v1.6.0
7ce0bd9
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.6.0

Release vault v1.6.0

Loading

v1.6.0-rc

04 Nov 22:39
@hashicorp-ci hashicorp-ci
v1.6.0-rc
daadba9
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
v1.6.0-rc Pre-release
Pre-release

Release vault v1.6.0-rc

Loading