Releases: hashicorp/vault

v1.14.8

05 Dec 20:47
446f213

1.14.8

SECURITY:

  • core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. Upgrading is strongly recommended. (See CVE-2023-6337 & HCSEC-2023-34.)

CHANGES:

  • identity (enterprise): POST requests to the /identity/entity/merge endpoint are now always forwarded from standbys to the active node. [GH-24325]

BUG FIXES:

  • agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library. [GH-24252]
  • api: Fix deadlock on calls to sys/leader with a namespace configured on the request. [GH-24256]
  • core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [GH-24336]
  • ui: Fix payload sent when disabling replication [GH-24292]

v1.13.12

05 Dec 20:40
c19fea2

1.13.12

SECURITY:

  • core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. Upgrading is strongly recommended. (See CVE-2023-6337 & HCSEC-2023-34.)

CHANGES:

  • identity (enterprise): POST requests to the /identity/entity/merge endpoint are now always forwarded from standbys to the active node. [GH-24325]

BUG FIXES:

  • api: Fix deadlock on calls to sys/leader with a namespace configured on the request. [GH-24256]
  • core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [GH-24336]
  • ui: Fix payload sent when disabling replication [GH-24292]

v1.15.3

30 Nov 22:04
25a4d1a

1.15.3

November 30, 2023

CHANGES:

  • core: Bump Go version to 1.21.4.

IMPROVEMENTS:

  • core (enterprise): Speed up unseal when using namespaces
  • core: update sys/seal-status (and CLI vault status) to report the type of
    the seal when unsealed, as well as the type of the recovery seal if an
    auto-seal. [GH-23022]
  • secrets/pki: do not check TLS validity on ACME requests redirected to https [GH-22521]
  • ui: Sort list view of entities and aliases alphabetically using the item name [GH-24103]
  • ui: capabilities-self is always called in the user's root namespace [GH-24168]

BUG FIXES:

  • activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
  • auth/cert: Handle errors related to expired OCSP server responses [GH-24193]
  • core (Enterprise): Treat multiple disabled HA seals as a migration to Shamir.
  • core/audit: Audit logging a Vault response will now use a 5 second context timeout, separate from the original request. [GH-24238]
  • core/config: Use correct HCL config value when configuring log_requests_level. [GH-24059]
  • core/quotas: Close rate-limit blocked client purge goroutines when sealing [GH-24108]
  • core: Fix an error that resulted in the wrong seal type being returned by sys/seal-status while
    Vault is in seal migration mode. [GH-24165]
  • replication (enterprise): disallow configuring paths filter for a mount path that does not exist
  • secrets-sync (enterprise): Fix panic when setting usage_gauge_period to none
  • secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [GH-24192]
  • secrets/transit: Fix a panic when attempting to export a public RSA key [GH-24054]
  • ui: Fix JSON editor in KV V2 unable to handle pasted values [GH-24224]
  • ui: Fix error when tuning token auth configuration within namespace [GH-24147]
  • ui: show error from API when seal fails [GH-23921]

v1.14.7

30 Nov 21:55
557bb7e

1.14.7

November 30, 2023

CHANGES:

  • core: Bump Go version to 1.20.11.

IMPROVEMENTS:

  • core (enterprise): Speed up unseal when using namespaces
  • secrets/pki: do not check TLS validity on ACME requests redirected to https [GH-22521]
  • ui: Sort list view of entities and aliases alphabetically using the item name [GH-24103]
  • ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [GH-23700]

BUG FIXES:

  • activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
  • auth/cert: Handle errors related to expired OCSP server responses [GH-24193]
  • core/config: Use correct HCL config value when configuring log_requests_level. [GH-24058]
  • core/quotas: Close rate-limit blocked client purge goroutines when sealing [GH-24108]
  • replication (enterprise): disallow configuring paths filter for a mount path that does not exist
  • secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [GH-24192]
  • secrets/transit: Fix a panic when attempting to export a public RSA key [GH-24054]
  • ui: Fix error when tuning token auth configuration within namespace [GH-24147]

v1.13.11

30 Nov 17:18
58492f9

1.13.11

November 30, 2023

CHANGES:

  • core: Bump Go version to 1.20.11.

IMPROVEMENTS:

  • core (enterprise): Speed up unseal when using namespaces
  • ui: Sort list view of entities and aliases alphabetically using the item name [GH-24103]

BUG FIXES:

  • activity log (enterprise): De-duplicate client count estimates for license utilization reporting.
  • auth/cert: Handle errors related to expired OCSP server responses [GH-24193]
  • core/config: Use correct HCL config value when configuring log_requests_level. [GH-24057]
  • core/quotas: Close rate-limit blocked client purge goroutines when sealing [GH-24108]
  • replication (enterprise): disallow configuring paths filter for a mount path that does not exist
  • secrets/pki: Do not set nextUpdate field in OCSP responses when ocsp_expiry is 0 [GH-24192]
  • ui: Fix error when tuning token auth configuration within namespace [GH-24147]

v1.15.2

08 Nov 19:39
cf1b5ca

1.15.2

November 09, 2023

SECURITY:

  • core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]

CHANGES:

  • auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
  • secrets/mongodbatlas: Update plugin to v0.10.2 [GH-23849]

FEATURES:

  • cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]

IMPROVEMENTS:

  • api (enterprise): Enable the sys/license/features from any namespace
  • storage/etcd: etcd should only return keys when calling List() [GH-23872]
  • ui: Update flat, shell-quote and swagger-ui-dist packages. Remove swagger-ui styling overrides. [GH-23700]
  • ui: Update sidebar Secrets engine to title case. [GH-23964]

BUG FIXES:

  • api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
    on the request. [GH-23861]
  • core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
  • core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
  • core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
  • core: Revert PR causing memory consumption bug [GH-23986]
  • core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
  • core: fix bug where deadlock detection was always on for expiration and quotas.
    These can now be configured individually with detect_deadlocks. [GH-23902]
  • core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
  • expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]
  • ui: fix broken GUI when accessing from listener with chroot_namespace defined [GH-23942]

v1.14.6

08 Nov 19:39
5efc0cb

1.14.6

November 09, 2023

SECURITY:

  • core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]

CHANGES:

  • auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
  • secrets/mongodbatlas: Update plugin to v0.10.2 [GH-23849]

FEATURES:

  • cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]

IMPROVEMENTS:

  • storage/etcd: etcd should only return keys when calling List() [GH-23872]

BUG FIXES:

  • api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
    on the request. [GH-23861]
  • core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
  • core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
  • core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
  • core: Revert PR causing memory consumption bug [GH-23986]
  • core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
  • core: fix bug where deadlock detection was always on for expiration and quotas.
    These can now be configured individually with detect_deadlocks. [GH-23902]
  • core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
  • expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]

v1.13.10

08 Nov 16:28
3968035

1.13.10

November 09, 2023

SECURITY:

  • core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]

CHANGES:

  • auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
  • secrets/mongodbatlas: Update plugin to v0.9.2 [GH-23849]

FEATURES:

  • cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]

IMPROVEMENTS:

  • storage/etcd: etcd should only return keys when calling List() [GH-23872]

BUG FIXES:

  • api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured
    on the request. [GH-23861]
  • core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
  • core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
  • core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
  • core: Revert PR causing memory consumption bug [GH-23986]
  • core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
  • core: fix bug where deadlock detection was always on for expiration and quotas.
    These can now be configured individually with detect_deadlocks. [GH-23902]
  • core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
  • expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]

v1.15.1

25 Oct 00:27
b94e275

1.15.1

October 25, 2023

CHANGES:

  • core: Bump Go version to 1.21.3.

IMPROVEMENTS:

  • api/plugins: add tls-server-name arg for plugin registration [GH-23549]
  • auto-auth/azure: Support setting the authenticate_from_environment variable to "true" and "false" string literals, too. [GH-22996]
  • secrets-sync (enterprise): Added telemetry on number of destinations and associations per type.
  • ui: Adds a warning when whitespace is detected in a key of a KV secret [GH-23702]
  • ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [GH-23747]
  • ui: Surface warning banner if UI has stopped auto-refreshing token [GH-23143]
  • ui: show banner when resultant-acl check fails due to permissions or wrong namespace. [GH-23503]
  • website/docs: fix inaccuracies with unauthenticated_in_flight_requests_access parameter [GH-23287]

BUG FIXES:

  • Seal HA (enterprise/beta): Fix rejection of a seal configuration change
    from two to one auto seal due to persistence of the previous seal type being
    "multiseal". [GH-23573]
  • audit: Fix bug reopening 'file' audit devices on SIGHUP. [GH-23598]
  • auth/aws: Fixes a panic that can occur in IAM-based login when a client config does not exist. [GH-23555]
  • command/server: Fix bug with sigusr2 where pprof files were not closed correctly [GH-23636]
  • events: Ignore sending context to give more time for events to send [GH-23500]
  • expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [GH-23282]
  • kmip (enterprise): Improve handling of failures due to storage replication issues.
  • kmip (enterprise): Return a structure in the response for query function Query Server Information.
  • mongo-db: allow non-admin database for root credential rotation [GH-23240]
  • replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
  • replication (enterprise): Fix a missing unlock when changing replication state
  • secrets-sync (enterprise): Fixed issue where we could sync a deleted secret
  • secrets/aws: update credential rotation deadline when static role rotation period is updated [GH-23528]
  • secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [GH-23010]
  • secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [GH-23278]
  • secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
  • secrets/transit (enterprise): Address panic when using GCP, AWS, Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled; only signing operations are supported.
  • secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
  • secrets/transit: Do not allow auto rotation on managed_key key types [GH-23723]
  • storage/consul: fix a bug where an active node in a specific sort of network
    partition could continue to write data to Consul after a new leader is elected
    potentially causing data loss or corruption for keys with many concurrent
    writers. For Enterprise clusters this could cause corruption of the merkle trees
    leading to failure to complete merkle sync without a full re-index. [GH-23013]
  • ui: Assumes version 1 for kv engines when options are null because no version is specified [GH-23585]
  • ui: Decode the connection url for display on the connection details page [GH-23695]
  • ui: Fix AWS secret engine to allow empty policy_document field. [GH-23470]
  • ui: Fix bug where auth items were not listed when within a namespace. [GH-23446]
  • ui: Fix regression that broke the oktaNumberChallenge on the ui. [GH-23565]
  • ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [GH-23331]
  • ui: Fixes issue where you could not share the list view URL from the KV v2 secrets engine. [GH-23620]
  • ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [GH-23516]
  • ui: Fixes issues displaying accurate TLS state in dashboard configuration details [GH-23726]

v1.14.5

24 Oct 22:11
aebe972

1.14.5

October 25, 2023

CHANGES:

  • core: Bump Go version to 1.20.10.
  • replication (enterprise): Switch to non-deprecated gRPC field for resolver target host

IMPROVEMENTS:

  • api/plugins: add tls-server-name arg for plugin registration [GH-23549]
  • core: Use a worker pool for the rollback manager. Add new metrics for the rollback manager to track the queued tasks. [GH-22567]
  • ui: Adds toggle to KV secrets engine value download modal to optionally stringify value in downloaded file [GH-23747]
  • website/docs: fix inaccuracies with unauthenticated_in_flight_requests_access parameter [GH-23287]

BUG FIXES:

  • command/server: Fix bug with sigusr2 where pprof files were not closed correctly [GH-23636]
  • events: Ignore sending context to give more time for events to send [GH-23500]
  • expiration: Prevent large lease loads from delaying state changes, e.g. becoming active or standby. [GH-23282]
  • kmip (enterprise): Improve handling of failures due to storage replication issues.
  • kmip (enterprise): Return a structure in the response for query function Query Server Information.
  • mongo-db: allow non-admin database for root credential rotation [GH-23240]
  • replication (enterprise): Fix a bug where undo logs would only get enabled on the initial node in a cluster.
  • replication (enterprise): Fix a missing unlock when changing replication state
  • secrets/consul: Fix revocations when Vault has an access token using specific namespace and admin partition policies [GH-23010]
  • secrets/pki: Stop processing in-flight ACME verifications when an active node steps down [GH-23278]
  • secrets/transit (enterprise): Address an issue using sign/verify operations with managed keys returning an error about it not containing a private key
  • secrets/transit (enterprise): Address panic when using GCP, AWS, Azure managed keys for encryption operations. At this time all encryption operations for the cloud providers have been disabled; only signing operations are supported.
  • secrets/transit (enterprise): Apply hashing arguments and defaults to managed key sign/verify operations
  • secrets/transit: Do not allow auto rotation on managed_key key types [GH-23723]
  • storage/consul: fix a bug where an active node in a specific sort of network
    partition could continue to write data to Consul after a new leader is elected
    potentially causing data loss or corruption for keys with many concurrent
    writers. For Enterprise clusters this could cause corruption of the merkle trees
    leading to failure to complete merkle sync without a full re-index. [GH-23013]
  • ui: Decode the connection url for display on the connection details page [GH-23695]
  • ui: Fix AWS secret engine to allow empty policy_document field. [GH-23470]
  • ui: Fix the copy token button in the sidebar navigation window when in a collapsed state. [GH-23331]
  • ui: Fixes issue with sidebar navigation links disappearing when navigating to policies when a user is not authorized [GH-23516]