pkgsrc-WIP-changes archive


vault: Update to 1.1.1



Module Name:	pkgsrc-wip
Committed By:	Iku Iwasa <iku.iwasa%gmail.com@localhost>
Pushed By:	iquiw
Date:		Sat Apr 13 14:22:46 2019 +0900
Changeset:	aea20b7de424f1f39941134995249d1c7b2d7818

Modified Files:
	vault/Makefile
	vault/distinfo

Log Message:
vault: Update to 1.1.1

SECURITY:

 * Given: (a) performance replication is enabled; (b) performance standbys are
   in use on the performance replication secondary cluster; and (c) mount
   filters are in use, if a mount that was previously available to a secondary
   is updated to be filtered out, although the data would be removed from the
   secondary cluster, the in-memory cache of the data would not be purged on
   the performance standby nodes. As a result, the previously-available data
   could still be read from memory if it was ever read from disk, and if this
   included mount configuration data this could result in token or lease
   issuance. The issue is fixed in this release; in prior releases either an
   active node changeover (such as a step-down) or a restart of the standby
   nodes is sufficient to cause the performance standby nodes to clear their
   cache. A CVE is in the process of being issued; the number is
   CVE-2019-11075.
 * Roles in the JWT Auth backend using the OIDC login flow (i.e. role_type of
   “oidc”) were not enforcing bound_cidrs restrictions, if any were configured
   for the role. This issue did not affect roles of type “jwt”.

CHANGES:

 * auth/jwt: Disallow logins of role_type "oidc" via the `/login` path [JWT-38]
 * core/acl: New ordering defines which policy wins when there are multiple
   inexact matches and at least one path contains `+`. `+*` is now illegal in
   policy paths. The previous behavior simply selected any matching
   segment-wildcard path that matched. [GH-6532]
 * replication: Due to technical limitations, mounting and unmounting was not
   previously possible from a performance secondary. These have been resolved,
   and these operations may now be run from a performance secondary.

IMPROVEMENTS:

 * agent: Allow AppRole auto-auth without a secret-id [GH-6324]
 * auth/gcp: Cache clients to improve performance and reduce open file usage
 * auth/jwt: Bounds claims validation will now allow matching the received
   claims against a list of expected values [JWT-41]
 * secret/gcp: Cache clients to improve performance and reduce open file usage
 * replication: Mounting/unmounting/remounting/mount-tuning is now supported
   from a performance secondary cluster
 * ui: Support for authentication via the RADIUS auth method [GH-6488]
 * ui: Navigating away from secret list view will clear any page-specific
   filter that was applied [GH-6511]
 * ui: Improved the display when OIDC auth errors [GH-6553]

BUG FIXES:

 * agent: Allow auto-auth to be used with caching without having to define any
   sinks [GH-6468]
 * agent: Disallow some nonsensical config file combinations [GH-6471]
 * auth/ldap: Fix CN check not working if CN was not all in uppercase [GH-6518]
 * auth/jwt: The CLI helper for OIDC logins will now open the browser to the correct
   URL when running on Windows [JWT-37]
 * auth/jwt: Fix OIDC login issue where configured TLS certs weren't being used [JWT-40]
 * auth/jwt: Fix an issue where the `oidc_scopes` parameter was not being included in
   the response to a role read request [JWT-35]
 * core: Fix seal migration case when migrating to Shamir and a seal block
   wasn't explicitly specified [GH-6455]
 * core: Fix unwrapping when using namespaced wrapping tokens [GH-6536]
 * core: Fix incorrect representation of required properties in OpenAPI output
   [GH-6490]
 * core: Fix deadlock that could happen when using the UI [GH-6560]
 * identity: Fix updating groups removing existing members [GH-6527]
 * identity: Properly invalidate group alias in performance secondary [GH-6564]
 * identity: Use namespace context when loading entities and groups to ensure
   merging of duplicate entries works properly [GH-6563]
 * replication: Fix performance standby election failure [GH-6561]
 * replication: Fix mount filter invalidation on performance standby nodes
 * replication: Fix license reloading on performance standby nodes
 * replication: Fix handling of control groups on performance standby nodes
 * replication: Fix some forwarding scenarios with request bodies using
   performance standby nodes [GH-6538]
 * secret/gcp: Fix roleset binding when using JSON [GCP-27]
 * secret/pki: Use `uri_sans` param in when not using CSR parameters [GH-6505]
 * storage/dynamodb: Fix a race condition possible in HA configurations that could
   leave the cluster without a leader [GH-6512]
 * ui: Fix an issue where in production builds OpenAPI model generation was
   failing, causing any form using it to render labels with missing fields [GH-6474]
 * ui: Fix issue nav-hiding when moving between namespaces [GH-6473]
 * ui: Secrets will always show in the nav regardless of access to cubbyhole [GH-6477]
 * ui: fix SSH OTP generation [GH-6540]
 * ui: add polyfill to load UI in IE11 [GH-6567]
 * ui: Fix issue where some elements would fail to work properly if using ACLs
   with segment-wildcard paths (`/+/` segments) [GH-6525]

To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=aea20b7de424f1f39941134995249d1c7b2d7818

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

diffstat:
 vault/Makefile | 2 +-
 vault/distinfo | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diffs:
diff --git a/vault/Makefile b/vault/Makefile
index d8a8528304..10cae29a06 100644
--- a/vault/Makefile
+++ b/vault/Makefile
@@ -1,6 +1,6 @@
 # $NetBSD$
 
-DISTNAME=	vault-1.1.0
+DISTNAME=	vault-1.1.1
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GITHUB:=hashicorp/}
 
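Review bot: the `DISTNAME` change from vault-1.1.0 to vault-1.1.1 is the only Makefile line touched (the diffstat shows one insertion and one deletion), so anything below the shown context that pins the old release was left as it was. Please confirm that no `PKGREVISION` is still set for the new version and that any tag or version variable used together with `${MASTER_SITE_GITHUB:=hashicorp/}` is derived from the package version rather than hard-coded to 1.1.0; a stale pin could leave a distfile named vault-1.1.1 that does not carry the security fixes listed in the log message.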
diff --git a/vault/distinfo b/vault/distinfo
index 47aecab261..86d79c29fe 100644
--- a/vault/distinfo
+++ b/vault/distinfo
@@ -1,6 +1,6 @@
 $NetBSD$
 
-SHA1 (vault-1.1.0.tar.gz) = 0236369887e86faae3c745ec6521b647d01e96a4
-RMD160 (vault-1.1.0.tar.gz) = 2bf0679d74688c3127afef4c59939382cd6815bc
-SHA512 (vault-1.1.0.tar.gz) = b0bc32f438e8432d849aa896f610c9532fa923384d40749efe49985d64a91f4768a3309af449efd8c8ab4604ecdb2474c39999bfe196f0f876894f788618ae61
-Size (vault-1.1.0.tar.gz) = 25943119 bytes
+SHA1 (vault-1.1.1.tar.gz) = 64531e0d24b56a2618ba7cc8859c0c61f724780d
+RMD160 (vault-1.1.1.tar.gz) = 5ebd26e28e1c71b9814cb68da96e793f7bea2db8
+SHA512 (vault-1.1.1.tar.gz) = 8922a32a3572cbaeb2dd5ade183e2b26338b49043031eb9d24cd8ab477183f8942e2856c8d3e67860f6d42e83043bd57af4b274ae5137cd946b2a285c8a16e01
+Size (vault-1.1.1.tar.gz) = 26026738 bytes
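Review bot: the four replaced lines for vault-1.1.1.tar.gz (SHA1, RMD160, SHA512, Size) are the only integrity anchor for an archive fetched via GitHub, and nothing in the change shows how they were produced or checked. Of the three digests only the SHA512 line should be relied on, since SHA1 has known practical collisions. Please regenerate the file with `make makesum` rather than editing it by hand, and compare the SHA512 value against a second, independent download of the same release before the package is used outside wip.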

