pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/vault Update security/vault to 0.9.1.
details: https://anonhg.NetBSD.org/pkgsrc/rev/38fb0e7cdffb
branches: trunk
changeset: 373451:38fb0e7cdffb
user: fhajny <fhajny%pkgsrc.org@localhost>
date: Tue Jan 02 09:35:44 2018 +0000
description:
Update security/vault to 0.9.1.
DEPRECATIONS/CHANGES:
- AppRole Case Sensitivity: In prior versions of Vault, `list` operations
against AppRole roles would require preserving case in the role name, even
though most other operations within AppRole are case-insensitive with
respect to the role name. This has been fixed; existing roles will behave as
they have in the past, but new roles will act case-insensitively in these
cases.
- Token Auth Backend Roles parameter types: For `allowed_policies` and
`disallowed_policies` in role definitions in the token auth backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
- Transit key exporting: You can now mark a key in the `transit` backend as
`exportable` at any time, rather than just at creation time; however, once
this value is set, it still cannot be unset.
- PKI Secret Backend Roles parameter types: For `allowed_domains` and
`key_usage` in role definitions in the PKI secret backend, input
can now be a comma-separated string or an array of strings. Reading a role
will now return arrays for these parameters.
- SSH Dynamic Keys Method Defaults to 2048-bit Keys: When using the dynamic
key method in the SSH backend, the default is now to use 2048-bit keys if no
specific key bit size is specified.
- Consul Secret Backend lease handling: The `consul` secret backend can now
accept both strings and integer numbers of seconds for its lease value. The
value returned on a role read will be an integer number of seconds instead
of a human-friendly string.
- Unprintable characters not allowed in API paths: Unprintable characters are
no longer allowed in names in the API (paths and path parameters), with an
extra restriction on whitespace characters. Allowed characters are those
that are considered printable by Unicode plus spaces.
FEATURES:
- Transit Backup/Restore: The `transit` backend now supports a backup
operation that can export a given key, including all key versions and
configuration, as well as a restore operation allowing import into another
Vault.
- gRPC Database Plugins: Database plugins now use gRPC for transport,
allowing them to be written in other languages.
- Nomad Secret Backend: Nomad ACL tokens can now be generated and revoked
using Vault.
- TLS Cert Auth Backend Improvements: The `cert` auth backend can now
match against custom certificate extensions via exact or glob matching, and
additionally supports max_ttl and periodic token toggles.
IMPROVEMENTS:
- auth/cert: Support custom certificate constraints
- auth/cert: Support setting `max_ttl` and `period`
- audit/file: Setting a file mode of `0000` will now disable Vault from
automatically `chmod`ing the log file
- auth/github: The legacy MFA system can now be used with the GitHub auth
backend
- auth/okta: The legacy MFA system can now be used with the Okta auth backend
- auth/token: `allowed_policies` and `disallowed_policies` can now be specified
as a comma-separated string or an array of strings
- command/server: The log level can now be specified with `VAULT_LOG_LEVEL`
- core: Period values from auth backends will now be checked and applied to the
TTL value directly by core on login and renewal requests
- database/mongodb: Add optional `write_concern` parameter, which can be set
during database configuration. This establishes a session-wide write
concern for the lifecycle of the mount
- http: Request path containing non-printable characters will return 400 - Bad
Request
- mfa/okta: Filter a given email address as a login filter, allowing operation
when login email and account email are different
- plugins: Make Vault more resilient when unsealing when plugins are
unavailable
- secret/pki: `allowed_domains` and `key_usage` can now be specified
as a comma-separated string or an array of strings
- secret/ssh: Allow 4096-bit keys to be used in dynamic key method
- secret/consul: The Consul secret backend now uses the value of `lease` set
on the role, if set, when renewing a secret.
- storage/mysql: Don't attempt database creation if it exists, which can help
under certain permissions constraints
BUG FIXES:
- api/status (enterprise): Fix status reporting when using an auto seal
- auth/approle: Fix case-sensitive/insensitive comparison issue
- auth/cert: Return `allowed_names` on role read
- auth/ldap: Fix incorrect control information being sent
- core: Fix seal status reporting when using an autoseal
- core: Add creation path to wrap info for a control group token
- core: Fix potential panic that could occur using plugins when a node
transitioned from active to standby
- core: Fix memory ballooning when a connection would connect to the cluster
port and then go away -- redux!
- core: Replace recursive token revocation logic with depth-first logic, which
can avoid hitting stack depth limits in extreme cases
- core: When doing a read on configured audited-headers, properly handle case
insensitivity
- core/pkcs11 (enterprise): Fix panic when PKCS#11 library is not readable
- database/mysql: Allow the creation statement to use commands that are not yet
supported by the prepare statement protocol
- plugin/auth-gcp: Fix IAM roles when using `allow_gce_inference`
diffstat:
security/vault/Makefile | 4 ++--
security/vault/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
diffs (27 lines):
diff -r bdc3301087c0 -r 38fb0e7cdffb security/vault/Makefile
--- a/security/vault/Makefile Tue Jan 02 09:24:19 2018 +0000
+++ b/security/vault/Makefile Tue Jan 02 09:35:44 2018 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.19 2017/11/16 11:31:12 fhajny Exp $
+# $NetBSD: Makefile,v 1.20 2018/01/02 09:35:44 fhajny Exp $
-DISTNAME= vault-0.9.0
+DISTNAME= vault-0.9.1
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
diff -r bdc3301087c0 -r 38fb0e7cdffb security/vault/distinfo
--- a/security/vault/distinfo Tue Jan 02 09:24:19 2018 +0000
+++ b/security/vault/distinfo Tue Jan 02 09:35:44 2018 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.13 2017/11/16 11:31:12 fhajny Exp $
+$NetBSD: distinfo,v 1.14 2018/01/02 09:35:44 fhajny Exp $
-SHA1 (vault-0.9.0.tar.gz) = e0a7cc5fb0584cbb657c7042ba7cb9e4295d385e
-RMD160 (vault-0.9.0.tar.gz) = e14063aebb3d3ad08cccbd1b603c19513d1cf8d3
-SHA512 (vault-0.9.0.tar.gz) = c5755bd8a696764af2375ac51b955759ece36796e6c138e6fc3e8abd487c10ac41c8927501234e0cdfcd448021254b2f09097d8e00a6278b44f971d8b8442da6
-Size (vault-0.9.0.tar.gz) = 8457263 bytes
+SHA1 (vault-0.9.1.tar.gz) = 2fc868643287444ea802f953db1e0ae86afd3250
+RMD160 (vault-0.9.1.tar.gz) = 1599a8f01bb1abc1d4f55c78d0adf2997ba2ee0e
+SHA512 (vault-0.9.1.tar.gz) = f8362b3b3e09d5e4b63e58a31eb8791d5518b8a7f50758ee4b92d6a4ecdcb51cef15a45eeb2aa75c427dcc45686c81c332e563e9d6f4fb71b5233f4509a3d528
+Size (vault-0.9.1.tar.gz) = 8556076 bytes
Home |
Main Index |
Thread Index |
Old Index