The NetBSD Project

CVS log for pkgsrc/security/vault/Makefile

[BACK] Up to [cvs.NetBSD.org] / pkgsrc / security / vault

Request diff between arbitrary revisions


Default branch: MAIN
Current tag: pkgsrc-2017Q3


Revision 1.17 / (download) - annotate - [select for diffs], Wed Sep 6 11:44:07 2017 UTC (2 years, 1 month ago) by fhajny
Branch: MAIN
CVS Tags: pkgsrc-2017Q3-base, pkgsrc-2017Q3, pkgsrc-
Changes since 1.16: +2 -2 lines
Diff to previous 1.16 (colored)

## 0.8.2 (September 5th, 2017)

SECURITY:

- In prior versions of Vault, if authenticating via AWS IAM and
  requesting a periodic token, the period was not properly respected.
  This could lead to tokens expiring unexpectedly, or a token lifetime
  being longer than expected. Upon token renewal with Vault 0.8.2 the
  period will be properly enforced.

DEPRECATIONS/CHANGES:

- `vault ssh` users should supply `-mode` and `-role` to reduce the
  number of API calls. A future version of Vault will mark these
  optional values are required. Failure to supply `-mode` or `-role`
  will result in a warning.
- Vault plugins will first briefly run a restricted version of the
  plugin to fetch metadata, and then lazy-load the plugin on first
  request to prevent crash/deadlock of Vault during the unseal process.
  Plugins will need to be built with the latest changes in order for them
  to run properly.

FEATURES:

- Lazy Lease Loading: On startup, Vault will now load leases from
  storage in a lazy fashion (token checks and revocation/renewal
  requests still force an immediate load). For larger installations this
  can significantly reduce downtime when switching active nodes or
  bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA
  backend for authenticating to machines. It also supports remote host
  key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports
  signing self-issued CA certs. This is useful when switching root CAs.

IMPROVEMENTS:

- audit/file: Allow specifying `stdout` as the `file_path` to log to
  standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only
  case-preserving
- auth/okta: Standarize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault
  -autocomplete-install`
- cli: Add ability to handle wrapped responses when using `vault auth`.
  What is output depends on the other given flags; see the help output
  for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via
  `cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part
  of the parameter or within the `config` object when mounting a secret
  or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when
  mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting
  and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number
  of seconds
- secret/pki: Self-issued certs can now be signed via
  `pki/root/sign-self-issued`
- storage/gcp: Use application default credentials if they exist

BUG FIXES:

- auth/aws: Properly use role-set period values for IAM-derived token
  renewals
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act
  case-insensitively
- storage/consul: Fix parsing TLS configuration when using a bare IPv6
  address
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal
  process.
- plugins: Skip mounting plugin-based secret and credential mounts when
  setting up mounts if the plugin is no longer present in the catalog.

This form allows you to request diff's between any two revisions of a file. You may select a symbolic revision name using the selection box or you may type in a numeric name using the type-in text box.




CVSweb <webmaster@jp.NetBSD.org>