pkgsrc-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[pkgsrc/trunk]: pkgsrc/security/vault Update security/vault to 0.8.0.



details:   https://anonhg.NetBSD.org/pkgsrc/rev/568a145e8844
branches:  trunk
changeset: 366597:568a145e8844
user:      fhajny <fhajny%pkgsrc.org@localhost>
date:      Wed Aug 16 12:18:32 2017 +0000

description:
Update security/vault to 0.8.0.

SECURITY:

- We've added a note to the docs about the way the GitHub auth backend works
  as it may not be readily apparent that GitHub personal access tokens, which
  are used by the backend, can be used for unauthorized access if they are
  stolen from third party services and access to Vault is public.

DEPRECATIONS/CHANGES:

- Database Plugin Backends: Passwords generated for these backends now
  enforce stricter password requirements, as opposed to the previous behavior
  of returning a randomized UUID.
- Lease Endpoints: The endpoints 'sys/renew', 'sys/revoke', 'sys/revoke-prefix',
  'sys/revoke-force' have been deprecated and relocated under 'sys/leases'.
- Response Wrapping Lookup Unauthenticated: The 'sys/wrapping/lookup' endpoint
  is now unauthenticated.

FEATURES:

- Cassandra Storage: Cassandra can now be used for Vault storage
- CockroachDB Storage: CockroachDB can now be used for Vault storage
- CouchDB Storage: CouchDB can now be used for Vault storage
- SAP HANA Database Plugin: The 'databases' backend can now manage users
  for SAP HANA databases
- Plugin Backends: Vault now supports running secret and auth backends as
  plugins.
- PROXY Protocol Support Vault listeners can now be configured to honor
  PROXY protocol v1 information to allow passing real client IPs into Vault.
- Lease Lookup and Browsing in the Vault Enterprise UI: Vault Enterprise UI
  now supports lookup and listing of leases and the associated actions from the
  'sys/leases' endpoints in the API.
- Filtered Mounts for Performance Mode Replication: Whitelists or
  blacklists of mounts can be defined per-secondary to control which mounts
  are actually replicated to that secondary.
- Disaster Recovery Mode Replication (Enterprise Only): There is a new
  replication mode, Disaster Recovery (DR), that performs full real-time
  replication (including tokens and leases) to DR secondaries.
- Manage New Replication Features in the Vault Enterprise UI: Support for
  Replication features in Vault Enterprise UI has expanded to include new DR
  Replication mode and management of Filtered Mounts in Performance Replication
  mode.
- Vault Identity (Enterprise Only): Vault's new Identity system allows
  correlation of users across tokens.
- Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise
  Only): A brand new MFA system built on top of Identity allows MFA
  (currently Duo Push, Okta Push, and TOTP) for any authenticated path within
  Vault.

IMPROVEMENTS:

- api: Add client method for a secret renewer background process
- api: Add 'RenewTokenAsSelf'
- api: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
  var or with a new API function
- api/cli: Client will now attempt to look up SRV records for the given Vault
  hostname
- audit/socket: Enhance reconnection logic and don't require the connection to
  be established at unseal time
- audit/file: Opportunistically try re-opening the file on error
- auth/approle: Add role name to token metadata
- auth/okta: Allow specifying 'ttl'/'max_ttl' inside the mount
- cli: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
  var
- command/auth: Add '-token-only' flag to 'vault auth' that returns only the
  token on stdout and does not store it via the token helper
- core: CORS allowed origins can now be configured
- core: Add metrics counters for audit log failures
- cors: Allow setting allowed headers via the API instead of always using
  wildcard
- secret/ssh: Allow specifying the key ID format using template values for CA
  type
- server: Add 'tls_client_ca_file' option for specifying a CA file to use for
  client certificate verification when 'tls_require_and_verify_client_cert' is
  enabled
- storage/cockroachdb: Add CockroachDB storage backend
- storage/couchdb: Add CouchhDB storage backend
- storage/mssql: Add 'max_parallel'
- storage/postgresql: Add 'max_parallel'
- storage/postgresql: Improve listing speed
- storage/s3: More efficient paging when an object has a lot of subobjects
- sys/wrapping: Make 'sys/wrapping/lookup' unauthenticated
- sys/wrapping: Wrapped tokens now store the original request path of the data
- telemetry: Add support for DogStatsD

BUG FIXES:

- api/health: Don't treat standby '429' codes as an error
- api/leases: Fix lease lookup returning lease properties at the top level
- audit: Fix panic when audit logging a read operation on an asymmetric
  'transit' key
- auth/approle: Fix panic when secret and cidr list not provided in role
- auth/aws: Look up proper account ID on token renew
- auth/aws: Store IAM header in all cases when it changes
- auth/ldap: Verify given certificate is PEM encoded instead of failing
  silently
- auth/token: Don't allow using the same token ID twice when manually
  specifying
- cli: Fix issue with parsing keys that start with special characters
- core: Relocated 'sys/leases/renew' returns same payload as original
  'sys/leases' endpoint
- secret/ssh: Fix panic when signing with incorrect key type
- secret/totp: Ensure codes can only be used once. This makes some automated
  workflows harder but complies with the RFC.
- secret/transit: Fix locking when creating a key with unsupported options

diffstat:

 security/vault/Makefile |   4 ++--
 security/vault/distinfo |  10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)

diffs (27 lines):

diff -r ef43e5d72b2c -r 568a145e8844 security/vault/Makefile
--- a/security/vault/Makefile   Wed Aug 16 11:52:32 2017 +0000
+++ b/security/vault/Makefile   Wed Aug 16 12:18:32 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.13 2017/06/13 06:28:38 fhajny Exp $
+# $NetBSD: Makefile,v 1.14 2017/08/16 12:18:32 fhajny Exp $
 
-DISTNAME=      vault-0.7.3
+DISTNAME=      vault-0.8.0
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=hashicorp/}
 
diff -r ef43e5d72b2c -r 568a145e8844 security/vault/distinfo
--- a/security/vault/distinfo   Wed Aug 16 11:52:32 2017 +0000
+++ b/security/vault/distinfo   Wed Aug 16 12:18:32 2017 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.8 2017/06/13 06:28:38 fhajny Exp $
+$NetBSD: distinfo,v 1.9 2017/08/16 12:18:32 fhajny Exp $
 
-SHA1 (vault-0.7.3.tar.gz) = 6cec196e3d4483aee896e6ca69993bebf856d142
-RMD160 (vault-0.7.3.tar.gz) = 2091b5f947579a7a715090164d8ccb2c805cb2b6
-SHA512 (vault-0.7.3.tar.gz) = 8632b4b721372cb0f5f684564ebe0749b7c1a9b5d0322b083773b3a2fd1734fb2eedee1aeb4b4c9431ce7f44c711ac0a95960c581165e1bac1a3754f8658e783
-Size (vault-0.7.3.tar.gz) = 6694636 bytes
+SHA1 (vault-0.8.0.tar.gz) = 13dca1df577d156c584c47530a4f25929a64ab0c
+RMD160 (vault-0.8.0.tar.gz) = 6bedd05b97333e8101ba238fdfe37eda8c337823
+SHA512 (vault-0.8.0.tar.gz) = 2b30927290bb5db089297c857839e2ee3dfa88efb14037245be4965a9053dfaeb889d7c9d8b2c337b4d649842274c97eb10e4cf4e13f1e60bb3efadda50f26ee
+Size (vault-0.8.0.tar.gz) = 6958162 bytes



Home | Main Index | Thread Index | Old Index