The NetBSD Project

CVS log for pkgsrc/security/vault/Makefile

[BACK] Up to [] / pkgsrc / security / vault

Request diff between arbitrary revisions

Default branch: MAIN

Revision 1.66 / (download) - annotate - [select for diffs], Sun Jun 6 12:18:58 2021 UTC (2 weeks, 4 days ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q2-base, pkgsrc-2021Q2, HEAD
Changes since 1.65: +2 -1 lines
Diff to previous 1.65 (colored)

Revbump all Go packages after go116 update

Revision 1.65 / (download) - annotate - [select for diffs], Sun May 30 17:37:53 2021 UTC (3 weeks, 4 days ago) by he
Branch: MAIN
Changes since 1.64: +2 -3 lines
Diff to previous 1.64 (colored)

Upgrade security/vault to version 1.6.5.

Pkgsrc changes:
 * None

Upstream changes:

May 20th, 2021

 * Non-Expiring Leases: Vault and Vault Enterprise renewed
   nearly-expiring token leases and dynamic secret leases with a
   zero-second TTL, causing them to be treated as non-expiring,
   and never revoked. This issue affects Vault and Vault Enterprise
   versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5,
   and 1.7.2 (CVE-2021-32923).

 * agent: Update to use IAM Service Account Credentials endpoint
   for signing JWTs when using GCP Auto-Auth method [GH-11473]
 * auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials
   API for signing JWTs [GH-11498]

 * core (enterprise): Fix plugins mounted in namespaces being
   unable to use password policies [GH-11596]
 * core: correct logic for renewal of leases nearing their expiration
   time. [GH-11650]
 * secrets/database: Fix marshalling to allow providing numeric
   arguments to external database plugins. [GH-11451]
 * secrets/database: Fixes issue for V4 database interface where
   SetCredentials wasn't falling back to using RotateRootCredentials
   if SetCredentials is Unimplemented [GH-11585]
 * ui: Fix namespace-bug on login [GH-11182]

April 21, 2021
Release vault v1.6.4

February 25, 2021

 * Limited Unauthenticated License Read: We addressed a security
   vulnerability that allowed for the unauthenticated reading of
   Vault licenses from DR Secondaries. This vulnerability affects
   Vault and Vault Enterprise and is fixed in 1.6.3 (CVE-2021-27668).

 * secrets/mongodbatlas: Move from whitelist to access list API [GH-10966]

 * ui: Clarify language on usage metrics page empty state [GH-10951]

 * auth/kubernetes: Cancel API calls to TokenReview endpoint when
   request context is closed [GH-10930]
 * core/identity: Fix deadlock in entity merge endpoint. [GH-10877]
 * quotas: Fix duplicate quotas on performance standby nodes. [GH-10855]
 * quotas/rate-limit: Fix quotas enforcing old rate limit quota paths [GH-10689]
   replication (enterprise): Don't write request count data on DR Secondaries.
 * Fixes DR Secondaries becoming out of sync approximately every 30s. [GH-10970]
 * secrets/azure (enterprise): Forward service principal credential
   creation to the primary cluster if called on a performance
   standby or performance secondary. [GH-10902]

Revision 1.64 / (download) - annotate - [select for diffs], Sat May 8 15:02:29 2021 UTC (6 weeks, 5 days ago) by bsiegert
Branch: MAIN
Changes since 1.63: +2 -2 lines
Diff to previous 1.63 (colored)

Revbump all Go packages after go116 update

Revision 1.63 / (download) - annotate - [select for diffs], Fri Mar 19 17:37:05 2021 UTC (3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2021Q1-base, pkgsrc-2021Q1
Changes since 1.62: +2 -1 lines
Diff to previous 1.62 (colored)

Revbump all Go packages after go115 update

Revision 1.62 / (download) - annotate - [select for diffs], Mon Feb 1 10:49:11 2021 UTC (4 months, 3 weeks ago) by he
Branch: MAIN
Changes since 1.61: +2 -3 lines
Diff to previous 1.61 (colored)

Upgrade security/vault to version 1.6.2:

Pkgsrc changes:
 * None

Upstream changes:

January 29, 2021

 * IP Address Disclosure: We fixed a vulnerability where, under
   some error conditions, Vault would return an error message
   disclosing internal IP addresses. This vulnerability affects
   Vault and Vault Enterprise and is fixed in 1.6.2 (CVE-2021-3024).
 * Limited Unauthenticated Remove Peer: As of Vault 1.6, the
   remove-peer command on DR secondaries did not require authentication.
   This issue impacts the stability of HA architecture, as a bad
   actor could remove all standby nodes from a DR secondary. This
   issue affects Vault Enterprise 1.6.0 and 1.6.1, and is fixed in
   1.6.2 (CVE-2021-3282).
 * Mount Path Disclosure: Vault previously returned different HTTP
   status codes for existent and non-existent mount paths. This
   behavior would allow unauthenticated brute force attacks to
   reveal which paths had valid mounts. This issue affects Vault
   and Vault Enterprise and is fixed in 1.6.2 (CVE-2020-25594).

 * go: Update go version to 1.15.7 [GH-10730]

 * ui: Adds check for feature flag on application, and updates
   namespace toolbar on login if present [GH-10588]

 * core (enterprise): "vault status" command works when a namespace
   is set. [GH-10725]
 * core: reduce memory used by leases [GH-10726]
 * storage/raft (enterprise): Listing of peers is now allowed on DR secondary
   cluster nodes, as an update operation that takes in DR operation token for
   authenticating the request.

 * agent: Set namespace for template server in agent. [GH-10757]
 * core: Make the response to an unauthenticated request to
   sys/internal endpoints consistent regardless of mount existence.
 * metrics: Protect emitMetrics from panicking during post-seal [GH-10708]
 * secrets/gcp: Fix issue with account and iam_policy roleset WALs
   not being removed after attempts when GCP project no longer
   exists [GH-10759]
 * storage/raft (enterprise): Automated snapshots with Azure required
 * azure_blob_environment, which should have had as a default
 * storage/raft (enterprise): Autosnapshots config and storage
   weren't excluded from
 * performance replication, causing conflicts and errors.
 * ui: Fix bug that double encodes secret route when there are
   spaces in the path and makes you unable to view the version
   history. [GH-10596]
 * ui: Fix expected response from feature-flags endpoint [GH-10684]

Revision 1.61 / (download) - annotate - [select for diffs], Sat Jan 23 14:23:10 2021 UTC (5 months ago) by bsiegert
Branch: MAIN
Changes since 1.60: +2 -1 lines
Diff to previous 1.60 (colored)

Revbump all Go packages after go115 update

Revision 1.60 / (download) - annotate - [select for diffs], Tue Jan 5 11:02:51 2021 UTC (5 months, 2 weeks ago) by he
Branch: MAIN
Changes since 1.59: +7 -5 lines
Diff to previous 1.59 (colored)

Upgrade vault to version 1.6.1:

Pkgsrc changes:
 * Added a patch to cope with docker client default settings (build
   also on NetBSD)

Upstream changes:

December 16, 2020

 * LDAP Auth Method: We addressed an issue where error messages
   returned by the LDAP auth methold allowed user enumeration
   [GH-10537]. This vulnerability affects Vault OSS and Vault Enterprise
   and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
 * Sentinel EGP: We've fixed incorrect handling of namespace paths
   to prevent users within namespaces from applying Sentinel EGP
   policies to paths above their namespace. This vulnerability
   affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1

 * auth/ldap: Improve consistency in error messages [GH-10537]
 * core/metrics: Added "vault operator usage" command. [GH-10365]
 * secrets/gcp: Truncate ServiceAccount display names longer than
   100 characters. [GH-10558]

 * agent: Only set the namespace if the VAULT_NAMESPACE env var
   isn't present [GH-10556]
 * auth/jwt: Fixes bound_claims validation for provider-specific
   group and user info fetching. [GH-10546]
 * core (enterprise): Vault EGP policies attached to path * were
   not correctly scoped to the namespace.
 * core: Avoid deadlocks by ensuring that if grabLockOrStop returns
   stopped=true, the lock will not be held. [GH-10456]
 * core: Fix client.Clone() to include the address [GH-10077]
 * core: Fix rate limit resource quota migration from 1.5.x to
   1.6.x by ensuring purgeInterval and staleAge are set appropriately.
 * core: Make all APIs that report init status consistent, and make
   them report initialized=true when a Raft join is in progress.
 * secrets/database/influxdb: Fix issue where not all errors from
   InfluxDB were being handled [GH-10384]
 * secrets/database/mysql: Fixes issue where the DisplayName within
   generated usernames was the incorrect length [GH-10433]
 * secrets/database: Sanitize private_key field when reading database
   plugin config [GH-10416]
 * secrets/transit: allow for null string to be used for optional
   parameters in encrypt and decrypt [GH-10386]
 * storage/raft (enterprise): The parameter aws_s3_server_kms_key
   was misnamed and didn't work. Renamed to aws_s3_kms_key, and
   make it work so that when provided the given key will be used
   to encrypt the snapshot using AWS KMS.
 * transform (enterprise): Fix bug tokenization handling metadata
   on exportable stores
 * transform (enterprise): Fix transform configuration not handling
   stores parameter on the legacy path
 * transform (enterprise): Make expiration timestamps human readable
 * transform (enterprise): Return false for invalid tokens on the
   validate endpoint rather than returning an HTTP error
 * transform (enterprise): Fix bug where tokenization store changes
   are persisted but don't take effect
 * ui: Fix bug in Transform secret engine when a new role is added
   and then removed from a transformation [GH-10417]
 * ui: Fix footer URL linking to the correct version changelog.
 * ui: Fox radio click on secrets and auth list pages. [GH-10586]

November 11th, 2020


Binaries for 32-bit macOS (i.e. the darwin_386 build) will no longer
be published. This target was dropped in the latest version of the
Go compiler.

 * agent: Agent now properly returns a non-zero exit code on error,
   such as one due to template rendering failure. Using
   error_on_missing_key in the template config will cause agent to
   immediately exit on failure. In order to make agent properly
   exit due to continuous failure from template rendering errors,
   the old behavior of indefinitely restarting the template server
   is now changed to exit once the default retry attempt of 12
   times (with exponential backoff) gets exhausted. [GH-9670]
 * token: Periodic tokens generated by auth methods will have the
   period value stored in its token entry. [GH-7885]
 * core: New telemetry metrics reporting mount table size and number
   of entries [GH-10201]
 * go: Updated Go version to 1.15.4 [GH-10366]

 * Couchbase Secrets: Vault can now manage static and dynamic
   credentials for Couchbase. [GH-9664]
 * Expanded Password Policy Support: Custom password policies are
   now supported for all database engines.
 * Integrated Storage Auto Snapshots (Enterprise): This feature
   enables an operator to schedule snapshots of the integrated
   storage backend and ensure those snapshots are persisted elsewhere.
 * Integrated Storage Cloud Auto Join: This feature for integrated
   storage enables Vault nodes running in the cloud to automatically
   discover and join a Vault cluster via operator-supplied metadata.
 * Key Management Secrets Engine (Enterprise; Tech Preview): This
   new secret engine allows securely distributing and managing keys
   to Azure cloud KMS services.
 * Seal Migration: With Vault 1.6, we will support migrating from
   an auto unseal mechanism to a different mechanism of the same
   type. For example, if you were using an AWS KMS key to automatically
   unseal, you can now migrate to a different AWS KMS key.
 * Tokenization (Enterprise; Tech Preview): Tokenization supports
   creating irreversible "tokens" from sensitive data. Tokens can
   be used in less secure environments, protecting the original
 * Vault Client Count: Vault now counts the number of active entities
   (and non-entity tokens) per month and makes this information
   available via the "Metrics" section of the UI.

 * auth/approle: Role names can now be referenced in templated
   policies through the approle.metadata.role_name property [GH-9529]
 * auth/aws: Improve logic check on wildcard BoundIamPrincipalARNs
   and include role name on error messages on check failure [GH-10036]
 * auth/jwt: Add support for fetching groups and user information
   from G Suite during authentication. [GH-123]
 * auth/jwt: Adding EdDSA (ed25519) to supported algorithms [GH-129]
 * auth/jwt: Improve cli authorization error [GH-137]
 * auth/jwt: Add OIDC namespace_in_state option [GH-140]
 * secrets/transit: fix missing plaintext in bulk decrypt response [GH-9991]
 * command/server: Delay informational messages in -dev mode until
   logs have settled. [GH-9702]
 * command/server: Add environment variable support for disable_mlock.
 * core/metrics: Add metrics for storage cache [GH_10079]
 * core/metrics: Add metrics for leader status [GH 10147]
 * physical/azure: Add the ability to use Azure Instance Metadata
   Service to set the credentials for Azure Blob storage on the
   backend. [GH-10189]
 * sdk/framework: Add a time type for API fields. [GH-9911]
 * secrets/database: Added support for password policies to all
   databases [GH-9641, and more]
 * secrets/database/cassandra: Added support for static credential
   rotation [GH-10051]
 * secrets/database/elasticsearch: Added support for static credential
   rotation [GH-19]
 * secrets/database/hanadb: Added support for root credential &
   static credential rotation [GH-10142]
 * secrets/database/hanadb: Default password generation now includes
   dashes. Custom statements may need to be updated to include
   quotes around the password field [GH-10142]
 * secrets/database/influxdb: Added support for static credential
   rotation [GH-10118]
 * secrets/database/mongodbatlas: Added support for root credential
   rotation [GH-14]
 * secrets/database/mongodbatlas: Support scopes field in creations
   statements for MongoDB Atlas database plugin [GH-15]
 * seal/awskms: Add logging during awskms auto-unseal [GH-9794]
 * storage/azure: Update SDK library to use azure-storage-blob-go
   since previous library has been deprecated. [GH-9577]
 * secrets/ad: rotate-root now supports POST requests like other
   secret engines [GH-70]
 * ui: Add ui functionality for the Transform Secret Engine [GH-9665]
 * ui: Pricing metrics dashboard [GH-10049]

 * auth/jwt: Fix bug preventing config edit UI from rendering [GH-141]
 * cli: Don't open or overwrite a raft snapshot file on an unsuccessful
   vault operator raft snapshot [GH-9894]
 * core: Implement constant time version of shamir GF(2^8) math [GH-9932]
 * core: Fix resource leak in plugin API (plugin-dependent, not
   all plugins impacted) [GH-9557]
 * core: Fix race involved in enabling certain features via a
   license change
 * core: Fix error handling in HCL parsing of objects with invalid
   syntax [GH-410]
 * identity: Check for timeouts in entity API [GH-9925]
 * secrets/database: Fix handling of TLS options in mongodb connection
   strings [GH-9519]
 * secrets/gcp: Ensure that the IAM policy version is appropriately
   set after a roleset's bindings have changed. [GH-93]
 * ui: Mask LDAP bindpass while typing [GH-10087]
 * ui: Update language in promote dr modal flow [GH-10155]
 * ui: Update language on replication primary dashboard for clarity
 * core: Fix bug where updating an existing path quota could
   introduce a conflict. [GH-10285]

December 16, 2020

 * LDAP Auth Method: We addressed an issue where error messages
   returned by the LDAP auth methold allowed user enumeration
   [GH-10537]. This vulnerability affects Vault OSS and Vault
   Enterprise and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35177).
 * Sentinel EGP: We've fixed incorrect handling of namespace paths
   to prevent users within namespaces from applying Sentinel EGP
   policies to paths above their namespace. This vulnerability
   affects Vault Enterprise and is fixed in 1.5.6 and 1.6.1.

 * auth/ldap: Improve consistency in error messages [GH-10537]

 * core (enterprise): Vault EGP policies attached to path * were
   not correctly scoped to the namespace.
 * core: Fix bug where updating an existing path quota could
   introduce a conflict [GH-10285]
 * core: Fix client.Clone() to include the address [GH-10077]
 * quotas (enterprise): Reset cache before loading quotas in the
   db during startup
 * secrets/transit: allow for null string to be used for optional
   parameters in encrypt and decrypt [GH-10386]

October 21, 2020

 * auth/aws, core/seal, secret/aws: Set default IMDS timeouts to
   match AWS SDK [GH-10133]

 * auth/aws: Restrict region selection when in the aws-us-gov
   partition to avoid IAM errors [GH-9947]
 * core (enterprise): Allow operators to add and remove (Raft)
   peers in a DR secondary cluster using Integrated Storage.
 * core (enterprise): Add DR operation token to the remove peer
   API and CLI command (when DR secondary).
 * core (enterprise): Fix deadlock in handling EGP policies
 * core (enterprise): Fix extraneous error messages in DR Cluster
 * secrets/mysql: Conditionally overwrite TLS parameters for MySQL
   secrets engine [GH-9729]
 * secrets/ad: Fix bug where password_policy setting was not using
   correct key when ad/config was read [GH-71]
 * ui: Fix issue with listing roles and methods on the same auth
   methods with different names [GH-10122]

September 24th, 2020

 * Batch Token Expiry: We addressed an issue where batch token
   leases could outlive their TTL because we were not scheduling
   the expiration time correctly. This vulnerability affects Vault
   OSS and Vault Enterprise 1.0 and newer and is fixed in 1.4.7
   and 1.5.4 (CVE-2020-25816).

 * secrets/pki: Handle expiration of a cert not in storage as a
   success [GH-9880]
 * auth/kubernetes: Add an option to disable defaulting to the
   local CA cert and service account JWT when running in a Kubernetes
   pod [GH-97]
 * secrets/gcp: Add check for 403 during rollback to prevent repeated
   deletion calls [GH-97]
 * core: Disable usage metrics collection on performance standby
   nodes. [GH-9966]
 * credential/aws: Added X-Amz-Content-Sha256 as a default STS
   request header [GH-10009]

 * agent: Fix disable_fast_negotiation not being set on the auth
   method when configured by user. [GH-9892]
 * core (enterprise): Fix hang when cluster-wide plugin reload
   cleanup is slow on unseal
 * core (enterprise): Fix an error in cluster-wide plugin reload
   cleanup following such a reload
 * core: Fix crash when metrics collection encounters zero-length
   keys in KV store [GH-9811]
 * mfa (enterprise): Fix incorrect handling of PingID responses
   that could result in auth requests failing
 * replication (enterprise): Improve race condition when using a
   newly created token on a performance standby node
 * replication (enterprise): Only write failover cluster addresses
   if they've changed
 * ui: fix bug where dropdown for identity/entity management is not
   reflective of actual policy [GH-9958]

Revision 1.59 / (download) - annotate - [select for diffs], Fri Nov 13 19:26:21 2020 UTC (7 months, 1 week ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q4-base, pkgsrc-2020Q4
Changes since 1.58: +2 -2 lines
Diff to previous 1.58 (colored)

Revbump all Go packages after go115 update

Revision 1.58 / (download) - annotate - [select for diffs], Sun Nov 8 21:59:32 2020 UTC (7 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.57: +2 -2 lines
Diff to previous 1.57 (colored)

Revbump all Go packages after Go 1.15 update.

Revision 1.57 / (download) - annotate - [select for diffs], Thu Oct 15 13:08:29 2020 UTC (8 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.56: +2 -1 lines
Diff to previous 1.56 (colored)

Revbump all Go packages after go115 update.

Revision 1.56 / (download) - annotate - [select for diffs], Thu Sep 10 22:10:59 2020 UTC (9 months, 1 week ago) by he
Branch: MAIN
CVS Tags: pkgsrc-2020Q3-base, pkgsrc-2020Q3
Changes since 1.55: +2 -3 lines
Diff to previous 1.55 (colored)

Upgrade vault to version 1.5.3:

Pkgsrc changes:
 * Added a patch to cope with fromStatT on NetBSD
 * Added a patch to cope with docker client default settings (build
   also on NetBSD)

Upstream changes:

1.5.3 (August 27th, 2020)

All security content from 1.5.2, 1.5.1, 1.4.5, 1.4.4, 1.3.9, 1.3.8,
1.2.6, and 1.2.5 has been made fully open source, and the git tags for
1.5.3, 1.4.6, 1.3.10, and 1.2.7 will build correctly for open source

 * auth/aws: Made header handling for IAM authentication more robust
 * secrets/ssh: Fixed a bug with role option for SSH signing algorithm
   to allow more than RSA signing

## 1.5.1

* pki: The tidy operation will now remove revoked certificates if the
  parameter `tidy_revoked_certs` is set to `true`. This will result in
  certificate entries being immediately removed, as opposed to
  awaiting until its NotAfter time. Note that this only affects
  certificates that have been already
  revoked. [[GH-9609](]

* auth/jwt: Add support for fetching groups and user information from
  G Suite during
  authentication. [[GH-9574](]
* secrets/openldap: Add "ad" schema that allows the engine to
  correctly rotate AD
  passwords. [[GH-9740](]
* ui: Wrap TTL option on transit engine export action is updated to a
  new component.

* secrets/gcp: Ensure that the IAM policy version is appropriately set
  after a roleset's bindings have
  changed. [[GH-9603](]
* replication (enterprise): Fix status API output incorrectly stating
  replication is in `idle` state.
* core: Fix panic when printing over-long info fields at startup

## 1.5.0
### July 21st, 2020

* storage/raft: The storage configuration now accepts a new
  `max_entry_size` config that will limit the total size in bytes of
  any entry committed via raft. It defaults to `"1048576"`
  (1MiB). [[GH-9027](]
* token: Token creation with custom token ID via `id` will no longer
  allow periods (`.`) as part of the input string.
  The final generated token value may contain periods, such as the
  `s.` prefix for service token
  indication. [[GH-8646](]
* token: Token renewals will now return token policies within the
  `token_policies` , identity policies within `identity_policies`, and
  the full policy set within
  `policies`. [[GH-8535](]
* cubbyhole: Reject reads and writes to an empty ("")
  path. [[GH-8971](]
* core: Remove the addition of newlines to parsed configuration when
  using integer/boolean values
* audit: Token TTL and issue time are now provided in the auth portion
  of audit logs. [[GH-9091](]

* audit: Replication status requests are no longer
  audited. [[GH-8877](]
* audit: Added mount_type field to requests and
  responses. [[GH-9167](]
* auth/aws: Add support for Web Identity credentials
* auth/jwt: Support users that are members of more than 200 groups on Azure
* auth/kubernetes: Allow disabling `iss` validation
* core: Add the Go version used to build a Vault binary to the server message
  output. [[GH-9078](]
* core: Added Password Policies for user-configurable password generation
* core: New telemetry metrics covering token counts, token creation, KV
  secret counts, lease
  creation. [[GH-9239](]
* cli: Support reading TLS parameters from file for the `vault operator raft
  join` command. [[GH-9060](]
* plugin: Add SDK method, `Sys.ReloadPlugin`, and CLI command, `vault plugin
  reload`, for reloading
  plugins. [[GH-8777](]
* plugin (enterprise): Add a scope field to plugin reload, which when global,
  reloads the plugin anywhere in a
  cluster. [[GH-9347](]
* sdk/framework: Support accepting TypeFloat parameters over the API
* secrets/aws: Add iam_groups parameter to role create/update
* secrets/database: Add static role rotation for MongoDB Atlas database
* secrets/database: Add static role rotation for MSSQL database plugin
* secrets/database: Allow InfluxDB to use insecure TLS without cert bundle
* secrets/gcp: Support BigQuery dataset ACLs in absence of IAM endpoints
* secrets/pki: Allow 3072-bit RSA keys
* secrets/ssh: Add a CA-mode role option to specify signing algorithm
* secrets/transit: Transit requests that make use of keys now include a new
  field  `key_version` in their responses
* secrets/transit: Improving transit batch encrypt and decrypt latencies
* sentinel: Add a sentinel config section, and "additional_enabled_modules",
  a list of Sentinel modules that may be imported in addition to the
* ui: Update TTL picker styling on SSH secret engine
* ui: Only render the JWT input field of the Vault login form on mounts
  configured for JWT auth
* cli: Add a new subcommand, `vault monitor`, for tailing server logs in the
  console. [[GH-8477](]
* ui: Add replication dashboards.  Improve replication management
  workflows. [[GH-8705]](

* agent: Restart template server when it shuts down
* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI)
  auth method could not authenticate when the plugin backend was mounted at a
  non-default path.
* core: Extend replicated cubbyhole fix in 1.4.0 to cover case where a
  performance primary is also a DR primary
* secrets/aws: Fix issue where performance standbys weren't able to generate
  STS credentials after an IAM access key rotation in AWS and root IAM
  credential update in Vault
* secrets/database: Fix issue where rotating root database credentials while
  Vault's storage backend is unavailable causes Vault to lose access to the
  database [[GH-8782](]
* secrets/database: Fix issue that prevents performance standbys from
  connecting to databases after a root credential rotation
* secrets/gcp: Fix issue were updates were not being applied to the
  `token_scopes` of a roleset.
* secrets/kv: Return the value of delete_version_after when reading
  kv/config, even if it is set to the default.
* ui: Add Toggle component into core addon so it is available in KMIP and
  other Ember Engines.
* ui: Disallow max versions value of large than 9999999999999999 on kv2
  secrets engine. [[GH-9242](]

## 1.4.3 (TBD)

* auth/aws: Add support for Web Identity credentials
* core: Add the Go version used to build a Vault binary to the server message
  output. [[GH-9078](]
* secrets/database: Add static role rotation for MongoDB Atlas database
  plugin [[GH-9311](]
* ui: Link to the Vault Changelog in the UI footer

* auth/oci: Fix issue where users of the Oracle Cloud Infrastructure (OCI)
  auth method could not authenticate when the plugin backend was mounted at a
  non-default path. [[GH-9278](]
* replication: The issue causing cubbyholes in namespaces on performance
  secondaries to not work, which was fixed in 1.4.0, was still an issue when
  the primary was both a performance primary and DR primary.
* secrets/aws: Fix issue where performance standbys weren't able to generate
  STS credentials after an IAM access key rotation in AWS and root IAM
  credential update in Vault
* secrets/database: Fix issue that prevents performance standbys from
  connecting to databases after a root credential rotation
* secrets/gcp: Fix issue were updates were not being applied to the
  `token_scopes` of a roleset.

## 1.4.2 (May 21st, 2020)

* core: Proxy environment variables are now redacted before being logged, in
  case the URLs include a username:password. This vulnerability,
  CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4.0 and 1.4.1,
  as well as older versions of Vault
* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being
  used instead of the configured backend TTLs for dynamic service
  accounts. This vulnerability is CVE-2020-12757.

* storage/raft: The storage stanza now accepts `leader_ca_cert_file`,
  `leader_client_cert_file`, and  `leader_client_key_file` parameters to read
  and parse TLS certificate information from paths on disk.
  Existing non-path based parameters will continue to work, but their values
  will need to be provided as a single-line string with newlines delimited by
  `\n`.  [[GH-8894](]
* storage/raft: The `vault status` CLI command and the `sys/leader` API now
  contain the committed and applied raft indexes.

* auth/aws: Fix token renewal issues caused by the metadata changes in 1.4.1
* auth/ldap: Fix 1.4.0 regression that could result in auth failures when
  LDAP auth config includes upndomain.
* secrets/ad: Forward rotation requests from standbys to active clusters
* secrets/database: Prevent generation of usernames that are not allowed by
  the MongoDB Atlas API
* secrets/database: Return an error if a manual rotation of static account
  credentials fails [[GH-9035](]
* secrets/openldap: Forward all rotation requests from standbys to active
  clusters [[GH-9028](]
* secrets/transform (enterprise): Fix panic that could occur when accessing
  cached template entries, such as a requests that accessed templates
  directly or indirectly from a performance standby node.
* serviceregistration: Fix a regression for Consul service registration that
  ignored using the listener address as the redirect address unless api_addr
  was provided. It now properly uses the same redirect address as the one
  used by Vault's Core object.
* storage/raft: Advertise the configured cluster address to the rest of the
  nodes in the raft cluster. This fixes an issue where a node advertising is not using a unique hostname.
* storage/raft: Fix panic when multiple nodes attempt to join the cluster at
  once. [[GH-9008](]
* sys: The path provided in `sys/internal/ui/mounts/:path` is now
  namespace-aware. This fixes an issue with `vault kv` subcommands that had
  namespaces provided in the path returning permission denied all the time.
* ui: Fix snowman that appears when namespaces have more than one period

## 1.4.1 (April 30th, 2020)

* auth/aws: The default set of metadata fields added in 1.4.1 has been
  changed to `account_id` and `auth_type`
* storage/raft: Disallow `ha_storage` to be specified if `raft` is set as the
  `storage` type. [[GH-8707](]

* auth/aws: The set of metadata stored during login is now configurable
* auth/aws: Improve region selection to avoid errors seen if the account
  hasn't enabled some newer AWS regions
* auth/azure: Enable login from Azure VMs with user-assigned identities
* auth/gcp: The set of metadata stored during login is now configurable
* auth/gcp: The type of alias name used during login is now configurable
* auth/ldap: Improve error messages during LDAP operation failures
* identity: Add a batch delete API for identity entities
* identity: Improve performance of logins when no group updates are needed
* metrics: Add `vault.identity.num_entities` metric
* secrets/kv: Allow `delete-version-after` to be reset to 0 via the CLI
* secrets/rabbitmq: Improve error handling and reporting
* ui: Provide One Time Password during Operation Token generation process

* auth/okta: Fix MFA regression (introduced in
  [GH-8143]( from 1.4.0
* auth/userpass: Fix upgrade value for `token_bound_cidrs` being ignored due
  to incorrect key provided
* config/seal: Fix segfault when seal block is removed
* core: Fix an issue where users attempting to build Vault could receive Go
  module checksum errors
* core: Fix blocked requests if a SIGHUP is issued during a long-running
  request has the state lock held.
  Also fixes deadlock that can happen if `vault debug` with the config target
  is ran during this time.
* core: Always rewrite the .vault-token file as part of a `vault login` to
  ensure permissions and ownership are set correctly
* database/mongodb: Fix context deadline error that may result due to retry
  attempts on failed commands
* http: Fix superflous call messages from the http package on logs caused by
  missing returns after `respondError` calls
* namespace (enterprise): Fix namespace listing to return `key_info` when a
  scoping namespace is also provided.
* seal/gcpkms: Fix panic that could occur if all seal parameters were
  provided via environment variables
* storage/raft: Fix memory allocation and incorrect metadata tracking issues
  with snapshots [[GH-8793](]
* storage/raft: Fix panic that could occur if `disable_clustering` was set to
  true on Raft storage cluster
* storage/raft: Handle errors returned from the API during snapshot
  operations [[GH-8861](]
* sys/wrapping: Allow unwrapping of wrapping tokens which contain nil data

## 1.4.0 (April 7th, 2020)

* cli: The raft configuration command has been renamed to list-peers to avoid

* **Kerberos Authentication**: Vault now supports Kerberos authentication
  using a SPNEGO token.
   Login can be performed using the Vault CLI, API, or agent.
* **Kubernetes Service Discovery**: A new Kubernetes service discovery
  feature where, if configured, Vault will tag Vault pods with their current
  health status. For more, see
* **MongoDB Atlas Secrets**: Vault can now generate dynamic credentials for
  both MongoDB Atlas databases as well as the [Atlas programmatic
* **OpenLDAP Secrets Engine**: We now support password management of existing
  OpenLDAP user entries. For more, see [#8360]
* **Redshift Database Secrets Engine**: The database secrets engine now
  supports static and dynamic secrets for the Amazon Web Services (AWS)
  Redshift service.
* **Service Registration Config**: A newly introduced `service_registration`
  configuration stanza, that allows for service registration to be configured
  separately from the storage backend. For more, see [#7887]
* **Transform Secrets Engine (Enterprise)**: A new secrets engine that
  handles secure data transformation and tokenization against provided input
* **Integrated Storage**: Promoted out of beta and into general availability
  for both open-source and enterprise workloads.

* agent: add option to force the use of the auth-auth token, and ignore the
  Vault token in the request
* api: Restore and fix DNS SRV Lookup
* audit: HMAC http_raw_body in audit log; this ensures that large
  authenticated Prometheus metrics responses get replaced with short HMAC
  values [[GH-8130](]
* audit: Generate-root, generate-recovery-token, and
  generate-dr-operation-token requests and responses are now
  audited. [[GH-8301](]
* auth/aws: Reduce the number of simultaneous STS client credentials needed
* auth/azure: subscription ID, resource group, vm and vmss names are now
  stored in alias metadata
* auth/jwt: Additional OIDC callback parameters available for CLI logins
  [[GH-80]( &
* auth/jwt: Bound claims may be optionally configured using globs
* auth/jwt: Timeout during OIDC CLI login if process doesn't complete within
  2 minutes
* auth/jwt: Add support for the `form_post` response mode
* auth/jwt: add optional client_nonce to authorization flow
* auth/okta: Upgrade okta sdk lib, which should improve handling of groups
* aws: Add support for v2 of the instance metadata service (see [issue
  7924]( for all linked PRs)
* core: Separate out service discovery interface from storage interface to allow
  new types of service discovery not coupled to storage
* core: Add support for telemetry option `metrics_prefix`
* core: Entropy Augmentation can now be used with AWS KMS and Vault Transit
* core: Allow tls_min_version to be set to TLS 1.3
* cli: Incorrect TLS configuration will now correctly fail
* identity: Allow specifying a custom `client_id` for identity tokens
* metrics/prometheus: improve performance with high volume of metrics updates
* replication (enterprise): Fix race condition causing clusters with high
  throughput writes to sometimes fail to enter streaming-wal mode
* replication (enterprise): Secondary clusters can now perform an extra gRPC
  call to all nodes in a primary
  cluster in an attempt to resolve the active node's address
* replication (enterprise): The replication status API now outputs
  `last_performance_wal`, `last_dr_wal`, and `connection_state` values
* replication (enterprise): DR secondary clusters can now be recovered by the
  `replication/dr/secondary/recover` API
* replication (enterprise): We now allow for an alternate means to create a
  Disaster Recovery token, by using a batch token that is created with an ACL
  that allows for access to one or more of the DR endpoints.
* secrets/database/mongodb: Switched internal MongoDB driver to mongo-driver
* secrets/database/mongodb: Add support for x509 client authorization to
  MongoDB [[GH-8329](]
* secrets/database/oracle: Add support for static credential rotation
* secrets/consul: Add support to specify TLS options per Consul backend
* secrets/gcp: Allow specifying the TTL for a service key
* secrets/gcp: Add support for rotating root keys
* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests
* secrets/nomad: Add support to specify TLS options per Nomad backend
* secrets/ssh: Allowed users can now be templated with identity information
* secrets/transit: Adding RSA3072 key support
* storage/consul: Vault returns now a more descriptive error message when
  only a client cert or a client key has been provided
* storage/raft: Nodes in the raft cluster can all be given possible leader
  addresses for them to continuously try and join one of them, thus
  automating the process of join to a greater extent
* storage/raft: Fix a potential deadlock that could occur on leadership
  transition [[GH-8547](]
* storage/raft: Refresh TLS keyring on snapshot restore
* storage/etcd: Bumped etcd client API SDK
  [[GH-7931]( &
  [GH-4961]( &
  [GH-4349]( &
* ui: Make Transit Key actions more prominent
* ui: Add Core Usage Metrics
* ui: Add refresh Namespace list on the Namespace dropdown, and redesign of
  Namespace dropdown menu
* ui: Update transit actions to codeblocks & automatically encode plaintext
  unless indicated [[GH-8462](]
* ui: Display the results of transit key actions in a modal window
* ui: Transit key version styling updates & ability to copy key from dropdown

* agent: Fix issue where TLS options are ignored for agent template feature
* auth/jwt: Use lower case role names for `default_role` to match the `role`
  case convention
* auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to
  lookup the group membership of the given user
* cli: Support autocompletion for nested mounts
* cli: Fix CLI namespace autocompletion
* identity: Fix incorrect caching of identity token JWKS responses
* metrics/stackdriver: Fix issue that prevents the stackdriver metrics
  library to create unnecessary stackdriver descriptors
* replication: Fix issue causing cubbyholes in namespaces on performance
  secondaries to not work.
* replication (enterprise): Unmounting a dynamic secrets backend could
  sometimes lead to replication errors.  Change the order of operations to
  prevent that.
* seal (enterprise): Fix seal migration when transactional seal wrap backend
  is in use.
* secrets/database/influxdb: Fix potential panic if connection to the
  InfluxDB database cannot be established
* secrets/database/mysql: Ensures default static credential rotation
  statements are used
* secrets/database/mysql: Fix inconsistent query parameter names: {{name}} or
  {{username}} for different queries. Now it allows for either for backwards
  compatibility [[GH-8240](]
* secrets/database/postgres: Fix inconsistent query parameter names: {{name}}
  or {{username}} for different queries. Now it allows for either for
  backwards compatibility
* secrets/pki: Support FQDNs in DNS Name
* storage/raft: Allow seal migration to be performed on Vault clusters using
  raft storage [[GH-8103](]
* telemetry: Prometheus requests on standby nodes will now return an error
  instead of forwarding the request to the active node
* ui: Fix broken popup menu on the transit secrets list page
* ui: Update headless Chrome flag to fix `yarn run test:oss`
* ui: Update CLI to accept empty strings as param value to reset
  previously-set values
* ui: Fix bug where error states don't clear when moving between action tabs
  on Transit [[GH-8354](]

## 1.3.6 (May 21st, 2020)

* core: proxy environment variables are now redacted before being logged, in
  case the URLs include a username:password. This vulnerability,
  CVE-2020-13223, is fixed in 1.3.6 and 1.4.2, but affects 1.4 and 1.4.1, as
  well as older versions of Vault

* auth/aws: Fix token renewal issues caused by the metadata changes in 1.3.5
* replication: Fix mount filter bug that allowed replication filters to hide
  local mounts on a performance secondary

## 1.3.5 (April 28th, 2020)

* auth/aws: The default set of metadata fields added in 1.3.2 has been
  changed to `account_id` and `auth_type`

* auth/aws: The set of metadata stored during login is now configurable

## 1.3.4 (March 19th, 2020)

* A vulnerability was identified in Vault and Vault Enterprise such that,
  under certain circumstances,  an Entity's Group membership may
  inadvertently include Groups the Entity no longer has permissions to. This
  vulnerability, CVE-2020-10660, affects Vault and Vault Enterprise versions
  0.9.0 and newer, and is fixed in 1.3.4.
* A vulnerability was identified in Vault Enterprise such that, under certain
  circumstances, existing nested-path policies may give access to Namespaces
  created after-the-fact. This vulnerability, CVE-2020-10661, affects Vault
  Enterprise versions 0.11 and newer, and is fixed in 1.3.4.

## 1.3.3 (March 5th, 2020)

* approle: Fix excessive locking during tidy, which could potentially block
  new approle logins for long enough to cause an outage
* cli: Fix issue where Raft snapshots from standby nodes created an empty
  backup file [[GH-8097](]
* identity: Fix incorrect caching of identity token JWKS responses
* kmip: role read now returns tls_client_ttl
* kmip: fix panic when templateattr not provided in rekey request
* secrets/database/influxdb: Fix potential panic if connection to the
  InfluxDB database cannot be established
* storage/mysql: Fix potential crash when using MySQL as coordination for
  high availability [[GH-8300](]
* storage/raft: Fix potential crash when using Raft as coordination for high
  availability [[GH-8356](]
* ui: Fix missing License menu item
* ui: Fix bug where default auth method on login is defaulted to auth method
  that is listing-visibility=unauth instead of "other"
* ui: Fix bug where KMIP details were not shown in the UI Wizard
* ui: Show Error messages on Auth Configuration page when you hit permission
  errors [[GH-8500](]
* ui: Remove duplicate form inputs for the GitHub config
* ui: Correct HMAC capitalization
* ui: Fix danger message in DR
* ui: Fix certificate field for LDAP config

## 1.3.2 (January 22nd, 2020)

 * When deleting a namespace on Vault Enterprise, in certain circumstances,
   the deletion process will fail to revoke dynamic secrets for a mount in
   that namespace. This will leave any dynamic secrets in remote systems
   alive and will fail to clean them up. This vulnerability, CVE-2020-7220,
   affects Vault Enterprise 0.11.0 and newer.

 * auth/aws: Add aws metadata to identity alias
 * auth/kubernetes: Allow both names and namespaces to be set to "*"

* auth/azure: Fix Azure compute client to use correct base URL
* auth/ldap: Fix renewal of tokens without configured policies that are
  generated by an LDAP login
* auth/okta: Fix renewal of tokens without configured policies that are
  generated by an Okta login
* core: Fix seal migration error when attempting to migrate from auto unseal
  to shamir [[GH-8172](]
* core: Fix seal migration config issue when migrating from auto unseal to
  auto unseal [[GH-8172](]
* plugin: Fix issue where a plugin unwrap request potentially used an expired
  token [[GH-8058](]
* replication: Fix issue where a forwarded request from a performance/standby
  node could run into a timeout
* secrets/database: Fix issue where a manual static role rotation could
  potentially panic [[GH-8098](]
* secrets/database: Fix issue where a manual root credential rotation request
  is not forwarded to the primary node
* secrets/database: Fix issue where a manual static role rotation request is
  not forwarded to the primary node
* secrets/database/mysql: Fix issue where special characters for a MySQL
  password were encoded
* ui: Fix deleting namespaces
* ui: Fix Error handler on kv-secret edit and kv-secret view pages
* ui: Fix OIDC callback to check storage
* ui: Change `.box-radio` height to min-height to prevent overflow issues

## 1.3.1 (December 18th, 2019)

* agent: Add ability to set `exit-after-auth` via the CLI
* auth/ldap: Add a `request_timeout` configuration option to prevent
  connection requests from hanging
* auth/kubernetes: Add audience to tokenreview API request for Kube
  deployments where issuer is not Kube.
* secrets/ad: Add a `request_timeout` configuration option to prevent
  connection requests from hanging
* storage/postgresql: Add support for setting `connection_url` from
  enviornment variable `VAULT_PG_CONNECTION_URL`
* telemetry: Add `enable_hostname_label` option to telemetry stanza
* telemetry: Add accept header check for prometheus mime type

* agent: Fix issue where Agent exits before all templates are rendered when
  using and `exit_after_auth`
* auth/aws: Fixes region-related issues when using a custom `sts_endpoint` by
  adding a `sts_region` parameter
* auth/token: Fix panic when getting batch tokens on a performance standby
  from a role that does not exist
* core: Improve warning message for lease TTLs
* identity: Fix identity token panic during invalidation
* plugin: Fix a panic that could occur if a mount/auth entry was unable to
  mount the plugin backend and a request that required the system view to be
  retrieved was made
* replication: Add `generate-public-key` endpoint to list of allowed
  endpoints for existing DR secondaries
* secrets/gcp: Fix panic if bindings aren't provided in roleset
* secrets/pki: Prevent generating certificate on performance standby when
* secrets/transit: Prevent restoring keys to new names that are sub paths
* storage/s3: Fix a bug in configurable S3 paths that was preventing use of
  S3 as a source during `operator migrate` operations
* ui: Ensure secrets with a period in their key can be viewed and copied
* ui: Fix status menu after demotion
* ui: Fix select dropdowns in Safari when running Mojave

## 1.3 (November 14th, 2019)

 * Secondary cluster activation: There has been a change to the way that
   activating performance and DR secondary clusters works when using public
   keys for encryption of the parameters rather than a wrapping token. This
   flow was experimental and never documented. It is now officially supported
   and documented but is not backwards compatible with older Vault releases.
 * Cluster cipher suites: On its cluster port, Vault will no longer advertise
   the full TLS 1.2 cipher suite list by default. Although this port is only
   used for Vault-to-Vault communication and would always pick a strong
   cipher, it could cause false flags on port scanners and other security
   utilities that assumed insecure ciphers were being used. The previous
   behavior can be achieved by setting the value of the (undocumented)
   `cluster_cipher_suites` config flag to `tls12`.
 * API/Agent Renewal behavior: The API now allows multiple options for how it
   deals with renewals. The legacy behavior in the Agent/API is for the renewer
   (now called the lifetime watcher) to exit on a renew error, leading to a
   reauthentication. The new default behavior is for the lifetime watcher to
   ignore 5XX errors and simply retry as scheduled, using the existing lease
   duration. It is also possible, within custom code, to disable renewals
   entirely, which allows the lifetime watcher to simply return when it
   believes it is time for your code to renew or reauthenticate.

 * **Vault Debug**: A new top-level subcommand, `debug`, is added that allows
   operators to retrieve debugging information related to a particular Vault
   node. Operators can use this simple workflow to capture triaging
   information, which can then be consumed programmatically or by support and
   engineering teams.  It has the abilitity to probe for config, host,
   metrics, pprof, server status, and replication status.
 * **Recovery Mode**: Vault server can be brought up in recovery mode to
   resolve outages caused due to data store being in bad state. This is a
   privileged mode that allows `sys/raw` API calls to perform surgical
   corrections to the data tore. Bad storage state can be caused by
   bugs. However, this is usually observed when known (and fixed) bugs are
   hit by older versions of Vault.
 * **Entropy Augmentation (Enterprise)**: Vault now supports sourcing entropy
   from external source for critical security parameters. Currently an HSM
   that supports PKCS#11 is the only supported source.
 * **Active Directory Secret Check-In/Check-Out**: In the Active Directory
   secrets engine, users or applications can check out a service account for
   use, and its password will be rotated when it's checked back in.
 * **Vault Agent Template**: Vault Agent now supports rendering templates
   containing Vault secrets to disk, similar to Consul Template
 * **Transit Key Type Support**: Signing and verification is now supported
   with the P-384 (secp384r1) and P-521 (secp521r1) ECDSA curves
   [[GH-7551](] and encryption
   and decryption is now supported via AES128-GCM96
 * **SSRF Protection for Vault Agent**: Vault Agent has a configuration
   option to require a specific header before allowing requests
 * **AWS Auth Method Root Rotation**: The credential used by the AWS auth
   method can now be rotated, to ensure that only Vault knows the credentials
   it is using [[GH-7131](]
 * **New UI Features**: The UI now supports managing users and groups for the
   Userpass, Cert, Okta, and Radius auth methods.
 * **Shamir with Stored Master Key**: The on disk format for Shamir seals has
   changed, allowing for a secondary cluster using Shamir downstream from a
   primary cluster using Auto
   Unseal. [[GH-7694](]
 * **Stackdriver Metrics Sink**: Vault can now send metrics to
   [Stackdriver]( See the
   documentation]( for
   details. [[GH-6957](]
 * **Filtered Paths Replication (Enterprise)**: Based on the predecessor
   Filtered Mount Replication, Filtered Paths Replication allows now
   filtering of namespaces in addition to mounts.
 * **Token Renewal via Accessor**: Tokens can now be renewed via the accessor
   value through the new `auth/token/renew-accessor` endpoint if the caller's
   token has permission to access that endpoint.
 * **Improved Integrated Storage (Beta)**: Improved raft write performance,
   added support for non-voter nodes, along with UI support for: using raft
   storage, joining a raft cluster, and downloading and restoring a

 * agent: Add ability to set the TLS SNI name used by Agent
 * agent & api: Change default renewer behavior to ignore 5XX errors
 * auth/jwt: The redirect callback host may now be specified for CLI logins
 * auth/jwt: Bound claims may now contain boolean values
 * auth/jwt: CLI logins can now open the browser when running in WSL
 * core: Exit ScanView if context has been cancelled
 * core: re-encrypt barrier and recovery keys if the unseal key is updated
 * core: Don't advertise the full set of TLS 1.2 cipher suites on the cluster
   port, even though only strong ciphers were used
 * core (enterprise): Add background seal re-wrap
 * core/metrics: Add config parameter to allow unauthenticated sys/metrics
   access. [[GH-7550](]
 * metrics: Upgrade DataDog library to improve performance
 * replication (enterprise): Write-Ahead-Log entries will not duplicate the
   data belonging to the encompassing physical entries of the transaction,
   thereby improving the performance and storage capacity.
 * replication (enterprise): Added more replication metrics
 * replication (enterprise): Reindex process now compares subpages for a more
   accurate indexing process.
 * replication (enterprise): Reindex API now accepts a new `skip_flush`
   parameter indicating all the changes should not be flushed while the tree
   is locked.
 * secrets/aws: The root config can now be read
 * secrets/database/cassandra: Add ability to skip verfication of connection
 * secrets/gcp: Fix panic during rollback if the roleset has been deleted
 * storage/azure: Add config parameter to Azure storage backend to allow
   specifying the ARM endpoint
 * storage/cassandra: Improve storage efficiency by eliminating unnecessary
   copies of value data
 * storage/raft: Improve raft write performance by utilizing FSM Batching
 * storage/raft: Add support for non-voter nodes
 * sys: Add a new `sys/host-info` endpoint for querying information about
   the host [[GH-7330](]
 * sys: Add a new set of endpoints under `sys/pprof/` that allows profiling
   information to be extracted
 * sys: Add endpoint that counts the total number of active identity entities
 * sys: `sys/seal-status` now has a `storage_type` field denoting what type
   of storage the cluster is configured to use
 * sys: Add a new `sys/internal/counters/tokens` endpoint, that counts the
   total number of active service token accessors in the shared token
 * sys/config: Add  a new endpoint under `sys/config/state/sanitized` that
   returns the configuration state of the server. It excludes config values
   from `storage`, `ha_storage`, and `seal` stanzas and some values
   from `telemetry` due to potential sensitive entries in those fields.
 * ui: when using raft storage, you can now join a raft cluster, download a
   snapshot, and restore a snapshot from the UI
 * ui: clarify when secret version is deleted in the secret version history
   dropdown [[GH-7714](]

 * agent: Fix a data race on the token value for inmemsink
 * api: Fix Go API using lease revocation via URL instead of body
 * api: Allow setting a function to control retry behavior
 * auth/gcp: Fix a bug where region information in instance groups names could
   cause an authorization attempt to fail
 * cli: Fix a bug where a token of an unknown format (e.g. in ~/.vault-token)
   could cause confusing error messages during `vault login`
 * cli: Fix a bug where the `namespace list` command with JSON formatting
   always returned an empty object
 * cli: Command timeouts are now always specified solely by the
   value. [[GH-7469](]
 * core: Don't allow registering a non-root zero TTL token lease. This is
   purely defense in depth as the lease would be revoked immediately anyways,
   but there's no real reason to allow registration.
 * identity (enterprise): Fixed identity case sensitive loading in secondary
   cluster [[GH-7327](]
 * identity: Ensure only replication primary stores the identity case
   sensitivity state
 * raft: Fixed VAULT_CLUSTER_ADDR env being ignored at startup
 * secrets/pki: Don't allow duplicate SAN names in issued certs
 * sys/health: Pay attention to the values provided for `standbyok` and
   `perfstandbyok` rather than simply using their presence as a key to flip on
   that behavior [[GH-7323](]
 * ui: using the `wrapped_token` query param will work with `redirect_to` and
   will automatically log in as intended
 * ui: fix an error when initializing from the UI using PGP keys
 * ui: show all active kv v2 secret versions even when `delete_version_after`
   is configured [[GH-7685](]
 * ui: Ensure that items in the top navigation link to pages that users have
   access to [[GH-7590](]

## 1.2.4 (November 7th, 2019)

 * In a non-root namespace, revocation of a token scoped to a non-root
   namespace did not trigger the expected revocation of dynamic secret leases
   associated with that token. As a result, dynamic secret leases in non-root
   namespaces may outlive the token that created them.  This vulnerability,
   CVE-2019-18616, affects Vault Enterprise 0.11.0 and newer.
 * Disaster Recovery secondary clusters did not delete already-replicated data
   after a mount filter has been created on an upstream Performance secondary
   cluster. As a result, encrypted secrets may remain replicated on a Disaster
   Recovery secondary cluster after application of a mount filter excluding
   those secrets from replication. This vulnerability, CVE-2019-18617, affects
   Vault Enterprise 0.8 and newer.
 * Update version of Go to 1.12.12 to fix Go bug which
   corresponds to CVE-2019-17596.

 * auth/aws: If a custom `sts_endpoint` is configured, Vault Agent and the
   CLI should provide the corresponding region via the `region` parameter
   (which already existed as a CLI parameter, and has now been added to
   Agent). The automatic region detection added to the CLI and Agent in 1.2
   has been removed.

  * cli: Ignore existing token during CLI login
  * core: Log proxy settings from environment on startup
  * core: Cache whether we've been initialized to reduce load on storage

 * agent: Fix handling of gzipped responses
 * cli: Fix panic when pgp keys list is empty
 * cli: Command timeouts are now always specified solely by the
   value. [[GH-7469](]
 * core: add hook for initializing seals for migration
 * core (enterprise): Migrating from one auto unseal method to another never
   worked on enterprise, now it does.
 * identity: Add required field `response_types_supported` to identity token
   `.well-known/openid-configuration` response
 * identity: Fixed nil pointer panic when merging entities
 * replication (Enterprise): Fix issue causing performance standbys nodes
   disconnecting when under high loads.
 * secrets/azure: Fix panic that could occur if client retries timeout
 * secrets/database: Fix bug in combined DB secrets engine that can result in
   writes to static-roles endpoints timing out
 * secrets/pki: Improve tidy to continue when value is nil
 * ui (Enterprise): Allow kv v2 secrets that are gated by Control Groups to
   be viewed in the UI

Revision 1.55 / (download) - annotate - [select for diffs], Thu Sep 3 07:29:35 2020 UTC (9 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.54: +2 -2 lines
Diff to previous 1.54 (colored)

Revbump all Go packages after default Go version was changed to 1.15.1

Revision 1.54 / (download) - annotate - [select for diffs], Fri Aug 14 20:01:22 2020 UTC (10 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.53: +2 -2 lines
Diff to previous 1.53 (colored)

Revbump all Go packages after go114 update

Revision 1.53 / (download) - annotate - [select for diffs], Fri Jul 17 18:04:28 2020 UTC (11 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.52: +2 -2 lines
Diff to previous 1.52 (colored)

Revbump all Go packages after go114 update.

Revision 1.52 / (download) - annotate - [select for diffs], Wed Jun 17 09:54:16 2020 UTC (12 months, 1 week ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q2-base, pkgsrc-2020Q2
Changes since 1.51: +2 -2 lines
Diff to previous 1.51 (colored)

Revbump Go packages after Go 1.14.4 update.

Revision 1.51 / (download) - annotate - [select for diffs], Wed May 27 19:37:42 2020 UTC (12 months, 4 weeks ago) by wiz
Branch: MAIN
Changes since 1.50: +2 -2 lines
Diff to previous 1.50 (colored)

*: reset MAINTAINER for fhajny on his request

Revision 1.50 / (download) - annotate - [select for diffs], Sun Apr 12 11:01:45 2020 UTC (14 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.49: +2 -2 lines
Diff to previous 1.49 (colored)

Revbump all Go packages after default version switch to 1.14.

Revision 1.49 / (download) - annotate - [select for diffs], Sat Mar 21 16:57:04 2020 UTC (15 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2020Q1-base, pkgsrc-2020Q1
Changes since 1.48: +2 -2 lines
Diff to previous 1.48 (colored)

Revbump all Go packages after go113 update.

Revision 1.48 / (download) - annotate - [select for diffs], Sun Feb 2 14:19:10 2020 UTC (16 months, 3 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.47: +2 -2 lines
Diff to previous 1.47 (colored)

Revbump all Go packages after go113 update.

Revision 1.47 / (download) - annotate - [select for diffs], Fri Jan 10 13:32:11 2020 UTC (17 months, 2 weeks ago) by bsiegert
Branch: MAIN
Changes since 1.46: +2 -2 lines
Diff to previous 1.46 (colored)

Revbump Go packages after Go default version bump.

Revision 1.46 / (download) - annotate - [select for diffs], Fri Dec 13 07:43:52 2019 UTC (18 months, 1 week ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q4-base, pkgsrc-2019Q4
Changes since 1.45: +2 -1 lines
Diff to previous 1.45 (colored)

Revbump all Go packages after Go 1.12.14 update.

Revision / (download) - annotate - [select for diffs], Sun Nov 17 08:30:17 2019 UTC (19 months, 1 week ago) by spz
Branch: pkgsrc-2019Q3
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored) next main 1.44 (colored)

Pullup ticket #6083 - requested by leot
lang/go112: security update
lang/go: update available version

Revisions pulled up:
- lang/go/                                            1.70
- lang/go112/PLIST                                              1.8
- lang/go112/distinfo                                           1.8

Revision bump for:
- archivers/go-xz/Makefile
- chat/coyim/Makefile
- chat/matterircd/Makefile
- databases/go-etcd/Makefile
- databases/go-ldap/Makefile
- databases/influxdb/Makefile
- databases/postgres_exporter/Makefile
- databases/prometheus/Makefile
- devel/git-lfs/Makefile
- devel/go-afero/Makefile
- devel/go-amber/Makefile
- devel/go-appengine/Makefile
- devel/go-assert/Makefile
- devel/go-blackfriday/Makefile
- devel/go-buffruneio/Makefile
- devel/go-cast/Makefile
- devel/go-check/Makefile
- devel/go-cli/Makefile
- devel/go-cobra/Makefile
- devel/go-colorable/Makefile
- devel/go-colortext/Makefile
- devel/go-colour/Makefile
- devel/go-consul-api/Makefile
- devel/go-debounce/Makefile
- devel/go-ed25519/Makefile
- devel/go-emoji/Makefile
- devel/go-errors/Makefile
- devel/go-flags-svent/Makefile
- devel/go-fnmatch/Makefile
- devel/go-fs/Makefile
- devel/go-fsnotify/Makefile
- devel/go-fsync/Makefile
- devel/go-gitmap/Makefile
- devel/go-glog/Makefile
- devel/go-gls/Makefile
- devel/go-gocode/Makefile
- devel/go-godef/Makefile
- devel/go-godirwalk/Makefile
- devel/go-godotenv/Makefile
- devel/go-golang-lru/Makefile
- devel/go-goorgeous/Makefile
- devel/go-gopkgs/Makefile
- devel/go-goptlib/Makefile
- devel/go-goreturns/Makefile
- devel/go-gox/Makefile
- devel/go-hashstructure/Makefile
- devel/go-homedir/Makefile
- devel/go-humanize/Makefile
- devel/go-i18n/Makefile
- devel/go-immutable-radix/Makefile
- devel/go-ini/Makefile
- devel/go-iochan/Makefile
- devel/go-isatty/Makefile
- devel/go-jwalterweatherman/Makefile
- devel/go-kingpin.v3-unstable/Makefile
- devel/go-locker/Makefile
- devel/go-logrus/Makefile
- devel/go-mapstructure/Makefile
- devel/go-mapstructure-bep/Makefile
- devel/go-mow-cli/Makefile
- devel/go-nbreader/Makefile
- devel/go-nitro/Makefile
- devel/go-osext/Makefile
- devel/go-pflag/Makefile
- devel/go-properties/Makefile
- devel/go-protobuf/Makefile
- devel/go-purell/Makefile
- devel/go-ratelimit/Makefile
- devel/go-repr/Makefile
- devel/go-review/Makefile
- devel/go-sanitized_anchor_name/Makefile
- devel/go-shellwords/Makefile
- devel/go-shuffle/Makefile
- devel/go-siphash/Makefile
- devel/go-sync/Makefile
- devel/go-sys/Makefile
- devel/go-termbox/Makefile
- devel/go-testify/Makefile
- devel/go-thrift/Makefile
- devel/go-tools/Makefile
- devel/go-try/Makefile
- devel/go-viper/Makefile
- devel/go-yaml/Makefile
- devel/golint/Makefile
- devel/google-api-go-client/Makefile
- graphics/go-image/Makefile
- graphics/go-imaging/Makefile
- graphics/go-resize/Makefile
- graphics/go-smartcrop/Makefile
- lang/go-hcl/Makefile
- mail/postforward/Makefile
- math/go-stats/Makefile
- math/go-units/Makefile
- misc/go-genproto/Makefile
- misc/go-genproto-googleapis-rpc/Makefile
- net/aws-sdk-go/Makefile
- net/dnscrypt-proxy2/Makefile
- net/gcloud-golang-metadata/Makefile
- net/go-dns/Makefile
- net/go-dnstap/Makefile
- net/go-framestream/Makefile
- net/go-grpc/Makefile
- net/go-net/Makefile
- net/go-ovh/Makefile
- net/go-websocket/Makefile
- net/hub/Makefile
- net/obfs4proxy/Makefile
- net/syncthing/Makefile
- pkgtools/pkglint/Makefile
- security/2fa/Makefile
- security/go-asn1-ber/Makefile
- security/go-crypt/Makefile
- security/go-crypto/Makefile
- security/go-mkcert/Makefile
- security/go-oauth2/Makefile
- security/go-sftp/Makefile
- security/vault/Makefile
- sysutils/beats/Makefile
- sysutils/consul/Makefile
- sysutils/fzf/Makefile
- sysutils/goreman/Makefile
- sysutils/lf/Makefile
- sysutils/node_exporter/Makefile
- sysutils/vultr/Makefile
- textproc/go-chroma/Makefile
- textproc/go-diff/Makefile
- textproc/go-glob/Makefile
- textproc/go-inflect/Makefile
- textproc/go-md2man/Makefile
- textproc/go-mmark/Makefile
- textproc/go-prose/Makefile
- textproc/go-regexp2/Makefile
- textproc/go-runewidth/Makefile
- textproc/go-sentences/Makefile
- textproc/go-tablewriter/Makefile
- textproc/go-text/Makefile
- textproc/sift/Makefile
- www/caddy/Makefile
- www/gitea/Makefile
- www/go-ace/Makefile
- www/go-cssmin/Makefile
- www/go-gogs-client/Makefile
- www/go-gohtml/Makefile
- www/go-libsass/Makefile
- www/go-minify/Makefile
- www/go-parse/Makefile
- www/go-spritewell/Makefile
- www/go-tocss/Makefile
- www/go-toml-burntsushi/Makefile
- www/go-toml-pelletier/Makefile
- www/go-urlesc/Makefile
- www/go-webhooks/Makefile
- www/grafana/Makefile
- www/hugo/Makefile
- www/pup/Makefile

   Module Name:    pkgsrc
   Committed By:   bsiegert
   Date:           Fri Oct 18 14:48:29 UTC 2019

   Modified Files:
           pkgsrc/lang/go112: PLIST distinfo

   Log Message:
   Update go112 to 1.12.12.

   qo1.12.11 (released 2019/10/17) includes security fixes to the crypto/dsa
   package. See the Go 1.12.11 milestone on our issue tracker for details.

   go1.12.12 (released 2019/10/17) includes fixes to the go command, runtime,
   syscall and net packages. See the Go 1.12.12 milestone on our issue tracker
   for details.

   To generate a diff of this commit:
   cvs rdiff -u -r1.69 -r1.70 pkgsrc/lang/go/
   cvs rdiff -u -r1.7 -r1.8 pkgsrc/lang/go112/PLIST pkgsrc/lang/go112/distinfo

Revision 1.45 / (download) - annotate - [select for diffs], Wed Oct 23 15:00:05 2019 UTC (20 months ago) by he
Branch: MAIN
Changes since 1.44: +2 -3 lines
Diff to previous 1.44 (colored)

Upgrade security/vault to version 1.2.3.

Pkgsrc changes:
 * Fix == in shell script test.
 * Add some patches to make this build on NetBSD.

Upstream changes:

## 1.2.3 (September 12, 2019)

 * Oracle Cloud (OCI) Integration: Vault now support using Oracle
   Cloud for storage, auto unseal, and authentication.

 * auth/jwt: Groups claim matching now treats a string response
   as a single element list [JWT-63]
 * auth/kubernetes: enable better support for projected tokens
   API by allowing user to specify issuer [GH-65]
 * auth/pcf: The PCF auth plugin was renamed to the CF auth plugin,
   maintaining full backwards compatibility [GH-7346]
 * replication: Premium packages now come with unlimited performance
   standby nodes

 * agent: Allow batch tokens and other non-renewable tokens to be
   used for agent operations [GH-7441]
 * auth/jwt: Fix an error where newer (v1.2) token_* configuration
   parameters were not being applied to tokens generated using
   the OIDC login flow [JWT-67]
 * seal/transit: Allow using Vault Agent for transit seal operations
 * storage/couchdb: Fix a file descriptor leak [GH-7345]
 * ui: Fix a bug where the status menu would disappear when trying
   to revoke a token [GH-7337]
 * ui: Fix a regression that prevented input of custom items in
   search-select [GH-7338]
 * ui: Fix an issue with the namespace picker being unable to
   render nested namespaces named with numbers and sorting of
   namespaces in the picker [GH-7333]

## 1.2.2 (August 15, 2019)

 * auth/pcf: The signature format has been updated to use the
   standard Base64 encoding instead of the URL-safe variant.
   Signatures created using the previous format will continue to
   be accepted [PCF-27]
 * core: The http response code returned when an identity token
   key is not found has been changed from 400 to 404

 * identity: Remove 512 entity limit for groups [GH-7317]

 * auth/approle: Fix an error where an empty token_type string
   was not being correctly handled as TokenTypeDefault [GH-7273]
 * auth/radius: Fix panic when logging in [GH-7286]
 * ui: the string-list widget will now honor multiline input [GH-7254]
 * ui: various visual bugs in the KV interface were addressed [GH-7307]
 * ui: fixed incorrect URL to access help in LDAP auth [GH-7299]

1.2.1 (August 6th, 2019)

 * agent: Fix a panic on creds pulling in some error conditions
   in aws and alicloud auth methods [GH-7238]
 * auth/approle: Fix error reading role-id on a role created
   pre-1.2 [GH-7231]
 * auth/token: Fix sudo check in non-root namespaces on create
 * core: Fix health checks with perfstandbyok=true returning the
   wrong status code [GH-7240]
 * ui: The web CLI will now parse input as a shell string, with
   special characters escaped [GH-7206]
 * ui: The UI will now redirect to a page after authentication
 * ui (Enterprise): The list of namespaces is now cleared when
   logging out [GH-7186]

## 1.2.0 (July 30th, 2019)

 * Token store roles use new, common token fields for the values
   that overlap with other auth backends. period, explicit_max_ttl,
   and bound_cidrs will continue to work, with priority being
   given to the token_ prefixed versions of those parameters. They
   will also be returned when doing a read on the role if they
   were used to provide values initially; however, in Vault 1.4
   if period or explicit_max_ttl is zero they will no longer be
   returned. (explicit_max_ttl was already not returned if empty.)
 * Due to underlying changes in Go version 1.12 and Go > 1.11.5,
   Vault is now stricter about what characters it will accept in
   path names. Whereas before it would filter out unprintable
   characters (and this could be turned off), control characters
   and other invalid characters are now rejected within Go's HTTP
   library before the request is passed to Vault, and this cannot
   be disabled. To continue using these (e.g. for already-written
   paths), they must be properly percent-encoded (e.g. \r becomes
   %0D, \x00 becomes %00, and so on).
 * The user-configured regions on the AWSKMS seal stanza will now
   be preferred over regions set in the enclosing environment.
   This is a breaking change.
 * All values in audit logs now are omitted if they are empty.
   This helps reduce the size of audit log entries by not reproducing
   keys in each entry that commonly don't contain any value, which
   can help in cases where audit log entries are above the maximum
   UDP packet size and others.
 * Both PeriodicFunc and WALRollback functions will be called if
   both are provided. Previously WALRollback would only be called
   if PeriodicFunc was not set. See GH-6717 for details.
 * Vault now uses Go's official dependency management system, Go
   Modules, to manage dependencies. As a result to both reduce
   transitive dependencies for API library users and plugin authors,
   and to work around various conflicts, we have moved various
   helpers around, mostly under an sdk/ submodule. A couple of
   functions have also moved from plugin helper code to the api/
   submodule. If you are a plugin author, take a look at some of
   our official plugins and the paths they are importing for
 * AppRole uses new, common token fields for values that overlap
   with other auth backends. period and policies will continue to
   work, with priority being given to the token_ prefixed versions
   of those parameters. They will also be returned when doing a
   read on the role if they were used to provide values initially.
 * In AppRole, "default" is no longer automatically added to the
   policies parameter. This was a no-op since it would always be
   added anyways by Vault's core; however, this can now be explicitly
   disabled with the new token_no_default_policy field.
 * In AppRole, bound_cidr_list is no longer returned when reading
   a role
 * rollback: Rollback will no longer display log messages when it
   runs; it will only display messages on error.
 * Database plugins will now default to 4 max_open_connections
   rather than 2.

 * Integrated Storage: Vault 1.2 includes a tech preview of a new
   way to manage storage directly within a Vault cluster. This
   new integrated storage solution is based on the Raft protocol
   which is also used to back HashiCorp Consul and HashiCorp Nomad.
 * Combined DB credential rotation: Alternative mode for the
   Combined DB Secret Engine to automatically rotate existing
   database account credentials and set Vault as the source of
   truth for credentials.
 * Identity Tokens: Vault's Identity system can now generate
   OIDC-compliant ID tokens. These customizable tokens allow
   encapsulating a signed, verifiable snapshot of identity
   information and metadata. They can be use by other applications-even
   those without Vault authorization-as a way of establishing
   identity based on a Vault entity.
 * Pivotal Cloud Foundry plugin: New auth method using Pivotal
   Cloud Foundry certificates for Vault authentication.
 * ElasticSearch database plugin: New ElasticSearch database plugin
   issues unique, short-lived ElasticSearch credentials.
 * New UI Features: An HTTP Request Volume Page and new UI for
   editing LDAP Users and Groups have been added.
 * HA support for Postgres: PostgreSQL versions >= 9.5 may now
   but used as and HA storage backend.
 * KMIP secrets engine (Enterprise): Allows Vault to operate as
   a KMIP Server, seamlessly brokering cryptographic operations
   for traditional infrastructure.
 * Common Token Fields: Auth methods now use common fields for
   controlling token behavior, making it easier to understand
   configuration across methods.
 * Vault API explorer: The Vault UI now includes an embedded API
   explorer where you can browse the endpoints avaliable to you
   and make requests. To try it out, open the Web CLI and type

 * agent: Allow EC2 nonce to be passed in [GH-6953]
 * agent: Add optional namespace parameter, which sets the default
   namespace for the auto-auth functionality [GH-6988]
 * agent: Add cert auto-auth method [GH-6652]
 * api: Add support for passing data to delete operations via
   DeleteWithData [GH-7139]
 * audit/file: Dramatically speed up file operations by changing
   locking/marshaling order [GH-7024]
 * auth/jwt: A JWKS endpoint may now be configured for signature
   verification [JWT-43]
 * auth/jwt: A new verbose_oidc_logging role parameter has been
   added to help troubleshoot OIDC configuration [JWT-57]
 * auth/jwt: bound_claims will now match received claims that are
   lists if any element of the list is one of the expected values
 * auth/jwt: Leeways for nbf and exp are now configurable, as is
   clock skew leeway [JWT-53]
 * auth/kubernetes: Allow service names/namespaces to be configured
   as globs [KUBEAUTH-58]
 * auth/token: Allow the support of the identity system for the
   token backend via token roles [GH-6267]
 * auth/token: Add a large set of token configuration options to
   token store roles [GH-6662]
 * cli: path-help now allows -format=json to be specified, which
   will output OpenAPI [GH-7006]
 * cli: Add support for passing parameters to vault delete operations
 * cli: Add a log-format CLI flag that can specify either "standard"
   or "json" for the log format for the vault servercommand.
 * cli: Add -dev-no-store-token to allow dev servers to not store
   the generated token at the tokenhelper location [GH-7104]
 * identity: Allow a group alias' canonical ID to be modified
 * namespaces: Namespaces can now be created and deleted from
   performance replication secondaries
 * plugins: Change the default for max_open_connections for DB
   plugins to 4 [GH-7093]
 * replication: Client TLS authentication is now supported when
   enabling or updating a replication secondary
 * secrets/database: Cassandra operations will now cancel on client
   timeout [GH-6954]
 * secrets/kv: Add optional delete_version_after parameter, which
   takes a duration and can be set on the mount and/or the metadata
   for a specific key [GH-7005]
 * storage/postgres: LIST now performs better on large datasets
 * storage/s3: A new path parameter allows selecting the path
   within a bucket for Vault data [GH-7157]
 * ui: KV v1 and v2 will now gracefully degrade allowing a write
   without read workflow in the UI [GH-6570]
 * ui: Many visual improvements with the addition of Toolbars
   [GH-6626], the restyling of the Confirm Action component
   [GH-6741], and using a new set of glyphs for our Icon component
 * ui: Lazy loading parts of the application so that the total
   initial payload is smaller [GH-6718]
 * ui: Tabbing to auto-complete in filters will first complete a
   common prefix if there is one [GH-6759]
 * ui: Removing jQuery from the application makes the initial JS
   payload smaller [GH-6768]

 * audit: Log requests and responses due to invalid wrapping token
   provided [GH-6541]
 * audit: Fix bug preventing request counter queries from working
   with auditing enabled [GH-6767
 * auth/aws: AWS Roles are now upgraded and saved to the latest
   version just after the AWS credential plugin is mounted.
 * auth/aws: Fix a case where a panic could stem from a malformed
   assumed-role ARN when parsing this value [GH-6917]
 * auth/aws: Fix an error complaining about a read-only view that
   could occur during updating of a role when on a performance
   replication secondary [GH-6926]
 * auth/jwt: Fix a regression introduced in 1.1.1 that disabled
   checking of client_id for OIDC logins [JWT-54]
 * auth/jwt: Fix a panic during OIDC CLI logins that could occur
   if the Vault server response is empty [JWT-55]
 * auth/jwt: Fix issue where OIDC logins might intermittently fail
   when using performance standbys [JWT-61]
 * identity: Fix a case where modifying aliases of an entity could
   end up moving the entity into the wrong namespace
 * namespaces: Fix a behavior (currently only known to be benign)
   where we wouldn't delete policies through the official functions
   before wiping the namespaces on deletion
 * secrets/database: Escape username/password before using in
   connection URL [GH-7089]
 * secrets/pki: Forward revocation requests to active node when
   on a performance standby [GH-7173]
 * ui: Fix timestamp on some transit keys [GH-6827]
 * ui: Show Entities and Groups in Side Navigation [GH-7138]
 * ui: Ensure dropdown updates selected item on HTTP Request
   Metrics page

## 1.1.4/1.1.5 (July 25th/30th, 2019)


Although 1.1.4 was tagged, we realized very soon after the tag was
publicly pushed that an intended fix was accidentally left out. As
a result, 1.1.4 was not officially announced and 1.1.5 should be
used as the release after 1.1.3.

 * identity: Allow a group alias' canonical ID to be modified
 * namespaces: Improve namespace deletion performance [GH-6939]
 * namespaces: Namespaces can now be created and deleted from
   performance replication secondaries

 * api: Add backwards compat support for API env vars [GH-7135]
 * auth/aws: Fix a case where a panic could stem from a malformed
   assumed-role ARN when parsing this value [GH-6917]
 * auth/ldap: Add use_pre111_group_cn_behavior flag to allow
   recovering from a regression caused by a bug fix starting in
   1.1.1 [GH-7208]
 * auth/aws: Use a role cache to avoid separate locking paths
 * core: Fix a deadlock if a panic happens during request handling
 * core: Fix an issue that may cause key upgrades to not be cleaned
   up properly [GH-6949]
 * core: Don't shutdown if key upgrades fail due to canceled
   context [GH-7070]
 * core: Fix panic caused by handling requests while vault is
 * identity: Fix reading entity and groups that have spaces in
   their names [GH-7055]
 * identity: Ensure entity alias operations properly verify
   namespace [GH-6886]
 * mfa: Fix a nil pointer panic that could occur if invalid Duo
   credentials were supplied
 * replication: Forward step-down on perf standbys to match HA
 * replication: Fix various read only storage errors on performance
 * replication: Stop forwarding before stopping replication to
   eliminate some possible bad states
 * secrets/database: Allow cassandra queries to be cancled [GH-6954]
 * storage/consul: Fix a regression causing vault to not connect
   to consul over unix sockets [GH-6859]
 * ui: Fix saving of TTL and string array fields generated by Open
   API [GH-7094]

## 1.1.3 (June 5th, 2019)

 * agent: Now supports proxying request query parameters [GH-6772]
 * core: Mount table output now includes a UUID indicating the
   storage path [GH-6633]
 * core: HTTP server timeout values are now configurable [GH-6666]
 * replication: Improve performance of the reindex operation on
   secondary clusters when mount filters are in use
 * replication: Replication status API now returns the state and
   progress of a reindex

 * api: Return the Entity ID in the secret output [GH-6819]
 * auth/jwt: Consider bound claims when considering if there is at least one
   bound constraint [JWT-49]
 * auth/okta: Fix handling of group names containing slashes [GH-6665]
 * cli: Add deprecated stored-shares flag back to the init command [GH-6677]
 * cli: Fix a panic when the KV command would return no data [GH-6675]
 * cli: Fix issue causing CLI list operations to not return proper format when
   there is an empty response [GH-6776]
 * core: Correctly honor non-HMAC request keys when auditing requests [GH-6653]
 * core: Fix the `x-vault-unauthenticated` value in OpenAPI for a number of
   endpoints [GH-6654]
 * core: Fix issue where some OpenAPI parameters were incorrectly listed as
   being sent as a header [GH-6679]
 * core: Fix issue that would allow duplicate mount names to be used [GH-6771]
 * namespaces: Fix behavior when using `root` instead of `root/` as the
   namespace header value
 * pki: fix a panic when a client submits a null value [GH-5679]
 * replication: Properly update mount entry cache on a secondary to apply all
   new values after a tune
 * replication: Properly close connection on bootstrap error
 * replication: Fix an issue causing startup problems if a namespace policy
   wasn't replicated properly
 * replication: Fix longer than necessary WAL replay during an initial reindex
 * replication: Fix error during mount filter invalidation on DR
   secondary clusters
 * secrets/ad: Make time buffer configurable [AD-35]
 * secrets/gcp: Check for nil config when getting credentials [SGCP-35]
 * secrets/gcp: Fix error checking in some cases where the returned value could
   be 403 instead of 404 [SGCP-37]
 * secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
 * storage/consul: recognize `https://` address even if schema not specified
 * storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
   could cause constant switching of the active node [GH-6637]
 * storage/dynamodb: Eliminate a high-CPU condition that could occur if an
   error was received from the DynamoDB API [GH-6640]
 * storage/gcs: Correctly use configured chunk size values [GH-6655]
 * storage/mssql: Use the correct database when pre-created schemas exist
 * ui: Fix issue with select arrows on drop down menus [GH-6627]
 * ui: Fix an issue where sensitive input values weren't being saved to the
   server [GH-6586]
 * ui: Fix web cli parsing when using quoted values [GH-6755]
 * ui: Fix a namespace workflow mapping identities from external namespaces by
   allowing arbitrary input in search-select component [GH-6728]
 * core: Fix issue that would allow duplicate mount names to be used [GH-6771]
 * namespaces: Fix behavior when using `root` instead of `root/` as the
   namespace header value
 * pki: fix a panic when a client submits a null value [GH-5679]
 * replication: Properly update mount entry cache on a secondary to apply all
   new values after a tune
 * replication: Properly close connection on bootstrap error
 * replication: Fix an issue causing startup problems if a namespace policy
   wasn't replicated properly
 * replication: Fix longer than necessary WAL replay during an initial reindex
 * replication: Fix error during mount filter invalidation on DR
   secondary clusters
 * secrets/ad: Make time buffer configurable [AD-35]
 * secrets/gcp: Check for nil config when getting credentials [SGCP-35]
 * secrets/gcp: Fix error checking in some cases where the returned value could
   be 403 instead of 404 [SGCP-37]
 * secrets/gcpkms: Disable key rotation when deleting a key [GCPKMS-10]
 * storage/consul: recognize `https://` address even if schema not specified
 * storage/dynamodb: Fix an issue where a deleted lock key in DynamoDB (HA)
   could cause constant switching of the active node [GH-6637]
 * storage/dynamodb: Eliminate a high-CPU condition that could occur if an
   error was received from the DynamoDB API [GH-6640]
 * storage/gcs: Correctly use configured chunk size values [GH-6655]
 * storage/mssql: Use the correct database when pre-created schemas exist
 * ui: Fix issue with select arrows on drop down menus [GH-6627]
 * ui: Fix an issue where sensitive input values weren't being saved to the
   server [GH-6586]
 * ui: Fix web cli parsing when using quoted values [GH-6755]
 * ui: Fix a namespace workflow mapping identities from external namespaces by
   allowing arbitrary input in search-select component [GH-6728]

## 1.1.2 (April 18th, 2019)

This is a bug fix release containing the two items below. It is otherwise
unchanged from 1.1.1.

 * auth/okta: Fix a potential dropped error [GH-6592]
 * secrets/kv: Fix a regression on upgrade where a KVv2 mount could fail to be
   mounted on unseal if it had previously been mounted but not written to

## 1.1.1 (April 11th, 2019)

 * Given: (a) performance replication is enabled; (b) performance standbys are
   in use on the performance replication secondary cluster; and (c) mount
   filters are in use, if a mount that was previously available to a secondary
   is updated to be filtered out, although the data would be removed from the
   secondary cluster, the in-memory cache of the data would not be purged on
   the performance standby nodes. As a result, the previously-available data
   could still be read from memory if it was ever read from disk, and if this
   included mount configuration data this could result in token or lease

 * agent: Allow auto-auth to be used with caching without having to define any
   sinks [GH-6468]
 * agent: Disallow some nonsensical config file combinations [GH-6471]
 * auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518]
 * auth/jwt: The CLI helper for OIDC logins will now open the
   browser to the correct URL when running on Windows [JWT-37]
 * auth/jwt: Fix OIDC login issue where configured TLS certs weren't
   being used [JWT-40]
 * auth/jwt: Fix an issue where the `oidc_scopes` parameter was
   not being included in the response to a role read request [JWT-35]
 * core: Fix seal migration case when migrating to Shamir and a seal block
   wasn't explicitly specified [GH-6455]
 * core: Fix unwrapping when using namespaced wrapping tokens [GH-6536]
 * core: Fix incorrect representation of required properties in OpenAPI output
 * core: Fix deadlock that could happen when using the UI [GH-6560]
 * identity: Fix updating groups removing existing members [GH-6527]
 * identity: Properly invalidate group alias in performance secondary [GH-6564]
 * identity: Use namespace context when loading entities and groups to ensure
   merging of duplicate entries works properly [GH-6563]
 * replication: Fix performance standby election failure [GH-6561]
 * replication: Fix mount filter invalidation on performance standby nodes
 * replication: Fix license reloading on performance standby nodes
 * replication: Fix handling of control groups on performance standby nodes
 * replication: Fix some forwarding scenarios with request bodies using
   performance standby nodes [GH-6538]
 * secret/gcp: Fix roleset binding when using JSON [GCP-27]
 * secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505]
 * storage/dynamodb: Fix a race condition possible in HA configurations
   that could leave the cluster without a leader [GH-6512]
 * ui: Fix an issue where in production builds OpenAPI model
   generation was failing, causing any form using it to render
   labels with missing fields [GH-6474]
 * ui: Fix issue nav-hiding when moving between namespaces [GH-6473]
 * ui: Secrets will always show in the nav regardless of access to
   cubbyhole [GH-6477]
 * ui: fix SSH OTP generation [GH-6540]
 * ui: add polyfill to load UI in IE11 [GH-6567]
 * ui: Fix issue where some elements would fail to work properly if using ACLs
   with segment-wildcard paths (`/+/` segments) [GH-6525]

## 1.1.0 (March 18th, 2019)

 * auth/jwt: The `groups_claim_delimiter_pattern` field has been removed. If the
   groups claim is not at the top level, it can now be specified as a
 * auth/jwt: Roles now have a "role type" parameter with a default type of
   "oidc". To configure new JWT roles, a role type of "jwt" must be explicitly
 * cli: CLI commands deprecated in 0.9.2 are now removed. Please see the CLI
   help/warning output in previous versions of Vault for updated commands.
 * core: Vault no longer automatically mounts a K/V backend at the "secret/"
   path when initializing Vault
 * core: Vault's cluster port will now be open at all times on HA standby nodes
 * plugins: Vault no longer supports running netRPC plugins. These were
   deprecated in favor of gRPC based plugins and any plugin built since 0.9.4
   defaults to gRPC. Older plugins may need to be recompiled against the latest
   Vault dependencies.

 * **Vault Agent Caching**: Vault Agent can now be configured to act as a
   caching proxy to Vault. Clients can send requests to Vault Agent and the
   request will be proxied to the Vault server and cached locally in Agent.
   Currently Agent will cache generated leases and tokens and keep them
   renewed. The proxy can also use the Auto Auth feature so clients do not need
   to authenticate to Vault, but rather can make requests to Agent and have
   Agent fully manage token lifecycle.
 * **OIDC Redirect Flow Support**: The JWT auth backend now supports OIDC
   roles. These allow authentication via an OIDC-compliant provider via the
   user's browser. The login may be initiated from the Vault UI or through
   the `vault login` command.
 * **ACL Path Wildcard**: ACL paths can now use the `+` character to enable
   wild card matching for a single directory in the path definition.
 * **Transit Auto Unseal**: Vault can now be configured to use the Transit
   Secret Engine in another Vault cluster as an auto unseal provider.

 * auth/jwt: A default role can be set. It will be used during
   JWT/OIDC logins if a role is not specified.
 * auth/jwt: Arbitrary claims data can now be copied into token &
   alias metadata.
 * auth/jwt: An arbitrary set of bound claims can now be configured for a role.
 * auth/jwt: The name "oidc" has been added as an alias for the
   jwt backend. Either name may be specified in the `auth enable` command.
 * command/server: A warning will be printed when 'tls_cipher_suites'
   includes a blacklisted cipher suite or all cipher suites are blacklisted
   by the HTTP/2 specification [GH-6300]
 * core/metrics: Prometheus pull support using a new sys/metrics
   endpoint. [GH-5308]
 * core: On non-windows platforms a SIGUSR2 will make the server log a dump of
   all running goroutines' stack traces for debugging purposes [GH-6240]
 * replication: The initial replication indexing process on newly
   initialized or upgraded clusters now runs asynchronously
 * sentinel: Add token namespace id and path, available in rules as and token.namespace.path
 * ui: The UI is now leveraging OpenAPI definitions to pull in
   fields for various forms.  This means, it will not be necessary to add
   fields on the go and JS sides in the future.  [GH-6209]

 * auth/jwt: Apply `bound_claims` validation across all login paths
 * auth/jwt: Update `bound_audiences` validation during non-OIDC
   logins to accept any matched audience, as documented and handled
   in OIDC logins [JWT-30]
 * auth/token: Fix issue where empty values for token role update call were
   ignored [GH-6314]
 * core: The `operator migrate` command will no longer hang on empty key names
 * identity: Fix a panic at login when external group has a nil alias [GH-6230]
 * namespaces: Clear out identity store items upon namespace deletion
 * replication/perfstandby: Fixed a bug causing performance standbys to wait
   longer than necessary after forwarding a write to the active node
 * replication/mountfilter: Fix a deadlock that could occur when mount filters
   were updated [GH-6426]
 * secret/kv: Fix issue where a v1уз2 upgrade could run on a performance
   standby when using a local mount
 * secret/ssh: Fix for a bug where attempting to delete the last ssh role
   in the zeroaddress configuration could fail [GH-6390]
 * secret/totp: Uppercase provided keys so they don't fail base32 validation
 * secret/transit: Multiple HMAC, Sign or Verify operations can now be
   performed with one API call using the new `batch_input` parameter [GH-5875]
 * sys: `sys/internal/ui/mounts` will no longer return secret or auth mounts
   that have been filtered. Similarly, `sys/internal/ui/mount/:path` will
   return a error response if a filtered mount path is requested. [GH-6412]
 * ui: Fix for a bug where you couldn't access the data tab after clicking on
   wrap details on the unwrap page [GH-6404]
 * ui: Fix an issue where the policies tab was erroneously hidden [GH-6301]
 * ui: Fix encoding issues with kv interfaces [GH-6294]

## (March 14th, 2019) (Enterprise Only)


 * A regression was fixed in replication mount filter code introduced in Vault
   1.0 that caused the underlying filtered data to be replicated to
   secondaries. This data was not accessible to users via Vault's API but via a
   combination of privileged configuration file changes/Vault commands it could
   be read.  Upgrading to this version or 1.1 will fix this issue and cause the
   replicated data to be deleted from filtered secondaries. More information
   was sent to customer contacts on file.

## 1.0.3 (February 12th, 2019)

 * New AWS authentication plugin mounts will default to using the generated
   role ID as the Identity alias name. This applies to both EC2 and IAM auth.
   Existing mounts that explicitly set this value will not be affected but
   mounts that specified no preference will switch over on upgrade.
 * The default policy now allows a token to look up its associated identity
   entity either by name or by id [GH-6105]
 * The Vault UI's navigation and onboarding wizard now only displays items that
   are permitted in a users' policy [GH-5980, GH-6094]
 * An issue was fixed that caused recovery keys to not work on
   secondary clusters when using a different unseal mechanism/key
   than the primary. This would be hit if the cluster was rekeyed
   or initialized after 1.0. We recommend rekeying the recovery
   keys on the primary cluster if you meet the above requirements.

 * **cURL Command Output**: CLI commands can now use the `-output-curl-string`
   flag to print out an equivalent cURL command.
 * **Response Headers From Plugins**: Plugins can now send back headers that
   will be included in the response to a client. The set of allowed headers can
   be managed by the operator.

 * auth/aws: AWS EC2 authentication can optionally create entity aliases by
   role ID [GH-6133]
 * auth/jwt: The supported set of signing algorithms is now configurable [JWT
   plugin GH-16]
 * core: When starting from an uninitialized state, HA nodes will now attempt
   to auto-unseal using a configured auto-unseal mechanism after the active
   node initializes Vault [GH-6039]
 * secret/database: Add socket keepalive option for Cassandra [GH-6201]
 * secret/ssh: Add signed key constraints, allowing enforcement of key types
   and minimum key sizes [GH-6030]
 * secret/transit: ECDSA signatures can now be marshaled in JWS-compatible
   fashion [GH-6077]
 * storage/etcd: Support SRV service names [GH-6087]
 * storage/aws: Support specifying a KMS key ID for server-side encryption

 * core: Fix a rare case where a standby whose connection is entirely torn down
   to the active node, then reconnects to the same active node, may not
   successfully resume operation [GH-6167]
 * cors: Don't duplicate headers when they're written [GH-6207]
 * identity: Persist merged entities only on the primary [GH-6075]
 * replication: Fix a potential race when a token is created and then used with
   a performance standby very quickly, before an associated entity has been
   replicated. If the entity is not found in this scenario, the request will
   forward to the active node.
 * replication: Fix issue where recovery keys would not work on secondary
   clusters if using a different unseal mechanism than the primary.
 * replication: Fix a "failed to register lease" error when using performance
 * storage/postgresql: The `Get` method will now return an Entry object with
   the `Key` member correctly populated with the full path that was requested
   instead of just the last path element [GH-6044]

## 1.0.2 (January 15th, 2019)

 * When creating a child token from a parent with `bound_cidrs`, the list of
   CIDRs would not be propagated to the child token, allowing the child token
   to be used from any address.

 * secret/aws: Role now returns `credential_type` instead of `credential_types`
   to match role input. If a legacy role that can supply more than one
   credential type, they will be concatenated with a `,`.
 * physical/dynamodb, autoseal/aws: Instead of Vault performing environment
   variable handling, and overriding static (config file) values if found, we
   use the default AWS SDK env handling behavior, which also looks for
   deprecated values. If you were previously providing both config values and
   environment values, please ensure the config values are unset if you want to
   use environment values.
 * Namespaces (Enterprise): Providing "root" as the header value for
   `X-Vault-Namespace` will perform the request on the root namespace. This is
   equivalent to providing an empty value. Creating a namespace called "root" in
   the root namespace is disallowed.

 * **InfluxDB Database Plugin**: Use Vault to dynamically create
   and manage InfluxDB users

 * auth/aws: AWS EC2 authentication can optionally create entity aliases by
   image ID [GH-5846]
 * autoseal/gcpckms: Reduce the required permissions for the GCPCKMS autounseal
 * physical/foundationdb: TLS support added. [GH-5800]

 * api: Fix a couple of places where we were using the `LIST` HTTP verb
   (necessary to get the right method into the wrapping lookup function) and
   not then modifying it to a `GET`; although this is officially the verb Vault
   uses for listing and it's fully legal to use custom verbs, since many WAFs
   and API gateways choke on anything outside of RFC-standardized verbs we fall
   back to `GET` [GH-6026]
 * autoseal/aws: Fix reading session tokens when AWS access key/secret key are
   also provided [GH-5965]
 * command/operator/rekey: Fix help output showing `-delete-backup` when it
   should show `-backup-delete` [GH-5981]
 * core: Fix bound_cidrs not being propagated to child tokens
 * replication: Correctly forward identity entity creation that originates from
   performance standby nodes (Enterprise)
 * secret/aws: Make input `credential_type` match the output type (string, not
   array) [GH-5972]
 * secret/cubbyhole: Properly cleanup cubbyhole after token revocation [GH-6006]
 * secret/pki: Fix reading certificates on windows with the file
   storage backend [GH-6013]
 * ui (enterprise): properly display perf-standby count on the
   license page [GH-5971]
 * ui: fix disappearing nested secrets and go to the nearest parent
   when deleting a secret - [GH-5976]
 * ui: fix error where deleting an item via the context menu would fail if the
   item name contained dots [GH-6018]
 * ui: allow saving of kv secret after an errored save attempt [GH-6022]
 * ui: fix display of kv-v1 secret containing a key named "keys" [GH-6023]

## 1.0.1 (December 14th, 2018)

 * Update version of Go to 1.11.3 to fix Go bug which corresponds to
 * Database user revocation: If a client has configured custom revocation
   statements for a role with a value of `""`, that statement would be executed
   verbatim, resulting in a lack of actual revocation but success for the
   operation. Vault will now strip empty statements from any provided; as a
   result if an empty statement is provided, it will behave as if no statement
   is provided, falling back to the default revocation statement.

 * secret/database: On role read, empty statements will be returned as empty
   slices instead of potentially being returned as JSON null values. This makes
   it more in line with other parts of Vault and makes it easier for statically
   typed languages to interpret the values.

 * cli: Strip iTerm extra characters from password manager input [GH-5837]
 * command/server: Setting default kv engine to v1 in -dev mode can now be
   specified via -dev-kv-v1 [GH-5919]
 * core: Add operationId field to OpenAPI output [GH-5876]
 * ui: Added ability to search for Group and Policy IDs when creating Groups
   and Entities instead of typing them in manually

 * auth/azure: Cache azure authorizer [15]
 * auth/gcp: Remove explicit project for service account in GCE authorizer [58]
 * cli: Show correct stored keys/threshold for autoseals [GH-5910]
 * cli: Fix backwards compatibility fallback when listing plugins [GH-5913]
 * core: Fix upgrades when the seal config had been created on early versions
   of vault [GH-5956]
 * namespaces: Correctly reload the proper mount when tuning or reloading the
   mount [GH-5937]
 * secret/azure: Cache azure authorizer [19]
 * secret/database: Strip empty statements on user input [GH-5955]
 * secret/gcpkms: Add path for retrieving the public key [5]
 * secret/pki: Fix panic that could occur during tidy operation when malformed
   data was found [GH-5931]
 * secret/pki: Strip empty line in ca_chain output [GH-5779]
 * ui: Fixed a bug where the web CLI was not usable via the `fullscreen`
   command - [GH-5909]
 * ui: Fix a bug where you couldn't write a jwt auth method config [GH-5936]

## 0.11.6 (December 14th, 2018)

This release contains the three security fixes from 1.0.0 and 1.0.1 and the
following bug fixes from 1.0.0/1.0.1:

 * namespaces: Correctly reload the proper mount when tuning or reloading the
   mount [GH-5937]
 * replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
 * replication/perfstandby: Fix redirect on approle update [GH-5820]
 * secrets/kv: Fix issue where storage version would get incorrectly downgraded

It is otherwise identical to 0.11.5.

## 1.0.0 (December 3rd, 2018)

 * When debugging a customer incident we discovered that in the case of
   malformed data from an autoseal mechanism, Vault's master key could be
   logged in Vault's server log. For this to happen, the data would need to be
   modified by the autoseal mechanism after being submitted to it by Vault but
   prior to encryption, or after decryption, prior to it being returned to
   Vault. To put it another way, it requires the data that Vault submits for
   encryption to not match the data returned after decryption. It is not
   sufficient for the autoseal mechanism to return an error, and it cannot be
   triggered by an outside attacker changing the on-disk ciphertext as all
   autoseal mechanisms use authenticated encryption. We do not believe that
   this is generally a cause for concern; since it involves the autoseal
   mechanism returning bad data to Vault but with no error, in a working Vault
   configuration this code path should never be hit, and if hitting this issue
   Vault will not be unsealing properly anyways so it will be obvious what is
   happening and an immediate rekey of the master key can be performed after
   service is restored. We have filed for a CVE (CVE-2018-19786) and a CVSS V3
   score of 5.2 has been assigned.

 * Tokens are now prefixed by a designation to indicate what type of token they
   are. Service tokens start with `s.` and batch tokens start with `b.`.
   Existing tokens will still work (they are all of service type and will be
   considered as such). Prefixing allows us to be more efficient when consuming
   a token, which keeps the critical path of requests faster.
 * Paths within `auth/token` that allow specifying a token or accessor in the
   URL have been removed. These have been deprecated since March 2016 and
   undocumented, but were retained for backwards compatibility. They shouldn't
   be used due to the possibility of those paths being logged, so at this point
   they are simply being removed.
 * Vault will no longer accept updates when the storage key has invalid UTF-8
   character encoding [GH-5819]
 * Mount/Auth tuning the `options` map on backends will now upsert any provided
   values, and keep any of the existing values in place if not provided. The
   options map itself cannot be unset once it's set, but the keypairs within the
   map can be unset if an empty value is provided, with the exception of the
   `version` keypair which is handled differently for KVv2 purposes.
 * Agent no longer automatically reauthenticates when new credentials are
   detected. It's not strictly necessary and in some cases was causing
   reauthentication much more often than intended.
 * HSM Regenerate Key Support Removed: Vault no longer supports destroying and
   regenerating encryption keys on an HSM; it only supports creating them.
   Although this has never been a source of a customer incident, it is simply a
   code path that is too trivial to activate, especially by mistyping
   `regenerate_key` instead of `generate_key`.
 * Barrier Config Upgrade (Enterprise): When upgrading from Vault 0.8.x, the
   seal type in the barrier config storage entry will be upgraded from
   "hsm-auto" to "awskms" or "pkcs11" upon unseal if using AWSKMS or HSM seals.
   If performing seal migration, the barrier config should first be upgraded
   prior to starting migration.
 * Go API client uses pooled HTTP client: The Go API client now uses a
   connection-pooling HTTP client by default. For CLI operations this makes no
   difference but it should provide significant performance benefits for those
   writing custom clients using the Go API library. As before, this can be
   changed to any custom HTTP client by the caller.
 * Builtin Secret Engines and Auth Methods are integrated deeper into the
   plugin system. The plugin catalog can now override builtin plugins with
   custom versions of the same name. Additionally the plugin system now
   requires a plugin `type` field when configuring plugins, this can be "auth",
   "database", or "secret".

 * **Auto-Unseal in Open Source**: Cloud-based auto-unseal has been migrated
   from Enterprise to Open Source. We've created a migrator to allow migrating
   between Shamir seals and auto unseal methods.
 * **Batch Tokens**: Batch tokens trade off some features of service tokens for no
   storage overhead, and in most cases can be used across performance
   replication clusters.
 * **Replication Speed Improvements**: We've worked hard to speed up a lot of
   operations when using Vault Enterprise Replication.
 * **GCP KMS Secrets Engine**: This new secrets engine provides a Transit-like
   pattern to keys stored within GCP Cloud KMS.
 * **AppRole support in Vault Agent Auto-Auth**: You can now use AppRole
   credentials when having Agent automatically authenticate to Vault
 * **OpenAPI Support**: Descriptions of mounted backends can be served directly
   from Vault
 * **Kubernetes Projected Service Account Tokens**: Projected Service Account
   Tokens are now supported in Kubernetes auth
 * **Response Wrapping in UI**: Added ability to wrap secrets and easily copy
   the wrap token or secret JSON in the UI

 * agent: Support for configuring the location of the kubernetes service account
 * auth/token: New tokens are indexed in storage HMAC-SHA256 instead of SHA1
 * secret/totp: Allow @ character to be part of key name [GH-5652]
 * secret/consul: Add support for new policy based tokens added in Consul 1.4
 * ui: Improve the token auto-renew warning, and automatically begin renewal
   when a user becomes active again [GH-5662]
 * ui: The unbundled UI page now has some styling [GH-5665]
 * ui: Improved banner and popup design [GH-5672]
 * ui: Added token type to auth method mount config [GH-5723]
 * ui: Display additonal wrap info when unwrapping. [GH-5664]
 * ui: Empty states have updated styling and link to relevant actions and
   documentation [GH-5758]
 * ui: Allow editing of KV V2 data when a token doesn't have capabilities to
   read secret metadata [GH-5879]

 * agent: Fix auth when multiple redirects [GH-5814]
 * cli: Restore the `-policy-override` flag [GH-5826]
 * core: Fix rekey progress reset which did not happen under certain
   circumstances. [GH-5743]
 * core: Migration from autounseal to shamir will clean up old keys [GH-5671]
 * identity: Update group memberships when entity is deleted [GH-5786]
 * replication/perfstandby: Fix audit table upgrade on standbys [GH-5811]
 * replication/perfstandby: Fix redirect on approle update [GH-5820]
 * secrets/azure: Fix valid roles being rejected for duplicate ids despite
   having distinct scopes
 * storage/gcs: Send md5 of values to GCS to avoid potential corruption
 * secrets/kv: Fix issue where storage version would get incorrectly downgraded
 * secrets/kv: Disallow empty paths on a `kv put` while accepting empty paths
   for all other operations for backwards compatibility
 * ui: Allow for secret creation in kv v2 when cas_required=true [GH-5823]
 * ui: Fix dr secondary operation token generation via the ui [GH-5818]
 * ui: Fix the PKI context menu so that items load [GH-5824]
 * ui: Update DR Secondary Token generation command [GH-5857]
 * ui: Fix pagination bug where controls would be rendered once for each
   item when viewing policies [GH-5866]
 * ui: Fix bug where `sys/leases/revoke` required 'sudo' capability to show
   the revoke button in the UI [GH-5647]
 * ui: Fix issue where certain pages wouldn't render in a namespace [GH-5692]

## 0.11.5 (November 13th, 2018)

 * agent: Fix issue when specifying two file sinks [GH-5610]
 * auth/userpass: Fix minor timing issue that could leak the presence of a
   username [GH-5614]
 * autounseal/alicloud: Fix issue interacting with the API (Enterprise)
 * autounseal/azure: Fix key version tracking (Enterprise)
 * cli: Fix panic that could occur if parameters were not provided [GH-5603]
 * core: Fix buggy behavior if trying to remount into a namespace
 * identity: Fix duplication of entity alias entity during alias transfer
   between entities [GH-5733]
 * namespaces: Fix tuning of auth mounts in a namespace
 * ui: Fix bug where editing secrets as JSON doesn't save properly [GH-5660]
 * ui: Fix issue where IE 11 didn't render the UI and also had a broken form
   when trying to use tool/hash [GH-5714]

## 0.11.4 (October 23rd, 2018)

 * core: HA lock file is no longer copied during `operator migrate` [GH-5503].
   We've categorized this as a change, but generally this can be considered
   just a bug fix, and no action is needed.

 * **Transit Key Trimming**: Keys in transit secret engine can now be trimmed to
   remove older unused key versions
 * **Web UI support for KV Version 2**: Browse, delete, undelete and destroy
   individual secret versions in the UI
 * **Azure Existing Service Principal Support**: Credentials can
   now be generated against an existing service principal

 * core: Add last WAL in leader/health output for easier debugging [GH-5523]
 * identity: Identity names will now be handled case insensitively by default.
   This includes names of entities, aliases and groups [GH-5404]
 * secrets/aws: Added role-option max_sts_ttl to cap TTL for AWS STS
   credentials [GH-5500]
 * secret/database: Allow Cassandra user to be non-superuser so long as it has
   role creation permissions [GH-5402]
 * secret/radius: Allow setting the NAS Identifier value in the generated
   packet [GH-5465]
 * secret/ssh: Allow usage of JSON arrays when setting zero addresses [GH-5528]
 * secret/transit: Allow trimming unused keys [GH-5388]
 * ui: Support KVv2 [GH-5547], [GH-5563]
 * ui: Allow viewing and updating Vault license via the UI
 * ui: Onboarding will now display your progress through the chosen tutorials
 * ui: Dynamic secret backends obfuscate sensitive data by default and
   visibility is toggleable

 * agent: Fix potential hang during agent shutdown [GH-5026]
 * auth/ldap: Fix listing of users/groups that contain slashes [GH-5537]
 * core: Fix memory leak during some expiration calls [GH-5505]
 * core: Fix generate-root operations requiring empty `otp` to be provided
   instead of an empty body [GH-5495]
 * identity: Remove lookup check during alias removal from entity [GH-5524]
 * secret/pki: Fix TTL/MaxTTL check when using `sign-verbatim` [GH-5549]
 * secret/pki: Fix regression in 0.11.2+ causing the NotBefore value of
   generated certificates to be set to the Unix epoch if the role value was not
   set, instead of using the default of 30 seconds [GH-5481]
 * storage/mysql: Use `varbinary` instead of `varchar` when creating HA tables

## 0.11.3 (October 8th, 2018)

 * Revocation: A regression in 0.11.2 (OSS) and 0.11.0 (Enterprise) caused
   lease IDs containing periods (`.`) to not be revoked properly. Upon startup
   when revocation is tried again these should now revoke successfully.

 * auth/ldap: Listing of users and groups return absolute paths [GH-5537]
 * secret/pki: OID SANs can now specify `*` to allow any value [GH-5459]

 * auth/ldap: Fix panic if specific values were given to be escaped [GH-5471]
 * cli/auth: Fix panic if `vault auth` was given no parameters [GH-5473]
 * secret/database/mongodb: Fix panic that could occur at high load [GH-5463]
 * secret/pki: Fix CA generation not allowing OID SANs [GH-5459]

Revision 1.44 / (download) - annotate - [select for diffs], Fri Oct 18 14:58:56 2019 UTC (20 months ago) by bsiegert
Branch: MAIN
Changes since 1.43: +2 -2 lines
Diff to previous 1.43 (colored)

Revbump all Go packages after lang/go112 update

Revision 1.43 / (download) - annotate - [select for diffs], Thu Sep 26 20:10:52 2019 UTC (20 months, 4 weeks ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q3-base
Branch point for: pkgsrc-2019Q3
Changes since 1.42: +2 -2 lines
Diff to previous 1.42 (colored)

Revbump all Go packages after 1.12.10 update.

ok wiz@ for PMC

Revision 1.42 / (download) - annotate - [select for diffs], Wed Aug 14 15:45:46 2019 UTC (22 months, 1 week ago) by bsiegert
Branch: MAIN
Changes since 1.41: +2 -2 lines
Diff to previous 1.41 (colored)

Recursive bump of all packages using Go after Go 1.12.8 update.

Revision 1.41 / (download) - annotate - [select for diffs], Mon May 27 15:18:30 2019 UTC (2 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q2-base, pkgsrc-2019Q2
Changes since 1.40: +2 -2 lines
Diff to previous 1.40 (colored)

Revbump all Go packages after go112 update.

Revision 1.40 / (download) - annotate - [select for diffs], Tue Apr 16 18:41:11 2019 UTC (2 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.39: +2 -2 lines
Diff to previous 1.39 (colored)

Revbump all Go packages after go112 update

Revision 1.39 / (download) - annotate - [select for diffs], Sat Mar 16 08:35:41 2019 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2019Q1-base, pkgsrc-2019Q1
Changes since 1.38: +2 -2 lines
Diff to previous 1.38 (colored)

Revbump all Go packages after Go 1.12.1 update.

Revision 1.38 / (download) - annotate - [select for diffs], Sat Mar 9 10:05:11 2019 UTC (2 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.37: +2 -2 lines
Diff to previous 1.37 (colored)

all: revbump Go packages, now that they use go112 to build

Revision / (download) - annotate - [select for diffs], Fri Feb 8 12:03:17 2019 UTC (2 years, 4 months ago) by spz
Branch: pkgsrc-2018Q4
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored) next main 1.37 (colored)

revbump go dependents after lang/go111 and lang/go110 updates

Revision 1.37 / (download) - annotate - [select for diffs], Thu Jan 24 10:00:43 2019 UTC (2 years, 5 months ago) by bsiegert
Branch: MAIN
Changes since 1.36: +2 -2 lines
Diff to previous 1.36 (colored)

Revbump Go packages after lang/go111 update.

Revision 1.36 / (download) - annotate - [select for diffs], Wed Dec 19 15:47:03 2018 UTC (2 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q4-base
Branch point for: pkgsrc-2018Q4
Changes since 1.35: +2 -2 lines
Diff to previous 1.35 (colored)

Revbump all Go packages after go111 update.

Revision 1.35 / (download) - annotate - [select for diffs], Sat Dec 15 21:12:23 2018 UTC (2 years, 6 months ago) by wiz
Branch: MAIN
Changes since 1.34: +2 -2 lines
Diff to previous 1.34 (colored)

*: update email for fhajny

Revision 1.34 / (download) - annotate - [select for diffs], Sun Nov 4 18:38:06 2018 UTC (2 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.33: +2 -1 lines
Diff to previous 1.33 (colored)

Revbump all Go packages after go111 update.

Revision 1.33 / (download) - annotate - [select for diffs], Sun Oct 7 20:19:38 2018 UTC (2 years, 8 months ago) by fhajny
Branch: MAIN
Changes since 1.32: +2 -2 lines
Diff to previous 1.32 (colored)

## 0.11.2 (October 2nd, 2018)


- `sys/seal-status` now includes an `initialized` boolean in the
  output. If Vault is not initialized, it will return a `200` with
  this value set `false` instead of a `400`.
- `passthrough_request_headers` will now deny certain headers from
  being provided to backends based on a global denylist.


- AWS Secret Engine Root Credential Rotation: The credential used by
  the AWS secret engine can now be rotated, to ensure that only Vault
  knows the credentials it is using.
- Storage Backend Migrator: A new `operator migrate` command allows
  offline migration of data between two storage backends.
- AliCloud KMS Auto Unseal and Seal Wrap Support (Enterprise):
  AliCloud KMS can now be used a support seal for  Auto Unseal and
  Seal Wrapping.


- auth/okta: Fix reading deprecated `token` parameter if a token was
  previously set in the configuration
- core: Re-add deprecated capabilities information for now
- core: Fix handling of cyclic token relationships
- storage/mysql: Fix locking on MariaDB
- replication: Fix DR API when using a token
- identity: Ensure old group alias is removed when a new one is
- storage/alicloud: Don't call uname on package init
- secrets/jwt: Fix issue where request context would be canceled too
- ui: fix need to have update for aws iam creds generation
- ui: fix calculation of token expiry


- auth/aws: The identity alias name can now configured to be either
  IAM unique ID of the IAM Principal, or ARN of the caller identity
- auth/cert: Add allowed_organizational_units support
- cli: Format TTLs for non-secret responses
- identity: Support operating on entities and groups by their names
- plugins: Add `env` parameter when registering plugins to the catalog
  to allow operators to include environment variables during plugin
- secrets/aws: WAL Rollback improvements
- secrets/aws: Allow specifying STS role-default TTLs
- secrets/pki: Add configuration support for setting NotBefore
- core: Support for passing the Vault token via an Authorization
  Bearer header
- replication: Reindex process now runs in the background and does not
  block other vault operations
- storage/zookeeper: Enable TLS based communication with Zookeeper
- ui: you can now init a cluster with a seal config
- ui: added the option to force promote replication clusters
- replication: Allow promotion of a secondary when data is syncing
  with a "force" flag

Revision 1.32 / (download) - annotate - [select for diffs], Thu Sep 6 20:41:53 2018 UTC (2 years, 9 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2018Q3-base, pkgsrc-2018Q3
Changes since 1.31: +2 -2 lines
Diff to previous 1.31 (colored)

security/vault: Update to 0.11.1.


- Random Byte Reading in Barrier: Prior to this release, Vault was not
  properly checking the error code when reading random bytes for the IV for
  AES operations in its cryptographic barrier. Specifically, this means that
  such an IV could potentially be zero multiple times, causing nonce re-use
  and weakening the security of the key. On most platforms this should never
  happen because reading from kernel random sources is non-blocking and always
  successful, but there may be platform-specific behavior that has not been
  accounted for. (Vault has tests to check exactly this, and the tests have
  never seen nonce re-use.)


- AliCloud Agent Support: Vault Agent can now authenticate against the
  AliCloud auth method.
- UI: Enable AliCloud auth method and Azure secrets engine via the UI.


- core: Logging level for most logs (not including secrets/auth plugins) can
  now be changed on-the-fly via `SIGHUP`, reading the desired value from
  Vault's config file


- core: Ensure we use a background context when stepping down
- core: Properly check error return from random byte reading
- core: Re-add `sys/` top-route injection for now
- core: Properly store the replication checkpoint file if it's larger than the
  storage engine's per-item limit
- identity: Update MemDB with identity group alias while loading groups
- secrets/database: Fix nil pointer when revoking some leases
- secrets/pki: Fix sign-verbatim losing extra Subject attributes
- secrets/pki: Remove certificates from store when tidying revoked
  certificates and simplify API
- ui: JSON editor will not coerce input to an object, and will now show an
  error about Vault expecting an object
- ui: authentication form will now default to any methods that have been tuned
  to show up for unauthenticated users

Revision 1.31 / (download) - annotate - [select for diffs], Mon Sep 3 18:59:08 2018 UTC (2 years, 9 months ago) by fhajny
Branch: MAIN
Changes since 1.30: +6 -3 lines
Diff to previous 1.30 (colored)

security/vault: Update to 0.11.0.


- Request Timeouts: A default request timeout of 90s is now enforced. This
  setting can be overwritten in the config file. If you anticipate requests
  taking longer than 90s this setting should be updated before upgrading.
- (NOTE: will be re-added into 0.11.1 as it broke more than anticipated. There
  will be some further guidelines around when this will be removed again.)
  * `sys/` Top Level Injection: For the last two years for backwards
  compatibility data for various `sys/` routes has been injected into both the
  Secret's Data map and into the top level of the JSON response object.
  However, this has some subtle issues that pop up from time to time and is
  becoming increasingly complicated to maintain, so it's finally being
- Path Fallback for List Operations: For a very long time Vault has
  automatically adjusted `list` operations to always end in a `/`, as list
  operations operates on prefixes, so all list operations by definition end
  with `/`. This was done server-side so affects all clients. However, this
  has also led to a lot of confusion for users writing policies that assume
  that the path that they use in the CLI is the path used internally. Starting
  in 0.11, ACL policies gain a new fallback rule for listing: they will use a
  matching path ending in `/` if available, but if not found, they will look
  for the same path without a trailing `/`. This allows putting `list`
  capabilities in the same path block as most other capabilities for that
  path, while not providing any extra access if `list` wasn't actually
  provided there.
- Performance Standbys On By Default: If you flavor/license of Vault
  Enterprise supports Performance Standbys, they are on by default. You can
  disable this behavior per-node with the `disable_performance_standby`
  configuration flag.
- AWS Secret Engine Roles: The AWS Secret Engine roles are now explicit about
  the type of AWS credential they are generating; this reduces reduce
  ambiguity that existed previously as well as enables new features for
  specific credential types. Writing role data and generating credentials
  remain backwards compatible; however, the data returned when reading a
  role's configuration has changed in backwards-incompatible ways. Anything
  that depended on reading role data from the AWS secret engine will break
  until it is updated to work with the new format.


- Namespaces (Enterprise): A set of features within Vault Enterprise
  that allows Vault environments to support *Secure Multi-tenancy* within a
  single Vault Enterprise infrastructure. Through namespaces, Vault
  administrators can support tenant isolation for teams and individuals as
  well as empower those individuals to self-manage their own tenant
- Performance Standbys (Enterprise): Standby nodes can now service
  requests that do not modify storage. This provides near-horizontal scaling
  of a cluster in some workloads, and is the intra-cluster analogue of
  the existing Performance Replication feature, which replicates to distinct
  clusters in other datacenters, geos, etc.
- AliCloud OSS Storage: AliCloud OSS can now be used for Vault storage.
- AliCloud Auth Plugin: AliCloud's identity services can now be used to
  grant access to Vault. See the plugin repository for more information.
- Azure Secrets Plugin: There is now a plugin (pulled in to Vault) that
  allows generating credentials to allow access to Azure. See the plugin
  repository for more information.
- HA Support for MySQL Storage: MySQL storage now supports HA.
- ACL Templating: ACL policies can now be templated using identity Entity,
  Groups, and Metadata.
- UI Onboarding wizards: The Vault UI can provide contextual help and
  guidance, linking out to relevant links or guides on for
  various workflows in Vault.


- agent: Add `exit_after_auth` to be able to use the Agent for a single
- auth/approle: Add ability to set token bound CIDRs on individual Secret IDs
- cli: Add support for passing parameters to `vault read` operations
- secrets/aws: Make credential types more explicit
- secrets/nomad: Support for longer token names
- secrets/pki: Allow disabling CRL generation
- storage/azure: Add support for different Azure environments
- storage/file: Sort keys in list responses
- storage/mysql: Support special characters in database and table names.


- auth/jwt: Always validate `aud` claim even if `bound_audiences` isn't set
  (IOW, error in this case)
- core: Prevent Go's HTTP library from interspersing logs in a different
  format and/or interleaved
- identity: Properly populate `mount_path` and `mount_type` on group lookup
- identity: Fix persisting alias metadata
- identity: Fix carryover issue from previously fixed race condition that
  could cause Vault not to start up due to two entities referencing the same
  alias. These entities are now merged.
- replication: Fix issue causing some pages not to flush to storage
- secrets/database: Fix inability to update custom SQL statements on
  database roles.
- secrets/pki: Disallow putting the CA's serial on its CRL. While technically
  legal, doing so inherently means the CRL can't be trusted anyways, so it's
  not useful and easy to footgun.
- storage/gcp,spanner: Fix data races

Revision 1.30 / (download) - annotate - [select for diffs], Sun Jul 8 13:54:39 2018 UTC (2 years, 11 months ago) by bsiegert
Branch: MAIN
Changes since 1.29: +2 -2 lines
Diff to previous 1.29 (colored)

Do not use "naked" go invocations.

Use ${GO} instead.

Revision 1.29 / (download) - annotate - [select for diffs], Tue Jun 12 17:50:27 2018 UTC (3 years ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q2-base, pkgsrc-2018Q2
Changes since 1.28: +2 -1 lines
Diff to previous 1.28 (colored)

Revbump all Go packages after lang/go update.

Revision 1.28 / (download) - annotate - [select for diffs], Fri Apr 27 14:02:41 2018 UTC (3 years, 1 month ago) by fhajny
Branch: MAIN
Changes since 1.27: +2 -2 lines
Diff to previous 1.27 (colored)

security/vault: Update to 0.10.1.


- `vault kv` and Vault versions: In 0.10.1 some issues with `vault kv` against
  v1 K/V engine mounts are fixed. However, using 0.10.1 for both the server
  and CLI versions is required.
- Mount information visibility: Users that have access to any path within a
  mount can now see information about that mount, such as its type and
  options, via some API calls.
- Identity and Local Mounts: Local mounts would allow creating Identity
  entities but these would not be able to be used successfully (even locally)
  in replicated scenarios. We have now disallowed entities and groups from
  being created for local mounts in the first place.


- X-Forwarded-For support: `X-Forwarded-For` headers can now be used to set the
  client IP seen by Vault. See the TCP listener configuration
  page for details.
- CIDR IP Binding for Tokens: Tokens now support being bound to specific
  CIDR(s) for usage. Currently this is implemented in Token Roles; usage can be
  expanded to other authentication backends over time.
- `vault kv patch` command: A new `kv patch` helper command that allows
  modifying only some values in existing data at a K/V path, but uses
  check-and-set to ensure that this modification happens safely.
- AppRole Local Secret IDs: Roles can now be configured to generate secret IDs
  local to the cluster. This enables performance secondaries to generate and
  consume secret IDs without contacting the primary.
- AES-GCM Support for PKCS#11 [BETA] (Enterprise): For supporting HSMs,
  AES-GCM can now be used in lieu of AES-CBC/HMAC-SHA256. This has currently
  only been fully tested on AWS CloudHSM.
- Auto Unseal/Seal Wrap Key Rotation Support (Enterprise): Auto Unseal
  mechanisms, including PKCS#11 HSMs, now support rotation of encryption keys,
  and migration between key and encryption types, such as from AES-CBC to
  AES-GCM, can be performed at the same time (where supported).


- auth/approle: Support for cluster local secret IDs. This enables secondaries
  to generate secret IDs without contacting the primary
- auth/token: Add to the token lookup response, the policies inherited due to
  identity associations
- auth/token: Add CIDR binding to token roles
- cli: Add `vault kv patch`
- core: Add X-Forwarded-For support
- core: Add token CIDR-binding support
- identity: Add the ability to disable an entity. Disabling an entity does not
  revoke associated tokens, but while the entity is disabled they cannot be
- physical/consul: Allow tuning of session TTL and lock wait time
- replication: Dynamically adjust WAL cleanup over a period of time based on
  the rate of writes committed
- secret/ssh: Update dynamic key install script to use shell locking to avoid
  concurrent modifications
- ui: Access to `sys/mounts` is no longer needed to use the UI - the list of
  engines will show you the ones you implicitly have access to (because you have
  access to to secrets in those engines)


- cli: Fix `vault kv` backwards compatibility with KV v1 engine mounts
- identity: Persist entity memberships in external identity groups across
- identity: Fix error preventing authentication using local mounts on
  performance secondary replication clusters
- replication: Fix issue causing secondaries to not connect properly to a
  pre-0.10 primary until the primary was upgraded
- secret/gcp: Fix panic on rollback when a roleset wasn't created properly
- secret/gcp: Fix panic on renewal
- ui: Fix IE11 form submissions in a few parts of the application
- ui: Fix IE file saving on policy pages and init screens
- ui: Fixed an issue where the AWS secret backend would show the wrong menu
- ui: Fixed an issue where policies with commas would not render in the
  interface properly
- ui: Corrected the saving of mount tune ttls for auth methods
- ui: Credentials generation no longer checks capabilities before making
  api calls. This should fix needing "update" capabilites to read IAM
  credentials in the AWS secrets engine

Revision 1.27 / (download) - annotate - [select for diffs], Wed Apr 11 15:35:49 2018 UTC (3 years, 2 months ago) by fhajny
Branch: MAIN
Changes since 1.26: +2 -3 lines
Diff to previous 1.26 (colored)

security/vault: Update to 0.10.0.


- Log sanitization for Combined Database Secret Engine: In certain failure
  scenarios with incorrectly formatted connection urls, the raw connection
  errors were being returned to the user with the configured database
  credentials. Errors are now sanitized before being returned to the user.


- Database plugin compatibility: The database plugin interface was enhanced to
  support some additional functionality related to root credential rotation
  and supporting templated URL strings. The changes were made in a
  backwards-compatible way and all builtin plugins were updated with the new
  features. Custom plugins not built into Vault will need to be upgraded to
  support templated URL strings and root rotation. Additionally, the
  Initialize method was deprecated in favor of a new Init method that supports
  configuration modifications that occur in the plugin back to the primary
  data store.
- Removal of returned secret information: For a long time Vault has returned
  configuration given to various secret engines and auth methods with secret
  values (such as secret API keys or passwords) still intact, and with a
  warning to the user on write that anyone with read access could see the
  secret. This was mostly done to make it easy for tools like Terraform to
  judge whether state had drifted. However, it also feels quite un-Vault-y to
  do this and we've never felt very comfortable doing so. In 0.10 we have gone
  through and removed this behavior from the various backends; fields which
  contained secret values are simply no longer returned on read. We are
  working with the Terraform team to make changes to their provider to
  accommodate this as best as possible, and users of other tools may have to
  make adjustments, but in the end we felt that the ends did not justify the
  means and we needed to prioritize security over operational convenience.
- LDAP auth method case sensitivity: We now treat usernames and groups
  configured locally for policy assignment in a case insensitive fashion by
  default. Existing configurations will continue to work as they do now;
  however, the next time a configuration is written `case_sensitive_names`
  will need to be explicitly set to `true`.
- TTL handling within core: All lease TTL handling has been centralized within
  the core of Vault to ensure consistency across all backends. Since this was
  previously delegated to individual backends, there may be some slight
  differences in TTLs generated from some backends.
- Removal of default `secret/` mount: In 0.12 we will stop mounting `secret/`
  by default at initialization time (it will still be available in `dev`


- OSS UI: The Vault UI is now fully open-source. Similarly to the CLI, some
  features are only available with a supporting version of Vault, but the code
  base is entirely open.
- Versioned K/V: The `kv` backend has been completely revamped, featuring
  flexible versioning of values, check-and-set protections, and more. A new
  `vault kv` subcommand allows friendly interactions with it. Existing mounts
  of the `kv` backend can be upgraded to the new versioned mode (downgrades
  are not currently supported). The old "passthrough" mode is still the
  default for new mounts; versioning can be turned on by setting the
  `-version=2` flag for the `vault secrets enable` command.
- Database Root Credential Rotation: Database configurations can now rotate
  their own configured admin/root credentials, allowing configured credentials
  for a database connection to be rotated immediately after sending them into
  Vault, invalidating the old credentials and ensuring only Vault knows the
  actual valid values.
- Azure Authentication Plugin: There is now a plugin (pulled in to Vault) that
  allows authenticating Azure machines to Vault using Azure's Managed Service
  Identity credentials. See the [plugin
  repository]( for more
- GCP Secrets Plugin: There is now a plugin (pulled in to Vault) that allows
  generating secrets to allow access to GCP. See the [plugin
  repository]( for more
- Selective Audit HMACing of Request and Response Data Keys: HMACing in audit
  logs can be turned off for specific keys in the request input map and
  response `data` map on a per-mount basis.
- Passthrough Request Headers: Request headers can now be selectively passed
  through to backends on a per-mount basis. This is useful in various cases
  when plugins are interacting with external services.
- HA for Google Cloud Storage: The GCS storage type now supports HA.
- UI support for identity: Add and edit entities, groups, and their associated
- UI auth method support: Enable, disable, and configure all of the built-in
  authentication methods.
- UI (Enterprise): View and edit Sentinel policies.


- core: Centralize TTL generation for leases in core
- identity: API to update group-alias by ID
- secret/cassandra: Update Cassandra storage delete function to not use batch
- storage/mysql: Allow setting max idle connections and connection lifetime

- storage/gcs: Add HA support
- ui: Add Nomad to the list of available secret engines
- ui: Adds ability to set static headers to be returned by the UI


- api: Fix retries not working
- auth/gcp: Invalidate clients on config change
- auth/token: Revoke-orphan and tidy operations now correctly cleans up the
  parent prefix entry in the underlying storage backend. These operations also
  mark corresponding child tokens as orphans by removing the parent/secondary
  index from the entries.
- command: Re-add `-mfa` flag and migrate to OSS binary
- core: Fix issue occurring from mounting two auth backends with the same path
  with one mount having `auth/` in front
- mfa: Invalidation of MFA configurations (Enterprise)
- replication: Fix a panic on some non-64-bit platforms
- replication: Fix invalidation of policies on performance secondaries
- secret/pki: When tidying if a value is unexpectedly nil, delete it and move
- storage/s3: Fix panic if S3 returns no Content-Length header
- ui: Fixed an issue where the UI was checking incorrect paths when operating
  on transit keys. Capabilities are now checked when attempting to encrypt /
  decrypt, etc.
- ui: Fixed IE 11 layout issues and JS errors that would stop the application
  from running.
- ui: Fixed the link that gets rendered when a user doesn't have permissions
  to view the root of a secret engine. The link now sends them back to the list
  of secret engines.
- replication: Fix issue with DR secondaries when using mount specified local
- cli: Fix an issue where generating a dr operation token would not output the

Revision 1.26 / (download) - annotate - [select for diffs], Fri Mar 30 11:56:25 2018 UTC (3 years, 2 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2018Q1-base, pkgsrc-2018Q1
Changes since 1.25: +2 -1 lines
Diff to previous 1.25 (colored)

Revbump all Go packages after 1.10.1 update.

ok wiz@ for committing during freeze

Revision 1.25 / (download) - annotate - [select for diffs], Fri Mar 23 12:00:12 2018 UTC (3 years, 3 months ago) by fhajny
Branch: MAIN
Changes since 1.24: +2 -3 lines
Diff to previous 1.24 (colored)

security/vault: Update to 0.9.6


- The AWS authentication backend now allows binds for inputs as either a
  comma-delimited string or a string array. However, to keep consistency with
  input and output, when reading a role the binds will now be returned as
  string arrays rather than strings.
- In order to prefix-match IAM role and instance profile ARNs in AWS auth
  backend, you now must explicitly opt-in by adding a `*` to the end of the
  ARN. Existing configurations will be upgraded automatically, but when
  writing a new role configuration the updated behavior will be used.


- Replication Activation Enhancements: When activating a replication
  secondary, a public key can now be fetched first from the target cluster.
  This public key can be provided to the primary when requesting the
  activation token. If provided, the public key will be used to perform a
  Diffie-Hellman key exchange resulting in a shared key that encrypts the
  contents of the activation token. The purpose is to protect against
  accidental disclosure of the contents of the token if unwrapped by the wrong
  party, given that the contents of the token are highly sensitive. If
  accidentally unwrapped, the contents of the token are not usable by the
  unwrapping party. It is important to note that just as a malicious operator
  could unwrap the contents of the token, a malicious operator can pretend to
  be a secondary and complete the Diffie-Hellman exchange on their own; this
  feature provides defense in depth but still requires due diligence around
  replication activation, including multiple eyes on the commands/tokens and
  proper auditing.


- api: Update renewer grace period logic. It no longer is static, but rather
  dynamically calculates one based on the current lease duration after each
- auth/approle: Allow array input for bound_cidr_list
- auth/aws: Allow using lists in role bind parameters
- auth/aws: Allow binding by EC2 instance IDs
- auth/aws: Allow non-prefix-matched IAM role and instance profile ARNs
- auth/ldap: Set a very large size limit on queries
- core: Log info notifications of revoked leases for all leases/reasons, not
  just expirations
- physical/couchdb: Removed limit on the listing of items
- secret/pki: Support certificate policies
- secret/pki: Add ability to have CA:true encoded into intermediate CSRs, to
  improve compatibility with some ADFS scenarios
- secret/transit: Allow selecting signature algorithm as well as hash
  algorithm when signing/verifying
- server: Make sure `tls_disable_client_cert` is actually a true value rather
  than just set
- storage/dynamodb: Allow specifying max retries for dynamo client
- storage/gcs: Allow specifying chunk size for transfers, which can reduce
  memory utilization
- sys/capabilities: Add the ability to use multiple paths for capability


- auth/aws: Fix honoring `max_ttl` when a corresponding role `ttl` is not also
- auth/okta: Fix honoring configured `max_ttl` value
- auth/token: If a periodic token being issued has a period greater than the
  max_lease_ttl configured on the token store mount, truncate it. This matches
  renewal behavior; before it was inconsistent between issuance and renewal.
- cli: Improve error messages around `vault auth help` when there is no CLI
  helper for a particular method

Revision 1.24 / (download) - annotate - [select for diffs], Sun Mar 4 15:52:19 2018 UTC (3 years, 3 months ago) by bsiegert
Branch: MAIN
Changes since 1.23: +2 -1 lines
Diff to previous 1.23 (colored)

Revbump all Go packages after Go 1.10 update.

Revision 1.23 / (download) - annotate - [select for diffs], Tue Feb 27 12:32:35 2018 UTC (3 years, 3 months ago) by fhajny
Branch: MAIN
Changes since 1.22: +5 -7 lines
Diff to previous 1.22 (colored)

security/vault: Simplify Makefile, enable a basic test target.

Revision 1.22 / (download) - annotate - [select for diffs], Tue Feb 27 11:20:42 2018 UTC (3 years, 3 months ago) by fhajny
Branch: MAIN
Changes since 1.21: +2 -2 lines
Diff to previous 1.21 (colored)

security/vault: Update to 0.9.5

## 0.9.5 (February 26th, 2018)


- auth: Allow sending default_lease_ttl and max_lease_ttl values when enabling
  auth methods.
- secret/database: Add list functionality to `database/config` endpoint
- physical/consul: Allow setting a specific service address
- replication: When bootstrapping a new secondary, if the initial cluster
  connection fails, Vault will attempt to roll back state so that
  bootstrapping can be tried again, rather than having to recreate the
  downstream cluster. This will still require fetching a new secondary
  activation token.


- auth/aws: Update libraries to fix regression verifying PKCS#7 identity
- listener: Revert to Go 1.9 for now to allow certificates with non-DNS names
  in their DNS SANs to be used for Vault's TLS connections
- replication: Fix issue with a performance secondary/DR primary node losing
  its DR primary status when performing an update-primary operation
- replication: Fix issue where performance secondaries could be unable to
  automatically connect to a performance primary after that performance
  primary has been promoted to a DR primary from a DR secondary
- ui: Fix behavior when a value contains a `.`

## 0.9.4 (February 20th, 2018)


- Role Tags used with the EC2 style of AWS auth were being improperly parsed;
  as a result they were not being used to properly restrict values.
  Implementations following our suggestion of using these as defense-in-depth
  rather than the only source of restriction should not have significant


- ChaCha20-Poly1305 support in `transit`: You can now encrypt and decrypt
  with ChaCha20-Poly1305 in `transit`. Key derivation and convergent
  encryption is also supported.
- Okta Push support in Okta Auth Backend: If a user account has MFA
  required within Okta, an Okta Push MFA flow can be used to successfully
  finish authentication.
- PKI Improvements: Custom OID subject alternate names can now be set,
  subject to allow restrictions that support globbing. Additionally, Country,
  Locality, Province, Street Address, and Postal Code can now be set in
  certificate subjects.
- Manta Storage: Joyent Triton Manta can now be used for Vault storage
- Google Cloud Spanner Storage: Google Cloud Spanner can now be used for
  Vault storage


- auth/centrify: Add CLI helper
- audit: Always log failure metrics, even if zero, to ensure the values appear
  on dashboards
- cli: Disable color when output is not a TTY
- cli: Add `-format` flag to all subcommands
- cli: Do not display deprecation warnings when the format is not table
- core: If over a predefined lease count (256k), log a warning not more than
  once a minute. Too many leases can be problematic for many of the storage
  backends and often this number of leases is indicative of a need for
  workflow improvements.
- secret/nomad: Have generated ACL tokens cap out at 64 characters
- secret/pki: Country, Locality, Province, Street Address, and Postal Code can
  now be set on certificates
- secret/pki: UTF-8 Other Names can now be set in Subject Alternate Names in
  issued certs; allowed values can be set per role and support globbing
- secret/pki: Add a flag to make the common name optional on certs
- secret/pki: Ensure only DNS-compatible names go into DNS SANs; additionally,
  properly handle IDNA transformations for these DNS names
- secret/ssh: Add `valid-principles` flag to CLI for CA mode
- storage/manta: Add Manta storage
- ui (Enterprise): Support for ChaCha20-Poly1305 keys in the transit engine.

- api/renewer: Honor increment value in renew auth calls
- auth/approle: Fix inability to use limited-use-count secret IDs on
  replication performance secondaries
- auth/approle: Cleanup of secret ID accessors during tidy and removal of
  dangling accessor entries
- auth/aws-ec2: Avoid masking of role tag response
- auth/cert: Verify DNS SANs in the authenticating certificate
- auth/okta: Return configured durations as seconds, not nanoseconds
- auth/okta: Get all okta groups for a user vs. default 200 limit
- auth/token: Token creation via the CLI no longer forces periodic token
  creation. Passing an explicit zero value for the period no longer create
  periodic tokens.
- command: Fix interpreted formatting directives when printing raw fields
- command: Correctly format output when using -field and -format flags at the
  same time
- command/rekey: Re-add lost `stored-shares` parameter
- command/ssh: Create and reuse the api client
- command/status: Fix panic when status returns 500 from leadership lookup
- identity: Fix race when creating entities
- plugin/gRPC: Fixed an issue with list requests and raw responses coming from
  plugins using gRPC transport
- plugin/gRPC: Fix panic when special paths are not set
- secret/pki: Verify a name is a valid hostname before adding to DNS SANs
- secret/transit: Fix auditing when reading a key after it has been backed up
  or restored
- secret/transit: Fix storage/memory consistency when persistence fails
- storage/consul: Validate that service names are RFC 1123 compliant
- storage/etcd3: Fix memory ballooning with standby instances
- storage/etcd3: Fix large lists (like token loading at startup) not being
- storage/postgresql: Fix compatibility with versions using custom string
  version tags
- storage/zookeeper: Update vendoring to fix freezing issues
- ui (Enterprise): Decoding the replication token should no longer error and
  prevent enabling of a secondary replication cluster via the ui.
- plugin/gRPC: Add connection info to the request object

Revision 1.21 / (download) - annotate - [select for diffs], Tue Jan 30 16:37:35 2018 UTC (3 years, 4 months ago) by fhajny
Branch: MAIN
Changes since 1.20: +2 -2 lines
Diff to previous 1.20 (colored)

Update security/vault to 0.9.3.

## 0.9.3 (January 28th, 2018)

A regression from a feature merge disabled the Nomad secrets backend in 0.9.2.
This release re-enables the Nomad secrets backend; it is otherwise identical to

## 0.9.2 (January 26th, 2018)


* Okta Auth Backend: While the Okta auth backend was successfully verifying
  usernames and passwords, it was not checking the returned state of the
  account, so accounts that had been marked locked out could still be used to
  log in. Only accounts in SUCCESS or PASSWORD_WARN states are now allowed.
* Periodic Tokens: A regression in 0.9.1 meant that periodic tokens created by
  the AppRole, AWS, and Cert auth backends would expire when the max TTL for
  the backend/mount/system was hit instead of their stated behavior of living
  as long as they are renewed. This is now fixed; existing tokens do not have
  to be reissued as this was purely a regression in the renewal logic.
* Seal Wrapping: During certain replication states values written marked for
  seal wrapping may not be wrapped on the secondaries. This has been fixed,
  and existing values will be wrapped on next read or write. This does not
  affect the barrier keys.


* `sys/health` DR Secondary Reporting: The `replication_dr_secondary` bool
  returned by `sys/health` could be misleading since it would be `false` both
  when a cluster was not a DR secondary but also when the node is a standby in
  the cluster and has not yet fully received state from the active node. This
  could cause health checks on LBs to decide that the node was acceptable for
  traffic even though DR secondaries cannot handle normal Vault traffic. (In
  other words, the bool could only convey "yes" or "no" but not "not sure
  yet".) This has been replaced by `replication_dr_mode` and
  `replication_perf_mode` which are string values that convey the current
  state of the node; a value of `disabled` indicates that replication is
  disabled or the state is still being discovered. As a result, an LB check
  can positively verify that the node is both not `disabled` and is not a DR
  secondary, and avoid sending traffic to it if either is true.
* PKI Secret Backend Roles parameter types: For `ou` and `organization`
  in role definitions in the PKI secret backend, input can now be a
  comma-separated string or an array of strings. Reading a role will
  now return arrays for these parameters.
* Plugin API Changes: The plugin API has been updated to utilize golang's
  context.Context package. Many function signatures now accept a context
  object as the first parameter. Existing plugins will need to pull in the
  latest Vault code and update their function signatures to begin using
  context and the new gRPC transport.


* **gRPC Backend Plugins**: Backend plugins now use gRPC for transport,
  allowing them to be written in other languages.
* **Brand New CLI**: Vault has a brand new CLI interface that is significantly
  streamlined, supports autocomplete, and is almost entirely backwards
* **UI: PKI Secret Backend (Enterprise)**: Configure PKI secret backends,
  create and browse roles and certificates, and issue and sign certificates via
  the listed roles.


* auth/aws: Handle IAM headers produced by clients that formulate numbers as
  ints rather than strings [GH-3763]
* auth/okta: Support JSON lists when specifying groups and policies [GH-3801]
* autoseal/hsm: Attempt reconnecting to the HSM on certain kinds of issues,
  including HA scenarios for some Gemalto HSMs.
* cli: Output password prompts to stderr to make it easier to pipe an output
  token to another command [GH-3782]
* core: Report replication status in `sys/health` [GH-3810]
* physical/s3: Allow using paths with S3 for non-AWS deployments [GH-3730]
* physical/s3: Add ability to disable SSL for non-AWS deployments [GH-3730]
* plugins: Args for plugins can now be specified separately from the command,
  allowing the same output format and input format for plugin information
* secret/pki: `ou` and `organization` can now be specified as a
  comma-separated string or an array of strings [GH-3804]
* plugins: Plugins will fall back to using netrpc as the communication protocol
  on older versions of Vault [GH-3833]


* auth/(approle,aws,cert): Fix behavior where periodic tokens generated by
  these backends could not have their TTL renewed beyond the system/mount max
  TTL value [GH-3803]
* auth/aws: Fix error returned if `bound_iam_principal_arn` was given to an
  existing role update [GH-3843]
* core/sealwrap: Speed improvements and bug fixes (Enterprise)
* identity: Delete group alias when an external group is deleted [GH-3773]
* legacymfa/duo: Fix intermittent panic when Duo could not be reached

Revision 1.20 / (download) - annotate - [select for diffs], Tue Jan 2 09:35:44 2018 UTC (3 years, 5 months ago) by fhajny
Branch: MAIN
Changes since 1.19: +2 -2 lines
Diff to previous 1.19 (colored)

Update security/vault to 0.9.1.


- AppRole Case Sensitivity: In prior versions of Vault, `list` operations
  against AppRole roles would require preserving case in the role name, even
  though most other operations within AppRole are case-insensitive with
  respect to the role name. This has been fixed; existing roles will behave as
  they have in the past, but new roles will act case-insensitively in these
- Token Auth Backend Roles parameter types: For `allowed_policies` and
  `disallowed_policies` in role definitions in the token auth backend, input
  can now be a comma-separated string or an array of strings. Reading a role
  will now return arrays for these parameters.
- Transit key exporting: You can now mark a key in the `transit` backend as
  `exportable` at any time, rather than just at creation time; however, once
  this value is set, it still cannot be unset.
- PKI Secret Backend Roles parameter types: For `allowed_domains` and
  `key_usage` in role definitions in the PKI secret backend, input
  can now be a comma-separated string or an array of strings. Reading a role
  will now return arrays for these parameters.
- SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic
  key method in the SSH backend, the default is now to use 2048-bit keys if no
  specific key bit size is specified.
- Consul Secret Backend lease handling: The `consul` secret backend can now
  accept both strings and integer numbers of seconds for its lease value. The
  value returned on a role read will be an integer number of seconds instead
  of a human-friendly string.
- Unprintable characters not allowed in API paths: Unprintable characters are
  no longer allowed in names in the API (paths and path parameters), with an
  extra restriction on whitespace characters. Allowed characters are those
  that are considered printable by Unicode plus spaces.


- Transit Backup/Restore: The `transit` backend now supports a backup
  operation that can export a given key, including all key versions and
  configuration, as well as a restore operation allowing import into another
- gRPC Database Plugins: Database plugins now use gRPC for transport,
  allowing them to be written in other languages.
- Nomad Secret Backend: Nomad ACL tokens can now be generated and revoked
  using Vault.
- TLS Cert Auth Backend Improvements: The `cert` auth backend can now
  match against custom certificate extensions via exact or glob matching, and
  additionally supports max_ttl and periodic token toggles.


- auth/cert: Support custom certificate constraints
- auth/cert: Support setting `max_ttl` and `period`
- audit/file: Setting a file mode of `0000` will now disable Vault from
  automatically `chmod`ing the log file
- auth/github: The legacy MFA system can now be used with the GitHub auth
- auth/okta: The legacy MFA system can now be used with the Okta auth backend
- auth/token: `allowed_policies` and `disallowed_policies` can now be specified
  as a comma-separated string or an array of strings
- command/server: The log level can now be specified with `VAULT_LOG_LEVEL`
- core: Period values from auth backends will now be checked and applied to the
  TTL value directly by core on login and renewal requests
- database/mongodb: Add optional `write_concern` parameter, which can be set
  during database configuration. This establishes a session-wide write
  concern for the lifecycle of the mount
- http: Request path containing non-printable characters will return 400 - Bad
- mfa/okta: Filter a given email address as a login filter, allowing operation
  when login email and account email are different
- plugins: Make Vault more resilient when unsealing when plugins are
- secret/pki: `allowed_domains` and `key_usage` can now be specified
  as a comma-separated string or an array of strings
- secret/ssh: Allow 4096-bit keys to be used in dynamic key method
- secret/consul: The Consul secret backend now uses the value of `lease` set
  on the role, if set, when renewing a secret.
- storage/mysql: Don't attempt database creation if it exists, which can help
  under certain permissions constraints


- api/status (enterprise): Fix status reporting when using an auto seal
- auth/approle: Fix case-sensitive/insensitive comparison issue
- auth/cert: Return `allowed_names` on role read
- auth/ldap: Fix incorrect control information being sent
- core: Fix seal status reporting when using an autoseal
- core: Add creation path to wrap info for a control group token
- core: Fix potential panic that could occur using plugins when a node
  transitioned from active to standby
- core: Fix memory ballooning when a connection would connect to the cluster
  port and then go away -- redux!
- core: Replace recursive token revocation logic with depth-first logic, which
  can avoid hitting stack depth limits in extreme cases
- core: When doing a read on configured audited-headers, properly handle case
- core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable
- database/mysql: Allow the creation statement to use commands that are not yet
  supported by the prepare statement protocol
- plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference`

Revision 1.19 / (download) - annotate - [select for diffs], Thu Nov 16 11:31:12 2017 UTC (3 years, 7 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2017Q4-base, pkgsrc-2017Q4
Changes since 1.18: +2 -2 lines
Diff to previous 1.18 (colored)

Update security/vault to 0.9.0.


- API HTTP client behavior: When calling `NewClient` the API no longer
  modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
  backend that gets returned along with the authentication response
  will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
  or update a role with the mutually-exclusive options
  `disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
  backend, the TTL/max TTL values will now be an integer number of
  seconds rather than a string. This better matches the API elsewhere
  in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
  the API, the response data will additionally return a `key_info` map
  that will contain a map of each key with a corresponding object
  containing the `key_type`.
- More granularity in audit logs: Audit request and response entires
  are still in RFC3339 format but now have a granularity of
- High availability related values have been moved out of the
  `storage` and `ha_storage` stanzas, and into the top-level
  configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
  is optional and enables configuration of the seal type to use for
  additional data protection, such as using HSM or Cloud KMS solutions
  to encrypt and decrypt data.


- RSA Support for Transit Backend: Transit backend can now generate
  RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
  enhancements, Identity is an integrated system for understanding
  users across tokens and enabling easier management of users directly
  and via groups.
- External Groups in Identity: Vault can now automatically assign
  users and systems to groups in Identity based on their membership in
  external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
  take advantage of FIPS 140-2-certified HSMs to ensure that Critical
  Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
  group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
  Sentinel to create extremely flexible access control policies - even
  on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
  auto-unsealing functionality, the `rekey` operation is now
  supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
  using Disaster Recovery replication, a token can be created that can
  be used to authorize actions such as promotion and updating primary
  information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
  auto-unsealing, a request to unseal Vault can be triggered by a
  threshold of recovery keys, rather than requiring the Vault process to
  be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
  Enterprise UI. The look and feel has been completely redesigned to
  give users a better experience and make managing secrets fast and
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
  backend, create and browse roles. And use them to sign keys or
  generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
  backend via the Vault Enterprise UI. In addition you can create
  roles, browse the roles and Generate IAM Credentials from them
  in the UI.


- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
  The files themselves were `600` and are all encrypted, but this
  doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
  for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
  strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
  or an integer
- secret/transit: Sign and verify operations now support a `none` hash
  algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
  Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
  promoting, and updating primary on DR Secondary clusters


- api: Fix panic when setting a custom HTTP client but with a nil
- api: Fix authing to the `cert` backend when the CA for the client
  cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
  port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
  in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
- physical/etcd3: Fix case where standbys can lose their etcd client
- physical/file: Fix listing when underscores are the first component
  of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
  less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
  this was erroneously removed in a previous release

Revision 1.18 / (download) - annotate - [select for diffs], Tue Sep 26 07:41:14 2017 UTC (3 years, 8 months ago) by fhajny
Branch: MAIN
Changes since 1.17: +2 -2 lines
Diff to previous 1.17 (colored)

Update security/vault to 0.8.3.


- Policy input/output standardization: For all built-in authentication
  backends, policies can now be specified as a comma-delimited string or an
  array if using JSON as API input; on read, policies will be returned as an
  array; and the `default` policy will not be forcefully added to policies
  saved in configurations. Please note that the `default` policy will continue
  to be added to generated tokens, however, rather than backends adding
  `default` to the given set of input policies (in some cases, and not in
  others), the stored set will reflect the user-specified set.
- `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the
  endpoint would not modify the Issuer in the generated certificate, leaving
  the output self-issued. Although theoretically valid, in practice crypto
  stacks were unhappy validating paths containing such certs. As a result,
  `sign-self-issued` now encodes the signing CA's Subject DN into the Issuer
  DN of the generated certificate.
- `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely
  useful in break-glass or support scenarios, it is also extremely dangerous.
  As of now, a configuration file option `raw_storage_endpoint` must be set in
  order to enable this API endpoint. Once set, the available functionality has
  been enhanced slightly; it now supports listing and decrypting most of
  Vault's core data structures, except for the encryption keyring itself.
- `generic` is now `kv`: To better reflect its actual use, the `generic`
  backend is now `kv`. Using `generic` will still work for backwards


- GCE Support for GCP Auth: GCE instances can now authenticate to Vault
  using machine credentials.
- Support for Kubernetes Service Account Auth: Kubernetes Service Accounts
  can now authenticate to vault using JWT tokens.


- configuration: Provide a config option to store Vault server's process ID
  (PID) in a file
- mfa (Enterprise): Add the ability to use identity metadata in username
- mfa/okta (Enterprise): Add support for configuring base_url for API calls
- secret/pki: `sign-intermediate` will now allow specifying a `ttl` value
  longer than the signing CA certificate's NotAfter value.
- sys/raw: Raw storage access is now disabled by default


- auth/okta: Fix regression that removed the ability to set base_url
- core: Fix panic while loading leases at startup on ARM processors
- secret/pki: Fix `sign-self-issued` encoding the wrong subject public key

Revision 1.17 / (download) - annotate - [select for diffs], Wed Sep 6 11:44:07 2017 UTC (3 years, 9 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)

## 0.8.2 (September 5th, 2017)


- In prior versions of Vault, if authenticating via AWS IAM and
  requesting a periodic token, the period was not properly respected.
  This could lead to tokens expiring unexpectedly, or a token lifetime
  being longer than expected. Upon token renewal with Vault 0.8.2 the
  period will be properly enforced.


- `vault ssh` users should supply `-mode` and `-role` to reduce the
  number of API calls. A future version of Vault will mark these
  optional values are required. Failure to supply `-mode` or `-role`
  will result in a warning.
- Vault plugins will first briefly run a restricted version of the
  plugin to fetch metadata, and then lazy-load the plugin on first
  request to prevent crash/deadlock of Vault during the unseal process.
  Plugins will need to be built with the latest changes in order for them
  to run properly.


- Lazy Lease Loading: On startup, Vault will now load leases from
  storage in a lazy fashion (token checks and revocation/renewal
  requests still force an immediate load). For larger installations this
  can significantly reduce downtime when switching active nodes or
  bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA
  backend for authenticating to machines. It also supports remote host
  key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports
  signing self-issued CA certs. This is useful when switching root CAs.


- audit/file: Allow specifying `stdout` as the `file_path` to log to
  standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only
- auth/okta: Standarize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault
- cli: Add ability to handle wrapped responses when using `vault auth`.
  What is output depends on the other given flags; see the help output
  for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via
  `cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part
  of the parameter or within the `config` object when mounting a secret
  or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when
  mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting
  and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number
  of seconds
- secret/pki: Self-issued certs can now be signed via
- storage/gcp: Use application default credentials if they exist


- auth/aws: Properly use role-set period values for IAM-derived token
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act
- storage/consul: Fix parsing TLS configuration when using a bare IPv6
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal
- plugins: Skip mounting plugin-based secret and credential mounts when
  setting up mounts if the plugin is no longer present in the catalog.

Revision 1.16 / (download) - annotate - [select for diffs], Wed Sep 6 09:03:04 2017 UTC (3 years, 9 months ago) by wiz
Branch: MAIN
Changes since 1.15: +2 -2 lines
Diff to previous 1.15 (colored)

Follow some redirects.

Revision 1.15 / (download) - annotate - [select for diffs], Thu Aug 17 07:58:53 2017 UTC (3 years, 10 months ago) by fhajny
Branch: MAIN
Changes since 1.14: +2 -2 lines
Diff to previous 1.14 (colored)

Update security/vault to 0.8.1.


- PKI Root Generation: Calling `pki/root/generate` when a CA cert/key already
  exists will now return a `204` instead of overwriting an existing root. If
  you want to recreate the root, first run a delete operation on `pki/root`
  (requires `sudo` capability), then generate it again.


- Oracle Secret Backend: There is now an external plugin to support leased
  credentials for Oracle databases (distributed separately).
- GCP IAM Auth Backend: There is now an authentication backend that allows
  using GCP IAM credentials to retrieve Vault tokens. This is available as
  both a plugin and built-in to Vault.
- PingID Push Support for Path-Baased MFA (Enterprise): PingID Push can
  now be used for MFA with the new path-based MFA introduced in Vault
  Enterprise 0.8.
- Permitted DNS Domains Support in PKI: The `pki` backend now supports
  specifying permitted DNS domains for CA certificates, allowing you to
  narrowly scope the set of domains for which a CA can issue or sign child
- Plugin Backend Reload Endpoint: Plugin backends can now be triggered to
  reload using the `sys/plugins/reload/backend` endpoint and providing either
  the plugin name or the mounts to reload.
- Self-Reloading Plugins: The plugin system will now attempt to reload a
  crashed or stopped plugin, once per request.


- auth/approle: Allow array input for policies in addition to comma-delimited
- auth/aws: Allow using root credentials for IAM authentication
- plugins: Send logs through Vault's logger rather than stdout
- secret/pki: Add `pki/root` delete operation
- secret/pki: Don't overwrite an existing root cert/key when calling generate


- aws: Don't prefer a nil HTTP client over an existing one
- core: If there is an error when checking for create/update existence, return
  500 instead of 400
- secret/database: Avoid creating usernames that are too long for legacy MySQL

Revision 1.14 / (download) - annotate - [select for diffs], Wed Aug 16 12:18:32 2017 UTC (3 years, 10 months ago) by fhajny
Branch: MAIN
Changes since 1.13: +2 -2 lines
Diff to previous 1.13 (colored)

Update security/vault to 0.8.0.


- We've added a note to the docs about the way the GitHub auth backend works
  as it may not be readily apparent that GitHub personal access tokens, which
  are used by the backend, can be used for unauthorized access if they are
  stolen from third party services and access to Vault is public.


- Database Plugin Backends: Passwords generated for these backends now
  enforce stricter password requirements, as opposed to the previous behavior
  of returning a randomized UUID.
- Lease Endpoints: The endpoints 'sys/renew', 'sys/revoke', 'sys/revoke-prefix',
  'sys/revoke-force' have been deprecated and relocated under 'sys/leases'.
- Response Wrapping Lookup Unauthenticated: The 'sys/wrapping/lookup' endpoint
  is now unauthenticated.


- Cassandra Storage: Cassandra can now be used for Vault storage
- CockroachDB Storage: CockroachDB can now be used for Vault storage
- CouchDB Storage: CouchDB can now be used for Vault storage
- SAP HANA Database Plugin: The 'databases' backend can now manage users
  for SAP HANA databases
- Plugin Backends: Vault now supports running secret and auth backends as
- PROXY Protocol Support Vault listeners can now be configured to honor
  PROXY protocol v1 information to allow passing real client IPs into Vault.
- Lease Lookup and Browsing in the Vault Enterprise UI: Vault Enterprise UI
  now supports lookup and listing of leases and the associated actions from the
  'sys/leases' endpoints in the API.
- Filtered Mounts for Performance Mode Replication: Whitelists or
  blacklists of mounts can be defined per-secondary to control which mounts
  are actually replicated to that secondary.
- Disaster Recovery Mode Replication (Enterprise Only): There is a new
  replication mode, Disaster Recovery (DR), that performs full real-time
  replication (including tokens and leases) to DR secondaries.
- Manage New Replication Features in the Vault Enterprise UI: Support for
  Replication features in Vault Enterprise UI has expanded to include new DR
  Replication mode and management of Filtered Mounts in Performance Replication
- Vault Identity (Enterprise Only): Vault's new Identity system allows
  correlation of users across tokens.
- Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise
  Only): A brand new MFA system built on top of Identity allows MFA
  (currently Duo Push, Okta Push, and TOTP) for any authenticated path within


- api: Add client method for a secret renewer background process
- api: Add 'RenewTokenAsSelf'
- api: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
  var or with a new API function
- api/cli: Client will now attempt to look up SRV records for the given Vault
- audit/socket: Enhance reconnection logic and don't require the connection to
  be established at unseal time
- audit/file: Opportunistically try re-opening the file on error
- auth/approle: Add role name to token metadata
- auth/okta: Allow specifying 'ttl'/'max_ttl' inside the mount
- cli: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
- command/auth: Add '-token-only' flag to 'vault auth' that returns only the
  token on stdout and does not store it via the token helper
- core: CORS allowed origins can now be configured
- core: Add metrics counters for audit log failures
- cors: Allow setting allowed headers via the API instead of always using
- secret/ssh: Allow specifying the key ID format using template values for CA
- server: Add 'tls_client_ca_file' option for specifying a CA file to use for
  client certificate verification when 'tls_require_and_verify_client_cert' is
- storage/cockroachdb: Add CockroachDB storage backend
- storage/couchdb: Add CouchhDB storage backend
- storage/mssql: Add 'max_parallel'
- storage/postgresql: Add 'max_parallel'
- storage/postgresql: Improve listing speed
- storage/s3: More efficient paging when an object has a lot of subobjects
- sys/wrapping: Make 'sys/wrapping/lookup' unauthenticated
- sys/wrapping: Wrapped tokens now store the original request path of the data
- telemetry: Add support for DogStatsD


- api/health: Don't treat standby '429' codes as an error
- api/leases: Fix lease lookup returning lease properties at the top level
- audit: Fix panic when audit logging a read operation on an asymmetric
  'transit' key
- auth/approle: Fix panic when secret and cidr list not provided in role
- auth/aws: Look up proper account ID on token renew
- auth/aws: Store IAM header in all cases when it changes
- auth/ldap: Verify given certificate is PEM encoded instead of failing
- auth/token: Don't allow using the same token ID twice when manually
- cli: Fix issue with parsing keys that start with special characters
- core: Relocated 'sys/leases/renew' returns same payload as original
  'sys/leases' endpoint
- secret/ssh: Fix panic when signing with incorrect key type
- secret/totp: Ensure codes can only be used once. This makes some automated
  workflows harder but complies with the RFC.
- secret/transit: Fix locking when creating a key with unsupported options

Revision 1.13 / (download) - annotate - [select for diffs], Tue Jun 13 06:28:38 2017 UTC (4 years ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2017Q2-base, pkgsrc-2017Q2
Changes since 1.12: +2 -2 lines
Diff to previous 1.12 (colored)

Update security/vault to 0.7.3.

## 0.7.3 (June 7th, 2017)


- Cert auth backend now checks validity of individual certificates
- App-ID path salting was skipped in 0.7.1/0.7.2


- Step-Down is Forwarded


- ed25519 Signing/Verification in Transit with Key Derivation
- Key Version Specification for Encryption in Transit
- Replication Primary Discovery (Enterprise)


- api/health: Add Sys().Health()
- audit: Add auth information to requests that error out
- command/auth: Add `-no-store` option that prevents the auth command
  from storing the returned token into the configured token helper
- core/forwarding: Request forwarding now heartbeats to prevent unused
  connections from being terminated by firewalls or proxies
- plugins/databases: Add MongoDB as an internal database plugin
- storage/dynamodb: Add a method for checking the existence of
  children, speeding up deletion operations in the DynamoDB storage backend
- storage/mysql: Add max_parallel parameter to MySQL backend
- secret/databases: Support listing connections
- secret/databases: Support custom renewal statements in Postgres
  database plugin
- secret/databases: Use the role name as part of generated credentials
- ui (Enterprise): Transit key and secret browsing UI handle large
  lists better
- ui (Enterprise): root tokens are no longer persisted
- ui (Enterprise): support for mounting Database and TOTP secret


- auth/app-id: Fix regression causing loading of salts to be skipped
- auth/aws: Improve EC2 describe instances performance
- auth/aws: Fix lookup of some instance profile ARNs
- auth/aws: Resolve ARNs to internal AWS IDs which makes lookup at
  various points (e.g. renewal time) more robust
- auth/aws: Properly honor configured period when using IAM
- auth/aws: Check that a bound IAM principal is not empty (in the
  current state of the role) before requiring it match the previously
  authenticated client
- auth/cert: Fix panic on renewal
- auth/cert: Certificate verification for non-CA certs
- core/acl: Prevent race condition when compiling ACLs in some
- secret/database: Increase wrapping token TTL; in a loaded scenario
  it could be too short
- secret/generic: Allow integers to be set as the value of `ttl` field
  as the documentation claims is supported
- secret/ssh: Added host key callback to ssh client config
- storage/s3: Avoid a panic when some bad data is returned
- storage/dynamodb: Fix list functions working improperly on Windows
- storage/file: Don't leak file descriptors in some error cases
- storage/swift: Fix pre-v3 project/tenant name reading

Revision 1.12 / (download) - annotate - [select for diffs], Wed May 10 18:21:27 2017 UTC (4 years, 1 month ago) by fhajny
Branch: MAIN
Changes since 1.11: +5 -12 lines
Diff to previous 1.11 (colored)

Update security/vault to 0.7.2.

0.7.2 (May 8th, 2017)


- audit: Fix auditing entries containing certain kinds of time values

0.7.1 (May 5th, 2017)


- LDAP Auth Backend: Group membership queries will now run as the
  binddn user when binddn/bindpass are configured, rather than as the
  authenticating user as was the case previously.


- AWS IAM Authentication
- MSSQL Physical Backend
- Lease Listing and Lookup
- TOTP Secret Backend
- Database Secret Backend & Secure Plugins (Beta)


- auth/cert: Support for constraints on subject Common Name and
  DNS/email Subject Alternate Names in certificates
- auth/ldap: Use the binding credentials to search group membership
  rather than the user credentials
- cli/revoke: Add -self option to allow revoking the currently active
- core: Randomize x coordinate in Shamir shares
- tidy: Improvements to auth/token/tidy and sys/leases/tidy to handle
  more cleanup cases
- secret/pki: Add no_store option that allows certificates to be
  issued without being stored. This removes the ability to look up
  and/or add to a CRL but helps with scaling to very large numbers of
- secret/pki: If used with a role parameter, the sign-verbatim/<role>
  endpoint honors the values of generate_lease, no_store, ttl and
  max_ttl from the given role
- secret/pki: Add role parameter allow_glob_domains that enables
  defining names in allowed_domains containing * glob patterns
- secret/pki: Update certificate storage to not use characters that
  are not supported on some filesystems
- storage/etcd3: Add discovery_srv option to query for SRV records to
  find servers
- storage/s3: Support max_parallel option to limit concurrent
  outstanding requests
- storage/s3: Use pooled transport for http client
- storage/swift: Allow domain values for V3 authentication


- api: Respect a configured path in Vault's address
- auth/aws-ec2: New bounds added as criteria to allow role creation
- auth/ldap: Don't lowercase groups attached to users
- cli: Don't panic if vault write is used with the force flag but no
- core: Help operations should request forward since standbys may not
  have appropriate info
- replication: Fix enabling secondaries when certain mounts already
  existed on the primary
- secret/mssql: Update mssql driver to support queries with colons
- secret/pki: Don't lowercase O/OU values in certs
- secret/pki: Don't attempt to validate IP SANs if none are provided

Revision 1.11 / (download) - annotate - [select for diffs], Thu Apr 13 15:12:06 2017 UTC (4 years, 2 months ago) by bsiegert
Branch: MAIN
Changes since 1.10: +2 -1 lines
Diff to previous 1.10 (colored)

Revbump all Go packages after the Go 1.8.1 update.

Revision 1.10 / (download) - annotate - [select for diffs], Mon Mar 20 15:15:28 2017 UTC (4 years, 3 months ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2017Q1-base, pkgsrc-2017Q1
Changes since 1.9: +2 -2 lines
Diff to previous 1.9 (colored)

Update security/vault to 0.7.0.


* Common name not being validated when `exclude_cn_from_sans` option used in
  `pki` backend


* List Operations Always Use Trailing Slash
* PKI Defaults to Unleased Certificates


* Replication (Enterprise)
* Response Wrapping & Replication in the Vault Enterprise UI
* Expanded Access Control Policies
* SSH Backend As Certificate Authority


* api/request: Passing username and password information in API request
* audit: Logging the token's use count with authentication response and
  logging the remaining uses of the client token with request
* auth/approle: Support for restricting the number of uses on the tokens
* auth/aws-ec2: AWS EC2 auth backend now supports constraints for VPC ID,
  Subnet ID and Region
* auth/ldap: Use the value of the `LOGNAME` or `USER` env vars for the
  username if not explicitly set on the command line when authenticating
* audit: Support adding a configurable prefix (such as `@cee`) before each
* core: Canonicalize list operations to use a trailing slash
* core: Add option to disable caching on a per-mount level
* core: Add ability to require valid client certs in listener config
* physical/dynamodb: Implement a session timeout to avoid having to use
  recovery mode in the case of an unclean shutdown, which makes HA much safer
* secret/pki: O (Organization) values can now be set to role-defined values
  for issued/signed certificates
* secret/pki: Certificates issued/signed from PKI backend do not generate
  leases by default
* secret/pki: When using DER format, still return the private key type
* secret/pki: Add an intermediate to the CA chain even if it lacks an
  authority key ID
* secret/pki: Add role option to use CSR SANs
* secret/ssh: SSH backend as CA to sign user and host certificates
* secret/ssh: Support reading of SSH CA public key from `config/ca` endpoint
  and also return it when CA key pair is generated


* audit: When auditing headers use case-insensitive comparisons
* auth/aws-ec2: Return role period in seconds and not nanoseconds
* auth/okta: Fix panic if user had no local groups and/or policies set
* command/server: Fix parsing of redirect address when port is not mentioned
* physical/postgresql: Fix listing returning incorrect results if there were
  multiple levels of children

Full changelog:

Revision 1.9 / (download) - annotate - [select for diffs], Mon Feb 13 14:23:08 2017 UTC (4 years, 4 months ago) by fhajny
Branch: MAIN
Changes since 1.8: +2 -2 lines
Diff to previous 1.8 (colored)

Update security/vault to 0.6.5.


- Okta Authentication: A new Okta authentication backend allows you to use
  Okta usernames and passwords to authenticate to Vault. If provided with an
  appropriate Okta API token, group membership can be queried to assign
  policies; users and groups can be defined locally as well.
- RADIUS Authentication: A new RADIUS authentication backend allows using
  a RADIUS server to authenticate to Vault. Policies can be configured for
  specific users or for any authenticated user.
- Exportable Transit Keys: Keys in `transit` can now be marked as
  `exportable` at creation time. This allows a properly ACL'd user to retrieve
  the associated signing key, encryption key, or HMAC key. The `exportable`
  value is returned on a key policy read and cannot be changed, so if a key is
  marked `exportable` it will always be exportable, and if it is not it will
  never be exportable.
- Batch Transit Operations: `encrypt`, `decrypt` and `rewrap` operations
  in the transit backend now support processing multiple input items in one
  call, returning the output of each item in the response.
- Configurable Audited HTTP Headers: You can now specify headers that you
  want to have included in each audit entry, along with whether each header
  should be HMAC'd or kept plaintext. This can be useful for adding additional
  client or network metadata to the audit logs.
- Transit Backend UI (Enterprise): Vault Enterprise UI now supports the transit
  backend, allowing creation, viewing and editing of named keys as well as using
  those keys to perform supported transit operations directly in the UI.
- Socket Audit Backend A new socket audit backend allows audit logs to be sent
  through TCP, UDP, or UNIX Sockets.


- auth/aws-ec2: Add support for cross-account auth using STS
- auth/aws-ec2: Support issuing periodic tokens
- auth/github: Support listing teams and users
- auth/ldap: Support adding policies to local users directly, in addition to
  local groups
- command/server: Add ability to select and prefer server cipher suites
- core: Add a nonce to unseal operations as a check (useful mostly for
  support, not as a security principle)
- duo: Added ability to supply extra context to Duo pushes
- physical/consul: Add option for setting consistency mode on Consul gets
- physical/etcd: Full v3 API support; code will autodetect which API version
  to use. The v3 code path is significantly less complicated and may be much
  more stable.
- secret/pki: Allow specifying OU entries in generated certificate subjects
- secret mount ui (Enterprise): the secret mount list now shows all mounted
  backends even if the UI cannot browse them. Additional backends can now be
  mounted from the UI as well.


- auth/token: Fix regression in 0.6.4 where using token store roles as a
  blacklist (with only `disallowed_policies` set) would not work in most
- physical/s3: Page responses in client so list doesn't truncate
- secret/cassandra: Stop a connection leak that could occur on active node
- secret/pki: When using `sign-verbatim`, don't require a role and use the
  CSR's common name

Revision 1.8 / (download) - annotate - [select for diffs], Tue Jan 3 07:44:01 2017 UTC (4 years, 5 months ago) by fhajny
Branch: MAIN
Changes since 1.7: +2 -3 lines
Diff to previous 1.7 (colored)

Update security/vault to 0.6.4


- default Policy Privilege Escalation: If a parent token did not have
  the default policy attached to its token, it could still create
  children with the default policy. This is no longer allowed (unless
  the parent has sudo capability for the creation path). In most cases
  this is low severity since the access grants in the default policy are
  meant to be access grants that are acceptable for all tokens to have.
- Leases Not Expired When Limited Use Token Runs Out of Uses: When
  using limited-use tokens to create leased secrets, if the
  limited-use token was revoked due to running out of uses (rather than
  due to TTL expiration or explicit revocation) it would fail to revoke
  the leased secrets. These secrets would still be revoked when their
  TTL expired, limiting the severity of this issue. An endpoint has been
  added (auth/token/tidy) that can perform housekeeping tasks on the
  token store; one of its tasks can detect this situation and revoke the
  associated leases.


- Policy UI (Enterprise): Vault Enterprise UI now supports viewing,
  creating, and editing policies.


- http: Vault now sets a no-store cache control header to make it more
  secure in setups that are not end-to-end encrypted


- auth/ldap: Don't panic if dialing returns an error and starttls is
  enabled; instead, return the error
- ui (Enterprise): Submitting an unseal key now properly resets the
  form so a browser refresh isn't required to continue.

0.6.3 (December 6, 2016)


- Request size limitation: A maximum request size of 32MB is imposed
  to prevent a denial of service attack with arbitrarily large
- LDAP denies passwordless binds by default: In new LDAP mounts, or
  when existing LDAP mounts are rewritten, passwordless binds will be
  denied by default. The new deny_null_bind parameter can be set to
  false to allow these.
- Any audit backend activated satisfies conditions: Previously, when a
  new Vault node was taking over service in an HA cluster, all audit
  backends were required to be loaded successfully to take over active
  duty. This behavior now matches the behavior of the audit logging
  system itself: at least one audit backend must successfully be loaded.
  The server log contains an error when this occurs. This helps keep a
  Vault HA cluster working when there is a misconfiguration on a standby


- Web UI (Enterprise): Vault Enterprise now contains a built-in web UI
  that offers access to a number of features, including
  init/unsealing/sealing, authentication via userpass or LDAP, and K/V
  reading/writing. The capability set of the UI will be expanding
  rapidly in further releases. To enable it, set ui = true in the top
  level of Vault's configuration file and point a web browser at your
  Vault address.
- Google Cloud Storage Physical Backend: You can now use GCS for
  storing Vault data


- auth/github: Policies can now be assigned to users as well as to
- cli: Set the number of retries on 500 down to 0 by default (no
  retrying). It can be very confusing to users when there is a pause
  while the retries happen if they haven't explicitly set it. With
  request forwarding the need for this is lessened anyways.
- core: Response wrapping is now allowed to be specified by backend
  responses (requires backends gaining support)
- physical/consul: When announcing service, use the scheme of the
  Vault server rather than the Consul client
- secret/consul: Added listing functionality to roles
- secret/postgresql: Added revocation_sql parameter on the role
  endpoint to enable customization of user revocation SQL statements
- secret/transit: Add listing of keys


- api/unwrap, command/unwrap: Increase compatibility of unwrap command
  with Vault 0.6.1 and older
- api/unwrap, command/unwrap: Fix error when no client token exists
- auth/approle: Creating the index for the role_id properly
- auth/aws-ec2: Handle the case of multiple upgrade attempts when
  setting the instance-profile ARN
- auth/ldap: Avoid leaking connections on login
- command/path-help: Use the actual error generated by Vault rather
  than always using 500 when there is a path help error
- command/ssh: Use temporary file for identity and ensure its deletion
  before the command returns
- cli: Fix error printing values with -field if the values contained
  formatting directives
- command/server: Don't say mlock is supported on OSX when it isn't.
- core: Fix bug where a failure to come up as active node (e.g. if an
  audit backend failed) could lead to deadlock
- physical/mysql: Fix potential crash during setup due to a query
- secret/consul: Fix panic on user error

Revision 1.7 / (download) - annotate - [select for diffs], Sun Dec 4 16:30:00 2016 UTC (4 years, 6 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q4-base, pkgsrc-2016Q4
Changes since 1.6: +2 -2 lines
Diff to previous 1.6 (colored)

Revbump Go packages after 1.7.4 update.

Revision 1.6 / (download) - annotate - [select for diffs], Sat Oct 29 08:59:49 2016 UTC (4 years, 7 months ago) by bsiegert
Branch: MAIN
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored)

Revbump packages depending on Go after the Go 1.7.3 update.

Revision 1.5 / (download) - annotate - [select for diffs], Wed Oct 26 11:49:11 2016 UTC (4 years, 7 months ago) by fhajny
Branch: MAIN
Changes since 1.4: +2 -3 lines
Diff to previous 1.4 (colored)

Update security/vault to 0.6.2.

- Convergent Encryption v2: New keys in transit using convergent mode will
  use a new nonce derivation mechanism rather than require the user to
  supply a nonce. While not explicitly increasing security, it minimizes the
  likelihood that a user will use the mode improperly and impact the security
  of their keys. Keys in convergent mode that were created in v0.6.1 will
  continue to work with the same mechanism (user-supplied nonce).
- etcd HA off by default: Following in the footsteps of dynamodb, the etcd
  storage backend now requires that ha_enabled be explicitly specified in
  the configuration file. The backend currently has known broken HA behavior,
  so this flag discourages use by default without explicitly enabling it. If
  you are using this functionality, when upgrading, you should set ha_enabled
  to "true" before starting the new versions of Vault.
- Default/Max lease/token TTLs are now 32 days: In previous versions of
  Vault the default was 30 days, but moving it to 32 days allows some
  operations (e.g. reauthenticating, renewing, etc.) to be performed via a
  monthly cron job.
- AppRole Secret ID endpoints changed: Secret ID and Secret ID accessors are
  no longer part of request URLs. The GET and DELETE operations are now
  moved to new endpoints (/lookup and /destroy) which consumes the input from
  the body and not the URL.
- AppRole requires at least one constraint: previously it was sufficient to
  turn off all AppRole authentication constraints (secret ID, CIDR block)
  and use the role ID only. It is now required that at least one additional
  constraint is enabled. Existing roles are unaffected, but any new roles or
  updated roles will require this.
- Reading wrapped responses from cubbyhole/response is deprecated. The
  sys/wrapping/unwrap endpoint should be used instead as it provides
  additional security, auditing, and other benefits. The ability to read
  directly will be removed in a future release.
- Request Forwarding is now on by default: in 0.6.1 this required toggling
  on, but is now enabled by default. This can be disabled via the
  "disable_clustering" parameter in Vault's config, or per-request with the
  X-Vault-No-Request-Forwarding header.
- In prior versions a bug caused the bound_iam_role_arn value in the aws-ec2
  authentication backend to actually use the instance profile ARN. This has
  been corrected, but as a result there is a behavior change. To match using
  the instance profile ARN, a new parameter bound_iam_instance_profile_arn has
  been added. Existing roles will automatically transfer the value over to the
  correct parameter, but the next time the role is updated, the new meanings
  will take effect.

- Secret ID CIDR Restrictions in AppRole: Secret IDs generated under an
  approle can now specify a list of CIDR blocks from where the requests to
  generate secret IDs should originate from. If an approle already has CIDR
  restrictions specified, the CIDR restrictions on the secret ID should be a
  subset of those specified on the role [GH-1910]
- Initial Root Token PGP Encryption: Similar to generate-root, the root
  token created at initialization time can now be PGP encrypted [GH-1883]
- Support Chained Intermediate CAs in pki: The pki backend now allows, when
  a CA cert is being supplied as a signed root or intermediate, a trust
  chain of arbitrary length. The chain is returned as a parameter at
  certificate issue/sign time and is retrievable independently as well.
- Response Wrapping Enhancements: There are new endpoints to look up
  response wrapped token parameters; wrap arbitrary values; rotate wrapping
  tokens; and unwrap with enhanced validation. In addition, list operations
  can now be response-wrapped. [GH-1927]
- Transit features: The transit backend now supports generating random bytes
  and SHA sums; HMACs; and signing and verification functionality using EC
  keys (P-256 curve)

- api: Return error when an invalid (as opposed to incorrect) unseal key is
  submitted, rather than ignoring it [GH-1782]
- api: Add method to call auth/token/create-orphan endpoint [GH-1834]
- api: Rekey operation now redirects from standbys to master [GH-1862]
- audit/file: Sending a SIGHUP to Vault now causes Vault to close and
  re-open the log file, making it easier to rotate audit logs [GH-1953]
- auth/aws-ec2: EC2 instances can get authenticated by presenting the
  identity document and its SHA256 RSA digest [GH-1961]
- auth/aws-ec2: IAM bound parameters on the aws-ec2 backend will perform a
  prefix match instead of exact match [GH-1943]
- auth/aws-ec2: Added a new constraint bound_iam_instance_profile_arn to
  refer to IAM instance profile ARN and fixed the earlier bound_iam_role_arn
  to refer to IAM role ARN instead of the instance profile ARN [GH-1913]
- auth/aws-ec2: Backend generates the nonce by default and clients can
  explicitly disable reauthentication by setting empty nonce [GH-1889]
- auth/token: Added warnings if tokens and accessors are used in URLs
- command/format: The format flag on select CLI commands takes yml as an
  alias for yaml [GH-1899]
- core: Allow the size of the read cache to be set via the config file, and
  change the default value to 1MB (from 32KB) [GH-1784]
- core: Allow single and two-character path parameters for most places
- core: Allow list operations to be response-wrapped [GH-1814]
- core: Provide better protection against timing attacks in Shamir code
- core: Unmounting/disabling backends no longer returns an error if the
  mount didn't exist. This is line with elsewhere in Vault's API where
  DELETE is an idempotent operation. [GH-1903]
- credential/approle: At least one constraint is required to be enabled
  while creating and updating a role [GH-1882]
- secret/cassandra: Added consistency level for use with roles [GH-1931]
- secret/mysql: SQL for revoking user can be configured on the role
- secret/transit: Use HKDF (RFC 5869) as the key derivation function for new
  keys [GH-1812]
- secret/transit: Empty plaintext values are now allowed [GH-1874]

- audit: Fix panic being caused by some values logging as underlying Go
  types instead of formatted strings [GH-1912]
- auth/approle: Fixed panic on deleting approle that doesn't exist [GH-1920]
- auth/approle: Not letting secret IDs and secret ID accessors to get logged
  in plaintext in audit logs [GH-1947]
- auth/aws-ec2: Allow authentication if the underlying host is in a bad
  state but the instance is running [GH-1884]
- auth/token: Fixed metadata getting missed out from token lookup response
  by gracefully handling token entry upgrade [GH-1924]
- cli: Don't error on newline in token file [GH-1774]
- core: Pass back content-type header for forwarded requests [GH-1791]
- core: Fix panic if the same key was given twice to generate-root [GH-1827]
- core: Fix potential deadlock on unmount/remount [GH-1793]
- physical/file: Remove empty directories from the file storage backend
- physical/zookeeper: Remove empty directories from the zookeeper storage
  backend and add a fix to the file storage backend's logic [GH-1964]
- secret/aws: Added update operation to aws/sts path to consider ttl
  parameter [39b75c6]
- secret/aws: Mark STS secrets as non-renewable [GH-1804]
- secret/cassandra: Properly store session for re-use [GH-1802]
- secret/ssh: Fix panic when revoking SSH dynamic keys [GH-1781]

Revision 1.4 / (download) - annotate - [select for diffs], Sat Sep 10 19:47:21 2016 UTC (4 years, 9 months ago) by bsiegert
Branch: MAIN
CVS Tags: pkgsrc-2016Q3-base, pkgsrc-2016Q3
Changes since 1.3: +2 -1 lines
Diff to previous 1.3 (colored)

Revbump all Go packages after the Go 1.7.1 update.

Revision 1.3 / (download) - annotate - [select for diffs], Fri Sep 9 13:26:04 2016 UTC (4 years, 9 months ago) by fhajny
Branch: MAIN
Changes since 1.2: +2 -3 lines
Diff to previous 1.2 (colored)

Update security/vault to 0.6.1.

0.6.1 (August 22, 2016)


- Once the active node is 0.6.1, standby nodes must also be 0.6.1
  in order to connect to the HA cluster.
- Status codes for sealed/uninitialized Vaults have changed to
  503/501 respectively.
- Root tokens (tokens with the root policy) can no longer be
  created except by another root token or the generate-root
- Issued certificates from the pki backend against new roles
  created or modified after upgrading will contain a set of
  default key usages.
- The dynamodb physical data store no longer supports HA by
- The ldap backend no longer searches for memberOf groups as part
  of its normal flow. Instead, the desired group filter must be
- app-id is now deprecated with the addition of the new AppRole


- AppRole Authentication Backend: The approle backend is a
  machine-oriented authentication backend that provides a similar
  concept to App-ID while adding many missing features, including a
  pull model that allows for the backend to generate authentication
  credentials rather than requiring operators or other systems to
  push credentials in.
- Request Forwarding: Vault servers can now forward requests to
  each other rather than redirecting clients. This feature is off
  by default in 0.6.1 but will be on by default in the next release.
- Convergent Encryption in Transit: The transit backend now
  supports a convergent encryption mode where the same plaintext
  will produce the same ciphertext.
- Improved LDAP Group Filters: The ldap auth backend now uses
  templates to define group filters, providing the capability to
  support some directories that could not easily be supported before
  (especially specific Active Directory setups with nested groups).
- Key Usage Control in PKI: Issued certificates from roles created
  or modified after upgrading contain a set of default key usages
  for increased compatibility with OpenVPN and some other software.
- Request Retrying in the CLI and Go API: Requests that fail with
  a 5xx error code will now retry after a backoff. The maximum
  total number of retries (including disabling this functionality)
  can be set with an environment variable.
- Service Discovery in vault init: The new -auto option on vault
  init will perform service discovery using Consul.
- MongoDB Secret Backend: Generate dynamic unique MongoDB database
  credentials based on configured roles.
- Circonus Metrics Integration: Vault can now send metrics to


- audit: Added a unique identifier to each request which will also
  be found in the request portion of the response.
- auth/aws-ec2: Added a new constraint bound_account_id to the
- auth/aws-ec2: Added a new constraint bound_iam_role_arn to the
- auth/aws-ec2: Added ttl field for the role
- auth/ldap, secret/cassandra, physical/consul: Clients with
  tls.Config have the minimum TLS version set to 1.2 by default.
- auth/token: Added endpoint to list accessors
- auth/token: Added disallowed_policies option to token store
- auth/token: root or sudo tokens can now create periodic tokens
  via auth/token/create; additionally, the same token can now be
  periodic and have an explicit max TTL
- build: Add support for building on Solaris/Illumos
- cli: Output formatting in the presence of warnings in the
  response object
- cli: vault auth command supports a -path option to take in the
  path at which the auth backend is enabled, thereby allowing
  authenticating against different paths using the command options
- cli: vault auth -methods will now display the config settings of
  the mount
- cli: vault read/write/unwrap -field now allows selecting token
  response fields
- cli: vault write -field now allows selecting wrapped response
- command/status: Version information and cluster details added to
  the output of vault status command
- core: Response wrapping is now enabled for login endpoints
- core: The duration of leadership is now exported via events
  through telemetry
- core: sys/capabilities-self is now accessible as part of the
  default policy
- core: sys/renew is now accessible as part of the default policy
- core: Unseal keys will now be returned in both hex and base64
  forms, and either can be used
- core: Responses from most /sys endpoints now return normal
  api.Secret structs in addition to the values they carried
- physical/etcd: Support ETCD_ADDR env var for specifying
- physical/consul: Allowing additional tags to be added to Consul
  service registration via service_tags option
- secret/aws: Listing of roles is supported now
- secret/cassandra: Add connect_timeout value for Cassandra
  connection configuration
- secret/mssql,mysql,postgresql: Reading of connection settings is
  supported in all the sql backends
- secret/mysql: Added optional maximum idle connections value to
  MySQL connection configuration
- secret/mysql: Use a combination of the role name and token
  display name in generated user names and allow the length to be
- secret/{cassandra,mssql,mysql,postgresql}: SQL statements can
  now be passed in via one of four ways: a semicolon-delimited
  string, a base64-delimited string, a serialized JSON string array,
  or a base64-encoded serialized JSON string array
- secret/ssh: Added allowed_roles to vault-ssh-helper's config and
  returning role name as part of response of verify API
- secret/ssh: Added passthrough of command line arguments to ssh
- sys/health: Added version information to the response of health
  status endpoint
- sys/health: Cluster information isbe returned as part of health
  status when Vault is unsealed
- sys/mounts: MountTable data is compressed before serializing to
  accommodate thousands of mounts
- website: The token concepts page has been completely rewritten


- auth/aws-ec2: Added a nil check for stored whitelist identity
  object during renewal
- auth/cert: Fix panic if no client certificate is supplied
- auth/token: Don't report that a non-expiring root token is
  renewable, as attempting to renew it results in an error
- cli: Don't retry a command when a redirection is received
- core: Fix regression causing status codes to be 400 in most
  non-5xx error cases
- core: Fix panic that could occur during a leadership transition
- physical/postgres: Remove use of prepared statements as this
  causes connection multiplexing software to break
- physical/consul: Multiple Vault nodes on the same machine
  leading to check ID collisions were resulting in incorrect
  health check responses
- physical/consul: Fix deregistration of health checks on exit
- secret/postgresql: Check for existence of role before attempting
- secret/postgresql: Handle revoking roles that have privileges on
- secret/postgresql(,mysql,mssql): Fix incorrect use of database
  over transaction object which could lead to connection
- secret/pki: Fix parsing CA bundle containing trailing whitespace
- secret/pki: Fix adding email addresses as SANs
- secret/pki: Ensure that CRL values are always UTC, per RFC
- sys/seal-status: Fixed nil Cluster object while checking seal

0.6.0 (June 14th, 2016)


Although sys/revoke-prefix was intended to revoke prefixes of
secrets (via lease IDs, which incorporate path information) and
auth/token/revoke-prefix was intended to revoke prefixes of tokens
(using the tokens' paths and, since 0.5.2, role information), in
implementation they both behaved exactly the same way since a
single component in Vault is responsible for managing lifetimes of
both, and the type of the tracked lifetime was not being checked.
The end result was that either endpoint could revoke both secret
leases and tokens. We consider this a very minor security issue as
there are a number of mitigating factors: both endpoints require
sudo capability in addition to write capability, preventing
blanket ACL path globs from providing access; both work by using
the prefix to revoke as a part of the endpoint path, allowing them
to be properly ACL'd; and both are intended for emergency
scenarios and users should already not generally have access to
either one. In order to prevent confusion, we have simply removed
auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be
meant for both leases and tokens instead.


- auth/token/revoke-prefix has been removed. See the security
  notice for details.
- Vault will now automatically register itself as the vault
  service when using the consul backend and will perform its own
  health checks.
- List operations that do not find any keys now return a 404
  status code rather than an empty response object
- CA certificates issued from the pki backend no longer have
  associated leases, and any CA certs already issued will ignore
  revocation requests from the lease manager.


- AWS EC2 Auth Backend: Provides a secure introduction mechanism
  for AWS EC2 instances allowing automated retrieval of Vault
- Response Wrapping: Nearly any response within Vault can now be
  wrapped inside a single-use, time-limited token's cubbyhole,
  taking the Cubbyhole Authentication Principles mechanism to its
  logical conclusion.
- Azure Physical Backend: You can now use Azure blob object
  storage as your Vault physical data store
- Swift Physical Backend: You can now use Swift blob object
  storage as your Vault physical data store
- Consul Backend Health Checks: The Consul backend will
  automatically register a vault service and perform its own
  health checking.
- Explicit Maximum Token TTLs: You can now set explicit maximum
  TTLs on tokens that do not honor changes in the system- or
  mount-set values.
- Non-Renewable Tokens: When creating tokens directly through the
  token authentication backend, you can now specify in both token
  store roles and the API whether or not a token should be
  renewable, defaulting to true.
- RabbitMQ Secret Backend: Vault can now generate credentials for
  RabbitMQ. Vhosts and tags can be defined within roles.


- audit: Add the DisplayName value to the copy of the Request
  object embedded in the associated Response, to match the
  original Request object
- audit: Enable auditing of the seal and step-down commands
- backends: Remove most root/sudo paths in favor of normal ACL
- command/auth: Restore the previous authenticated token if the
  auth command fails to authenticate the provided token
- command/write: -format and -field can now be used with the write
- core: Add mlock support for FreeBSD, OpenBSD, and Darwin
- core: Don't keep lease timers around when tokens are revoked
- core: If using the disable_cache option, caches for the policy
  store and the transit backend are now disabled as well
- credential/cert: Renewal requests are rejected if the set of
  policies has changed since the token was issued
- credential/cert: Check CRLs for specific non-CA certs configured
  in the backend
- credential/ldap: If groupdn is not configured, skip searching
  LDAP and only return policies for local groups, plus a warning
- credential/ldap: vault list support for users and groups
- credential/ldap: Support for the memberOf attribute for group
  membership searching
- credential/userpass: Add list support for users
- credential/userpass: Remove user configuration paths from
  requiring sudo, in favor of normal ACL mechanisms
- credential/token: Sanitize policies and add default policies in
  appropriate places
- credential/token: Setting the renewable status of a token is now
  possible via vault token-create and the API.
- secret/aws: Use chain credentials to allow environment/EC2
  instance/shared providers
- secret/aws: Support for STS AssumeRole functionality
- secret/consul: Reading consul access configuration supported.
- secret/pki: Added exclude_cn_from_sans field to prevent adding
  the CN to DNS or Email Subject Alternate Names
- secret/pki: Added list support for certificates
- sys/capabilities: Enforce ACL checks for requests that query the
  capabilities of a token on a given path
- sys/health: Status information can now be retrieved with HEAD


- command/read: Fix panic when using -field with a non-string
- command/token-lookup: Fix TTL showing as 0 depending on how a
  token was created.
- command/various: Tell the JSON decoder to not convert all
  numbers to floats; fixes some various places where numbers were
  showing up in scientific notation
- command/server: Prioritized devRootTokenID and devListenAddress
  flags over their respective env vars
- command/ssh: Provided option to disable host key checking.
- core: Properly persist mount-tuned TTLs for auth backends
- core: Don't accidentally crosswire SIGINT to the reload handler
- credential/github: Make organization comparison case-insensitive
  during login
- credential/github: Fix panic when renewing a token created with
  some earlier versions of Vault
- credential/github: The token used to log in via vault auth can
  now be specified in the VAULT_AUTH_GITHUB_TOKEN environment
- credential/ldap: Fix problem where certain error conditions when
  configuring or opening LDAP connections would cause a panic
  instead of return a useful error message
- credential/token: Fall back to normal parent-token semantics if
  allowed_policies is empty for a role.
- credential/token: Fix issues renewing tokens when using the
  "suffix" capability of token roles
- credential/token: Fix lookup via POST showing the request token
  instead of the desired token
- credential/various: Fix renewal conditions when default policy
  is not contained in the backend config
- physical/s3: Don't panic in certain error cases from bad S3
- secret/consul: Use non-pooled Consul API client to avoid leaving
  files open
- secret/pki: Don't check whether a certificate is destined to be
  a CA certificate if sign-verbatim endpoint is used

0.5.3 (May 27th, 2016)


Consul ACL Token Revocation: An issue was reported to us
indicating that generated Consul ACL tokens were not being
properly revoked. Upon investigation, we found that this behavior
was reproducible in a specific scenario: when a generated lease
for a Consul ACL token had been renewed prior to revocation. In
this case, the generated token was not being properly persisted
internally through the renewal function, leading to an error
during revocation due to the missing token. Unfortunately, this
was coded as a user error rather than an internal error, and the
revocation logic was expecting internal errors if revocation
failed. As a result, the revocation logic believed the revocation
to have succeeded when it in fact failed, causing the lease to be
dropped while the token was still valid within Consul. In this
release, the Consul backend properly persists the token through
renewals, and the revocation logic has been changed to consider
any error type to have been a failure to revoke, causing the lease
to persist and attempt to be revoked later.

Revision 1.2 / (download) - annotate - [select for diffs], Sat Aug 20 09:21:46 2016 UTC (4 years, 10 months ago) by bsiegert
Branch: MAIN
Changes since 1.1: +2 -1 lines
Diff to previous 1.1 (colored)

Revbump packages using Go for Go 1.7 release.

Revision 1.1 / (download) - annotate - [select for diffs], Fri May 6 13:35:52 2016 UTC (5 years, 1 month ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2016Q2-base, pkgsrc-2016Q2

Import vault-0.5.2 as security/vault.

Vault is a tool for securely accessing secrets. A secret is
anything that you want to tightly control access to, such as API
keys, passwords, certificates, and more. Vault provides a unified
interface to any secret, while providing tight access control and
recording a detailed audit log.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.

CVSweb <>