Up to [cvs.NetBSD.org] / pkgsrc / security / vault
Request diff between arbitrary revisions
Default branch: MAIN
Current tag: pkgsrc-
Revision 1.17 / (download) - annotate - [select for diffs], Wed Sep 6 11:44:07 2017 UTC (20 months, 2 weeks ago) by fhajny
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)
## 0.8.2 (September 5th, 2017) SECURITY: - In prior versions of Vault, if authenticating via AWS IAM and requesting a periodic token, the period was not properly respected. This could lead to tokens expiring unexpectedly, or a token lifetime being longer than expected. Upon token renewal with Vault 0.8.2 the period will be properly enforced. DEPRECATIONS/CHANGES: - `vault ssh` users should supply `-mode` and `-role` to reduce the number of API calls. A future version of Vault will mark these optional values are required. Failure to supply `-mode` or `-role` will result in a warning. - Vault plugins will first briefly run a restricted version of the plugin to fetch metadata, and then lazy-load the plugin on first request to prevent crash/deadlock of Vault during the unseal process. Plugins will need to be built with the latest changes in order for them to run properly. FEATURES: - Lazy Lease Loading: On startup, Vault will now load leases from storage in a lazy fashion (token checks and revocation/renewal requests still force an immediate load). For larger installations this can significantly reduce downtime when switching active nodes or bringing Vault up from cold start. - SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA backend for authenticating to machines. It also supports remote host key verification through the SSH CA backend, if enabled. - Signing of Self-Issued Certs in PKI: The `pki` backend now supports signing self-issued CA certs. This is useful when switching root CAs. IMPROVEMENTS: - audit/file: Allow specifying `stdout` as the `file_path` to log to standard output - auth/aws: Allow wildcards in `bound_iam_principal_id` - auth/okta: Compare groups case-insensitively since Okta is only case-preserving - auth/okta: Standarize Okta configuration APIs across backends - cli: Add subcommand autocompletion that can be enabled with `vault -autocomplete-install` - cli: Add ability to handle wrapped responses when using `vault auth`. What is output depends on the other given flags; see the help output for that command for more information. - core: TLS cipher suites used for cluster behavior can now be set via `cluster_cipher_suites` in configuration - core: The `plugin_name` can now either be specified directly as part of the parameter or within the `config` object when mounting a secret or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively - core: It is now possible to update the `description` of a mount when mount-tuning, although this must be done through the HTTP layer - secret/databases/mongo: If an EOF is encountered, attempt reconnecting and retrying the operation - secret/pki: TTLs can now be specified as a string or an integer number of seconds - secret/pki: Self-issued certs can now be signed via `pki/root/sign-self-issued` - storage/gcp: Use application default credentials if they exist BUG FIXES: - auth/aws: Properly use role-set period values for IAM-derived token renewals - auth/okta: Fix updating organization/ttl/max_ttl after initial setting - core: Fix PROXY when underlying connection is TLS - core: Policy-related commands would sometimes fail to act case-insensitively - storage/consul: Fix parsing TLS configuration when using a bare IPv6 address - plugins: Lazy-load plugins to prevent crash/deadlock during unseal process. - plugins: Skip mounting plugin-based secret and credential mounts when setting up mounts if the plugin is no longer present in the catalog.
This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.