Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump github.com/hashicorp/vault from 1.4.2 to 1.8.5 #72

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 18, 2022

Bumps github.com/hashicorp/vault from 1.4.2 to 1.8.5.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.8.5

1.8.5

November 4, 2021

BUG FIXES:

  • auth/aws: fix config/rotate-root to store new key [GH-12715]
  • core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
  • core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • identity/token: Adds missing call to unlock mutex in key deletion error handling [GH-12916]
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Forward KMIP register operations to the active node
  • secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12952]
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.

v1.8.4

1.8.4

6 October 2021

IMPROVEMENTS:

  • core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [GH-12724]

BUG FIXES:

  • core: Fix a deadlock on HA leadership transfer [GH-12691]
  • database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • pki: Fix regression preventing email addresses being used as a common name within certificates [GH-12716]
  • storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • ui: Fix bug where edit role form on auth method is invalid by default [GH-12646]

v1.8.3

1.8.3

29 September 2021

IMPROVEMENTS:

  • secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

  • agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
  • core (enterprise): Allow deletion of stored licenses on DR secondary nodes
  • core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
  • core (enterprise): Only delete quotas on primary cluster. [GH-12339]
  • identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
  • raft (enterprise): Fix panic when updating auto-snapshot config
  • secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.8.5

November 4, 2021

SECURITY:

  • core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

BUG FIXES:

  • auth/aws: fix config/rotate-root to store new key [GH-12715]
  • core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
  • core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
  • http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
  • identity/token: Adds missing call to unlock mutex in key deletion error handling [GH-12916]
  • kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
  • kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
  • kmip (enterprise): Forward KMIP register operations to the active node
  • secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12952]
  • transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.

1.8.4

6 October 2021

SECURITY:

  • core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

IMPROVEMENTS:

  • core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [GH-12724]

BUG FIXES:

  • core: Fix a deadlock on HA leadership transfer [GH-12691]
  • database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • pki: Fix regression preventing email addresses being used as a common name within certificates [GH-12716]
  • storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
  • ui: Fix bug where edit role form on auth method is invalid by default [GH-12646]

1.8.3

29 September 2021

IMPROVEMENTS:

  • secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

  • agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
  • core (enterprise): Allow deletion of stored licenses on DR secondary nodes

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [github.com/hashicorp/vault](https://github.com/hashicorp/vault) from 1.4.2 to 1.8.5.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v1.4.2...v1.8.5)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from syndbg as a code owner July 18, 2022 20:38
@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants