pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/security/vault Update security/vault to 0.6.4
details: https://anonhg.NetBSD.org/pkgsrc/rev/7e19106cdd1f
branches: trunk
changeset: 356656:7e19106cdd1f
user: fhajny <fhajny%pkgsrc.org@localhost>
date: Tue Jan 03 07:44:01 2017 +0000
description:
Update security/vault to 0.6.4
SECURITY:
- Default Policy Privilege Escalation: If a parent token did not have
the default policy attached to its token, it could still create
children with the default policy. This is no longer allowed (unless
the parent has sudo capability for the creation path). In most cases
this is low severity since the access grants in the default policy are
meant to be access grants that are acceptable for all tokens to have.
- Leases Not Expired When Limited Use Token Runs Out of Uses: When
using limited-use tokens to create leased secrets, if the
limited-use token was revoked due to running out of uses (rather than
due to TTL expiration or explicit revocation) it would fail to revoke
the leased secrets. These secrets would still be revoked when their
TTL expired, limiting the severity of this issue. An endpoint has been
added (auth/token/tidy) that can perform housekeeping tasks on the
token store; one of its tasks can detect this situation and revoke the
associated leases.
FEATURES:
- Policy UI (Enterprise): Vault Enterprise UI now supports viewing,
creating, and editing policies.
IMPROVEMENTS:
- http: Vault now sets a no-store cache control header to make it more
secure in setups that are not end-to-end encrypted
BUG FIXES:
- auth/ldap: Don't panic if dialing returns an error and starttls is
enabled; instead, return the error
- ui (Enterprise): Submitting an unseal key now properly resets the
form so a browser refresh isn't required to continue.
0.6.3 (December 6, 2016)
DEPRECATIONS/CHANGES:
- Request size limitation: A maximum request size of 32MB is imposed
to prevent a denial of service attack with arbitrarily large
requests
- LDAP denies passwordless binds by default: In new LDAP mounts, or
when existing LDAP mounts are rewritten, passwordless binds will be
denied by default. The new deny_null_bind parameter can be set to
false to allow these.
- Any audit backend activated satisfies conditions: Previously, when a
new Vault node was taking over service in an HA cluster, all audit
backends were required to be loaded successfully to take over active
duty. This behavior now matches the behavior of the audit logging
system itself: at least one audit backend must successfully be loaded.
The server log contains an error when this occurs. This helps keep a
Vault HA cluster working when there is a misconfiguration on a standby
node.
FEATURES:
- Web UI (Enterprise): Vault Enterprise now contains a built-in web UI
that offers access to a number of features, including
init/unsealing/sealing, authentication via userpass or LDAP, and K/V
reading/writing. The capability set of the UI will be expanding
rapidly in further releases. To enable it, set ui = true in the top
level of Vault's configuration file and point a web browser at your
Vault address.
- Google Cloud Storage Physical Backend: You can now use GCS for
storing Vault data
IMPROVEMENTS:
- auth/github: Policies can now be assigned to users as well as to
teams
- cli: Set the number of retries on 500 down to 0 by default (no
retrying). It can be very confusing to users when there is a pause
while the retries happen if they haven't explicitly set it. With
request forwarding the need for this is lessened anyway.
- core: Response wrapping is now allowed to be specified by backend
responses (requires backends gaining support)
- physical/consul: When announcing service, use the scheme of the
Vault server rather than the Consul client
- secret/consul: Added listing functionality to roles
- secret/postgresql: Added revocation_sql parameter on the role
endpoint to enable customization of user revocation SQL statements
- secret/transit: Add listing of keys
BUG FIXES:
- api/unwrap, command/unwrap: Increase compatibility of unwrap command
with Vault 0.6.1 and older
- api/unwrap, command/unwrap: Fix error when no client token exists
- auth/approle: Creating the index for the role_id properly
- auth/aws-ec2: Handle the case of multiple upgrade attempts when
setting the instance-profile ARN
- auth/ldap: Avoid leaking connections on login
- command/path-help: Use the actual error generated by Vault rather
than always using 500 when there is a path help error
- command/ssh: Use temporary file for identity and ensure its deletion
before the command returns
- cli: Fix error printing values with -field if the values contained
formatting directives
- command/server: Don't say mlock is supported on OSX when it isn't.
- core: Fix bug where a failure to come up as active node (e.g. if an
audit backend failed) could lead to deadlock
- physical/mysql: Fix potential crash during setup due to a query
failure
- secret/consul: Fix panic on user error
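The default-policy escalation fixed in 0.6.4 (first SECURITY item above) can be modelled as a subset check on the child's effective policy set. The block below is an added illustration, not Vault's own code: the Token class, create_child, the no_default_policy flag and the sudo-path layout are assumptions made for the example.

```python
"""Toy model of the default-policy check tightened in Vault 0.6.4.

Added illustration, not Vault's own code; Token, create_child and the
policy/sudo-path layout are assumptions made for this example.
"""
from dataclasses import dataclass

CREATE_PATH = "auth/token/create"  # creation path the parent may hold sudo on


@dataclass
class Token:
    policies: frozenset                    # policies attached to this token
    sudo_paths: frozenset = frozenset()    # paths on which the token has sudo


def create_child(parent, requested, no_default_policy=False, fixed=True):
    """Return the policy set a child token would receive, or raise.

    fixed=False reproduces the pre-0.6.4 behaviour described in the notes:
    "default" was attached to the child without checking the parent held it.
    """
    requested = frozenset(requested)
    child = requested if no_default_policy else requested | {"default"}
    # sudo on the creation path lets a parent hand out policies it lacks
    if CREATE_PATH in parent.sudo_paths:
        return child
    # old code compared only the explicitly requested policies;
    # fixed code compares the child's full effective set, "default" included
    checked = child if fixed else requested
    escalated = checked - parent.policies
    if escalated:
        raise PermissionError(f"parent lacks {sorted(escalated)}")
    return child


def escalation_demo():
    """Parent without 'default': old check grants it, fixed check refuses."""
    parent = Token(policies=frozenset({"app-read"}))
    old = create_child(parent, ["app-read"], fixed=False)
    try:
        create_child(parent, ["app-read"], fixed=True)
        new = "allowed"
    except PermissionError:
        new = "denied"
    return "default" in old, new
```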
diffstat:
security/vault/Makefile | 5 ++---
security/vault/distinfo | 10 +++++-----
2 files changed, 7 insertions(+), 8 deletions(-)
diffs (28 lines):
diff -r 40e3c1e72952 -r 7e19106cdd1f security/vault/Makefile
--- a/security/vault/Makefile Tue Jan 03 07:39:15 2017 +0000
+++ b/security/vault/Makefile Tue Jan 03 07:44:01 2017 +0000
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.7 2016/12/04 16:30:00 bsiegert Exp $
+# $NetBSD: Makefile,v 1.8 2017/01/03 07:44:01 fhajny Exp $
-DISTNAME= vault-0.6.2
-PKGREVISION= 2
+DISTNAME= vault-0.6.4
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
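Review bot: PKGREVISION is removed together with the DISTNAME change from vault-0.6.2 to vault-0.6.4, which is the expected pkgsrc convention when the upstream version moves; the bump skips 0.6.3 in one step, so the 0.6.3 release notes included in the commit description are the right place to account for the intervening changes.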
diff -r 40e3c1e72952 -r 7e19106cdd1f security/vault/distinfo
--- a/security/vault/distinfo Tue Jan 03 07:39:15 2017 +0000
+++ b/security/vault/distinfo Tue Jan 03 07:44:01 2017 +0000
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.3 2016/10/26 11:49:11 fhajny Exp $
+$NetBSD: distinfo,v 1.4 2017/01/03 07:44:01 fhajny Exp $
-SHA1 (vault-0.6.2.tar.gz) = 09e54a09b4ed1469cc67a886c438ba89810c3077
-RMD160 (vault-0.6.2.tar.gz) = 84725d159f53319db6071b403a8c4599559e35dc
-SHA512 (vault-0.6.2.tar.gz) = 5d444c32ee1dc464f9210331ed26ab56b9aaeb5fbdcb5c2fcc4d9363c6d1e60780d7c2f5020ebc3345fb8c3f32b3b8f8acc58533d5a036202685252b2affbe3e
-Size (vault-0.6.2.tar.gz) = 4862801 bytes
+SHA1 (vault-0.6.4.tar.gz) = 788539891a2ad0d358b35aba9fddbac90a60b6f9
+RMD160 (vault-0.6.4.tar.gz) = d4b0dee5d372ece57ae21c307e460137cc575404
+SHA512 (vault-0.6.4.tar.gz) = 413d3072ce99cd3a7bb39523ee2791b7839fb3887511ab620390c18aa498c8cb0d4376846a6d57dca616e968f72b720b63745153c470b539d6ce6c4dcd218c5e
+Size (vault-0.6.4.tar.gz) = 5167905 bytes
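Review bot: the new SHA1, RMD160, SHA512 and Size entries pin exactly the vault-0.6.4.tar.gz that was fetched from the GitHub MASTER_SITES set in the Makefile; since a GitHub-generated source archive carries no upstream signature, a sentence in the commit message recording how the fetched tarball was verified would strengthen the supply-chain record alongside these checksums.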