pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/vault Update security/vault to 0.8.0.
details: https://anonhg.NetBSD.org/pkgsrc/rev/568a145e8844
branches: trunk
changeset: 366597:568a145e8844
user: fhajny <fhajny%pkgsrc.org@localhost>
date: Wed Aug 16 12:18:32 2017 +0000
description:
Update security/vault to 0.8.0.
SECURITY:
- We've added a note to the docs about the way the GitHub auth backend works
as it may not be readily apparent that GitHub personal access tokens, which
are used by the backend, can be used for unauthorized access if they are
stolen from third party services and access to Vault is public.
DEPRECATIONS/CHANGES:
- Database Plugin Backends: Passwords generated for these backends now
enforce stricter password requirements, as opposed to the previous behavior
of returning a randomized UUID.
- Lease Endpoints: The endpoints 'sys/renew', 'sys/revoke', 'sys/revoke-prefix',
'sys/revoke-force' have been deprecated and relocated under 'sys/leases'.
- Response Wrapping Lookup Unauthenticated: The 'sys/wrapping/lookup' endpoint
is now unauthenticated.
FEATURES:
- Cassandra Storage: Cassandra can now be used for Vault storage
- CockroachDB Storage: CockroachDB can now be used for Vault storage
- CouchDB Storage: CouchDB can now be used for Vault storage
- SAP HANA Database Plugin: The 'databases' backend can now manage users
for SAP HANA databases
- Plugin Backends: Vault now supports running secret and auth backends as
plugins.
- PROXY Protocol Support: Vault listeners can now be configured to honor
PROXY protocol v1 information to allow passing real client IPs into Vault.
- Lease Lookup and Browsing in the Vault Enterprise UI: Vault Enterprise UI
now supports lookup and listing of leases and the associated actions from the
'sys/leases' endpoints in the API.
- Filtered Mounts for Performance Mode Replication: Whitelists or
blacklists of mounts can be defined per-secondary to control which mounts
are actually replicated to that secondary.
- Disaster Recovery Mode Replication (Enterprise Only): There is a new
replication mode, Disaster Recovery (DR), that performs full real-time
replication (including tokens and leases) to DR secondaries.
- Manage New Replication Features in the Vault Enterprise UI: Support for
Replication features in Vault Enterprise UI has expanded to include new DR
Replication mode and management of Filtered Mounts in Performance Replication
mode.
- Vault Identity (Enterprise Only): Vault's new Identity system allows
correlation of users across tokens.
- Duo Push, Okta Push, and TOTP MFA For All Authenticated Paths (Enterprise
Only): A brand new MFA system built on top of Identity allows MFA
(currently Duo Push, Okta Push, and TOTP) for any authenticated path within
Vault.
IMPROVEMENTS:
- api: Add client method for a secret renewer background process
- api: Add 'RenewTokenAsSelf'
- api: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
var or with a new API function
- api/cli: Client will now attempt to look up SRV records for the given Vault
hostname
- audit/socket: Enhance reconnection logic and don't require the connection to
be established at unseal time
- audit/file: Opportunistically try re-opening the file on error
- auth/approle: Add role name to token metadata
- auth/okta: Allow specifying 'ttl'/'max_ttl' inside the mount
- cli: Client timeout can now be adjusted with the 'VAULT_CLIENT_TIMEOUT' env
var
- command/auth: Add '-token-only' flag to 'vault auth' that returns only the
token on stdout and does not store it via the token helper
- core: CORS allowed origins can now be configured
- core: Add metrics counters for audit log failures
- cors: Allow setting allowed headers via the API instead of always using
wildcard
- secret/ssh: Allow specifying the key ID format using template values for CA
type
- server: Add 'tls_client_ca_file' option for specifying a CA file to use for
client certificate verification when 'tls_require_and_verify_client_cert' is
enabled
- storage/cockroachdb: Add CockroachDB storage backend
- storage/couchdb: Add CouchDB storage backend
- storage/mssql: Add 'max_parallel'
- storage/postgresql: Add 'max_parallel'
- storage/postgresql: Improve listing speed
- storage/s3: More efficient paging when an object has a lot of subobjects
- sys/wrapping: Make 'sys/wrapping/lookup' unauthenticated
- sys/wrapping: Wrapped tokens now store the original request path of the data
- telemetry: Add support for DogStatsD
BUG FIXES:
- api/health: Don't treat standby '429' codes as an error
- api/leases: Fix lease lookup returning lease properties at the top level
- audit: Fix panic when audit logging a read operation on an asymmetric
'transit' key
- auth/approle: Fix panic when secret and cidr list not provided in role
- auth/aws: Look up proper account ID on token renew
- auth/aws: Store IAM header in all cases when it changes
- auth/ldap: Verify given certificate is PEM encoded instead of failing
silently
- auth/token: Don't allow using the same token ID twice when manually
specifying
- cli: Fix issue with parsing keys that start with special characters
- core: Relocated 'sys/leases/renew' returns same payload as original
'sys/leases' endpoint
- secret/ssh: Fix panic when signing with incorrect key type
- secret/totp: Ensure codes can only be used once. This makes some automated
workflows harder but complies with the RFC.
- secret/transit: Fix locking when creating a key with unsupported options
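As an added illustration of the 'tls_client_ca_file' and 'tls_require_and_verify_client_cert' listener options named in the IMPROVEMENTS list above: the following is example Vault server configuration written for this page, not part of the pkgsrc commit or of Vault's own documentation. The listen address, the file storage path and every certificate path are assumed values. The first listener shows the weak setting (no client certificate required, so anyone who can reach the port needs only a token); the second requires a client certificate and, with the 0.8.0 option, verifies it against a dedicated client CA rather than the CA that issued the server certificate.

```hcl
# Example Vault server configuration (added here; not from the commit).
# All paths and the address are assumed placeholders.

storage "file" {
  path = "/var/vault/data"
}

# Weak: TLS protects the transport, but no client certificate is required,
# so the only thing gating API access is the bearer token.
listener "tcp" {
  address       = "127.0.0.1:8200"
  tls_cert_file = "/etc/vault/tls/server.crt"
  tls_key_file  = "/etc/vault/tls/server.key"
  tls_require_and_verify_client_cert = false
}

# Corrected: require a client certificate and verify it against a
# separate client CA ('tls_client_ca_file', new in 0.8.0). Keeping the
# client CA distinct from the server CA means a leaked server issuing key
# cannot be used to mint client certificates that pass this check.
listener "tcp" {
  address       = "10.0.0.5:8200"
  tls_cert_file = "/etc/vault/tls/server.crt"
  tls_key_file  = "/etc/vault/tls/server.key"
  tls_require_and_verify_client_cert = true
  tls_client_ca_file                 = "/etc/vault/tls/client-ca.crt"
}
```

In practice only one of the two listeners would be kept; they are shown side by side so the difference is visible in a single file.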
diffstat:
security/vault/Makefile | 4 ++--
security/vault/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (27 lines):
diff -r ef43e5d72b2c -r 568a145e8844 security/vault/Makefile
--- a/security/vault/Makefile Wed Aug 16 11:52:32 2017 +0000
+++ b/security/vault/Makefile Wed Aug 16 12:18:32 2017 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.13 2017/06/13 06:28:38 fhajny Exp $
+# $NetBSD: Makefile,v 1.14 2017/08/16 12:18:32 fhajny Exp $
-DISTNAME= vault-0.7.3
+DISTNAME= vault-0.8.0
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
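Review bot: The DISTNAME bump from vault-0.7.3 to vault-0.8.0 is the only functional change in this hunk, but the commit message describes behaviour changes that affect operators of an already-deployed 0.7.3 (the 'sys/renew'/'sys/revoke*' endpoints moving under 'sys/leases', 'sys/wrapping/lookup' becoming unauthenticated, and stricter generated passwords for database plugin backends); consider adding a MESSAGE file or a note in the package so those upgrading via pkgsrc are pointed at the upstream release notes. Also confirm no stale PKGREVISION line exists elsewhere in the Makefile, since a DISTNAME change should reset it.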
diff -r ef43e5d72b2c -r 568a145e8844 security/vault/distinfo
--- a/security/vault/distinfo Wed Aug 16 11:52:32 2017 +0000
+++ b/security/vault/distinfo Wed Aug 16 12:18:32 2017 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.8 2017/06/13 06:28:38 fhajny Exp $
+$NetBSD: distinfo,v 1.9 2017/08/16 12:18:32 fhajny Exp $
-SHA1 (vault-0.7.3.tar.gz) = 6cec196e3d4483aee896e6ca69993bebf856d142
-RMD160 (vault-0.7.3.tar.gz) = 2091b5f947579a7a715090164d8ccb2c805cb2b6
-SHA512 (vault-0.7.3.tar.gz) = 8632b4b721372cb0f5f684564ebe0749b7c1a9b5d0322b083773b3a2fd1734fb2eedee1aeb4b4c9431ce7f44c711ac0a95960c581165e1bac1a3754f8658e783
-Size (vault-0.7.3.tar.gz) = 6694636 bytes
+SHA1 (vault-0.8.0.tar.gz) = 13dca1df577d156c584c47530a4f25929a64ab0c
+RMD160 (vault-0.8.0.tar.gz) = 6bedd05b97333e8101ba238fdfe37eda8c337823
+SHA512 (vault-0.8.0.tar.gz) = 2b30927290bb5db089297c857839e2ee3dfa88efb14037245be4965a9053dfaeb889d7c9d8b2c337b4d649842274c97eb10e4cf4e13f1e60bb3efadda50f26ee
+Size (vault-0.8.0.tar.gz) = 6958162 bytes
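Review bot: All four distinfo lines (SHA1, RMD160, SHA512, Size) are replaced together for vault-0.8.0.tar.gz, which is the expected shape of a 'make distinfo' regeneration; the reviewer should confirm the tarball was fetched from the MASTER_SITES GitHub location and the SHA512 compared against upstream's published release checksum before trusting these values, since SHA1 and RMD160 are no longer collision-resistant and the SHA512 line is the one providing real integrity. The size increase from 6694636 to 6958162 bytes is consistent with a new feature release.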