pkgsrc-WIP-changes archive
vault: update to version 1.11.4.
Module Name: pkgsrc-wip
Committed By: Havard Eidnes <he%NetBSD.org@localhost>
Pushed By: he
Date: Sat Oct 1 12:21:39 2022 +0200
Changeset: 21c06d3c86627cfd870c24f292853b8401d01445
Modified Files:
vault/Makefile
vault/distinfo
vault/go-modules.mk
Log Message:
vault: update to version 1.11.4.
Pkgsrc changes:
* Only version number, go-modules.mk and checksums.
Upstream changes:
1.11.4
September 30, 2022
SECURITY:
* Non-Expiring Leases: Vault and Vault Enterprise renewed
nearly-expiring token leases and dynamic secret leases with a
zero-second TTL, causing them to be treated as non-expiring,
and never revoked. This issue affects Vault and Vault Enterprise
versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5,
and 1.7.2 (CVE-2021-32923).
CHANGES:
* licensing (enterprise): Remove support for stored licenses and
associated sys/license and sys/license/signed endpoints in favor
of autoloaded licenses.
* replication (enterprise): The
/sys/replication/performance/primary/mount-filter endpoint has
been removed. Please use Paths Filter instead.
FEATURES:
* transform (enterprise): MySQL databases can now be used as
external stores for tokenization
* transform (enterprise): Support key rotation for tokenization
transformations
* transform (enterprise): Add snapshot and restore functionality
to tokenization
* Autopilot Improvements (Enterprise): Autopilot on Vault Enterprise
now supports automated upgrades and redundancy zones when using
integrated storage.
* Key Management Secrets Engine (Enterprise): Adds support for
distributing and managing keys in GCP Cloud KMS. [GH-2158]
* Namespaces (Enterprise): Adds support for locking Vault API for
particular namespaces. [GH-2213]
* Transform Secrets Engine (Enterprise): New features for advanced
encoding and decoding in format preserving encryption.
* kmip (enterprise): Return SecretData as supported Object Type.
* storage/raft/autopilot (enterprise): Enable Autopilot on DR
secondary clusters
IMPROVEMENTS:
* transform (enterprise): Improve FPE transformation performance
* transform (enterprise): Use transactions with batch tokenization
operations for improved performance
* core/managed-keys (enterprise): Allow configuring the number
of parallel operations to PKCS#11 managed keys.
* agent/auto-auth: Add exit_on_err which when set to true, will
cause Agent to exit if any errors are encountered during
authentication. [GH-17091]
* agent: Send notifications to systemd on start and stop. [GH-9802]
* command (enterprise): "vault license get" now uses non-deprecated
endpoint /sys/license/status
* core (enterprise): Include termination_time in sys/license/status
response
* core (enterprise): Include termination time in license inspect
command output
* core: Add metrics to report if a node is a perf standby, if a
node is a dr secondary or primary, and if a node is a perf
secondary or primary. Also allow DR secondaries to serve metrics
requests when using unauthenticated_metrics_access. [GH-1844]
* core: Bump Go version in enterprise to 1.17.7.
* http (enterprise): Serve /sys/license/status endpoint within
namespaces
* kmip (enterprise): Implement operations Query, Import, Encrypt
and Decrypt. Improve operations Locate, Add Attribute, Get
Attributes and Get Attribute List to handle most supported
attributes.
* replication (enterprise): Add merkle.flushDirty.num_pages_outstanding
metric which specifies number of outstanding dirty pages that
were not flushed. [GH-2093]
* replication: Delay evaluation of X-Vault-Index headers until
merkle sync completes. [GH-1814]
* sentinel (enterprise): Upgrade sentinel to v0.18.5 to avoid
potential naming collisions in the remote installer
* transform (enterprise): Add a reference field to batch items,
and propagate it to the response
BUG FIXES:
* Fixed panic when adding or modifying a Duo MFA Method in Enterprise
* agent: Fixes bug where vault agent is unaware of the namespace
in the config when wrapping token
* auth/cert: Vault does not initially load the CRLs in cert auth
unless the read/write CRL endpoint is hit. [GH-17138]
* auth/kubernetes: Restore support for JWT signature algorithm
ES384 [GH-160] [GH-17162]
* auth/token: Fix ignored parameter warnings for valid parameters
on token create [GH-16938]
* core (enterprise): Allow deletion of stored licenses on DR
secondary nodes
* core (enterprise): Allow local alias create RPCs to persist
alias metadata
* core (enterprise): Fix a data race in logshipper.
* core (enterprise): Fix data race during perf standby sealing
* core (enterprise): Fix overcounting of lease count quota usage
at startup.
* core (enterprise): Fix some races in merkle index flushing code
found in testing
* core (enterprise): Handle additional edge cases reinitializing
PKCS#11 libraries after login errors.
* core (enterprise): Workaround AWS CloudHSM v5 SDK issue not
allowing read-only sessions
* core (enterprise): serialize access to HSM entropy generation
to avoid errors in concurrent key generation.
* core/license (enterprise): Always remove stored license and
allow unseal to complete when license cleanup fails
* core/managed-keys (enterprise): Allow PKCS#11 managed keys to
use 0 as a slot number
* core/quotas: Fix goroutine leak caused by the seal process not
fully cleaning up Rate Limit Quotas. [GH-17281]
* core/replication (enterprise): Don't flush merkle tree pages to
disk after losing active duty
* core: Prevent two or more DR failovers from invalidating SSCT
tokens generated on the previous primaries. [GH-16956]
* core: initialized unlicensed raft nodes were starting instead
of failing with an error. [GH-1989]
* ha (enterprise): Prevents performance standby nodes from serving
and caching stale data immediately after performance standby
election completes
* http (enterprise): Always forward internal/counters endpoints
from perf standbys to active node
* identity/oidc: Adds claims_supported to discovery document.
[GH-16992]
* kmip (enterprise): Fix handling of custom attributes when
servicing GetAttributes requests
* kmip (enterprise): Fix handling of invalid role parameters within
various vault api calls
* kmip (enterprise): Fix locate by name operations fail to find
key after a rekey operation.
* kmip (enterprise): Forward KMIP register operations to the active
node
* license: ignore stored terminated license while autoloading is
enabled [GH-2104]
* licensing (enterprise): Revert accidental inclusion of the TDE
feature from the prem build.
* raft (enterprise): Fix panic when updating auto-snapshot config
* replication (enterprise): Fix data race in SaveCheckpoint()
* replication (enterprise): Fix issue where merkle.flushDirty.num_pages
metric is not emitted if number of dirty pages is 0. [GH-2093]
* replication (enterprise): Fix merkle.saveCheckpoint.num_dirty
metric to accurately specify the number of dirty pages in the
merkle tree at time of checkpoint creation. [GH-2093]
* replication (enterprise): When using encrypted secondary tokens,
only clear the private key after a successful connection to the
primary cluster
* replication: Fix panic trying to update walState during identity
group invalidation. [GH-1865]
* replication: Fix: mounts created within a namespace that was
part of an Allow filtering rule would not appear on performance
secondary if created after rule was defined. [GH-1807]
* secrets/pki: Fix regression causing performance secondaries to
forward certificate generation to the primary. [GH-2456]
* secrets/transform (enterprise): Fix an issue loading tokenization
transform configuration after a specific sequence of reconfigurations.
* secrets/transform (enterprise): Fix persistence problem with
tokenization store credentials.
* storage/raft (enterprise): Auto-snapshot configuration now
forbids slashes in file prefixes for all types, and "/" in path
prefix for local storage type. Strip leading prefix in path
prefix for AWS. Improve error handling/reporting.
* storage/raft (enterprise): Ensure that raft autosnapshot backoff
retry duration never hits 0s
* storage/raft: Nodes no longer get demoted to nonvoter if we
don't know their version due to missing heartbeats. [GH-17019]
* transform (enterprise): Enforce minimum cache size for Transform
backend and reset cache size without a restart
* transform (enterprise): Fix a bug in the handling of nested or
unmatched capture groups in FPE transformations.
* transform (enterprise): Fix an error where the decode response
of an expired token is an empty result rather than an error.
* ui: Fix lease force revoke action [GH-16930]
* ui: Fixes secret version and status menu links transitioning to
auth screen [GH-16983]
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=21c06d3c86627cfd870c24f292853b8401d01445
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
vault/Makefile | 2 +-
vault/distinfo | 18 +++++++++---------
vault/go-modules.mk | 4 ++--
3 files changed, 12 insertions(+), 12 deletions(-)
diffs:
diff --git a/vault/Makefile b/vault/Makefile
index 6718d70483..6b1f366e9c 100644
--- a/vault/Makefile
+++ b/vault/Makefile
@@ -1,6 +1,6 @@
# $NetBSD$
-DISTNAME= vault-1.11.3
+DISTNAME= vault-1.11.4
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GITHUB:=hashicorp/}
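Review bot: on the `DISTNAME` bump from `vault-1.11.3` to `vault-1.11.4`, the log message does not make clear whether this is a security-relevant update. The only SECURITY entry it quotes (CVE-2021-32923) is stated there as already fixed in 1.5.9, 1.6.5 and 1.7.2, so it describes nothing that changes between 1.11.3 and 1.11.4. Consider trimming the quoted upstream notes to the entries that apply to this version, so that users deciding whether to rebuild can tell what actually changed.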
diff --git a/vault/distinfo b/vault/distinfo
index 476bda19a4..aa9ffb10d6 100644
--- a/vault/distinfo
+++ b/vault/distinfo
@@ -2796,12 +2796,12 @@ Size (github.com_hashicorp_vault-plugin-auth-kerberos_@v_v0.7.3.mod) = 901 bytes
BLAKE2s (github.com_hashicorp_vault-plugin-auth-kerberos_@v_v0.7.3.zip) = 8a45dec59b876dd2ea2a7e0f4a1c259eced8ff0bbc86352f3e2bb5d869fc7ac7
SHA512 (github.com_hashicorp_vault-plugin-auth-kerberos_@v_v0.7.3.zip) = c9d7e0a2ca50d0c6528b075a83bd813115b092f213791dc1d7123b8bf3e6bddcf281d75d24d1c5bbb3fd76397e6882f90f63d5a1fd91e66b58e46694eed7e800
Size (github.com_hashicorp_vault-plugin-auth-kerberos_@v_v0.7.3.zip) = 66195 bytes
-BLAKE2s (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.0.mod) = f0c87909ab2c05a3e8abc30d042511a1eb2042186cb8269234ca53316d5bf641
-SHA512 (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.0.mod) = 6be5c84a454feab7200ae543b08831248954bd6d76924d455af4adec5c56667cbfb8dab99a6b67223369b2dccdee855465e78291867b0bf2cc1bcd368c741895
-Size (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.0.mod) = 3402 bytes
-BLAKE2s (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.0.zip) = fdfc7edc5c51a8cb03f81e4c6e45d99c1bebe09d159683cd45f6dbdb2a5179ed
-SHA512 (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.0.zip) = 83c70e8ee99994e5b49ed2e0646c7f267e806238222caea0f6241dc3336ad88e3672abc098b489fbf06e8b5659e2ba8fbcbaff06ff50ee0e8be5f8a76ef87c07
-Size (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.0.zip) = 76972 bytes
+BLAKE2s (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.2.mod) = f0c87909ab2c05a3e8abc30d042511a1eb2042186cb8269234ca53316d5bf641
+SHA512 (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.2.mod) = 6be5c84a454feab7200ae543b08831248954bd6d76924d455af4adec5c56667cbfb8dab99a6b67223369b2dccdee855465e78291867b0bf2cc1bcd368c741895
+Size (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.2.mod) = 3402 bytes
+BLAKE2s (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.2.zip) = 62cc2b2b8e748e538441508b185460f6cc4fdd6e011068878c3c7784acf1e88b
+SHA512 (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.2.zip) = ffbe6aabe7a94d6fb9e6fd98851c29066e3e4034a0e9e64d5a0f9d8f4c86dc47281b645eea5d2f086fa6ccd9c744006b8d4173ea1082dbbefe790caec24db5bf
+Size (github.com_hashicorp_vault-plugin-auth-kubernetes_@v_v0.13.2.zip) = 76975 bytes
BLAKE2s (github.com_hashicorp_vault-plugin-auth-oci_@v_v0.11.0.mod) = 93ebc939061995d8a210edc679c7544120c631cbf2850e007e933dc439b2b9fe
SHA512 (github.com_hashicorp_vault-plugin-auth-oci_@v_v0.11.0.mod) = 532a95bef5f921b247f8db9ec3507852bc9d021d9c1aa68c5c4cdee2a3680c2cad74ed89cd76268d27a77c4d743b0807f663d48ce3c85ed89ac7309144aff77c
Size (github.com_hashicorp_vault-plugin-auth-oci_@v_v0.11.0.mod) = 1073 bytes
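Review bot: the three `.mod` lines added for `vault-plugin-auth-kubernetes` v0.13.2 carry exactly the same BLAKE2s, SHA512 and size (3402 bytes) as the removed v0.13.0 lines; only the version in the file name differs. A go.mod that is byte-identical across two releases is possible, but please confirm these values were regenerated from the fetched v0.13.2.mod (for example by re-running `make makesum`) rather than carried over by a rename. The `.zip` lines do change (size 76972 to 76975 bytes, new digests), which is what a regenerated entry should look like.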
@@ -6930,6 +6930,6 @@ Size (sigs.k8s.io_yaml_@v_v1.2.0.mod) = 106 bytes
BLAKE2s (sigs.k8s.io_yaml_@v_v1.2.0.zip) = 196614bfe35a861524f0dd2e2e0b63fbd650b889bab18114f167720f05506b70
SHA512 (sigs.k8s.io_yaml_@v_v1.2.0.zip) = 52a52b3d380ae6e2cbe1b2c849d3089f74aa876fb3fadfbd02eada97446e0f2cf387f10ddb527f2dfefd57dccba8c82b0b349efbecaa0e6e3d00dc2b5d4fc21e
Size (sigs.k8s.io_yaml_@v_v1.2.0.zip) = 20937 bytes
-BLAKE2s (vault-1.11.3.tar.gz) = 3987ce1cdc85fc8a9fa88e7d959115887a86ad8fd0a75ae81e5fea34c2bffbed
-SHA512 (vault-1.11.3.tar.gz) = efff9e7e7695a699fcedfdf68d2daeb38647abbc3bc385a1de8a927875ffdf5e9d8165fe7cb589e44743cb73ef6e2511b91560dbeb551b3e15d04092519087bc
-Size (vault-1.11.3.tar.gz) = 29735393 bytes
+BLAKE2s (vault-1.11.4.tar.gz) = 8a9608632e0d04ad0698b680386ee26c515993f6f86d31a7808bc42ddda9afed
+SHA512 (vault-1.11.4.tar.gz) = 69876932251e7d1e581f32e2bbebdf9a85d30fd07dd62175acc5633d387db3d98213db8ab06a1c9f3d2d0c770f5f43194d2a765727478f00f7c2593c62eeef92
+Size (vault-1.11.4.tar.gz) = 29744617 bytes
diff --git a/vault/go-modules.mk b/vault/go-modules.mk
index 58891d7da8..0041bb4f7b 100644
--- a/vault/go-modules.mk
+++ b/vault/go-modules.mk
@@ -932,8 +932,8 @@ GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-jwt/@v/v0.13.0.mod
GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-jwt/@v/v0.13.0.zip
GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-kerberos/@v/v0.7.3.mod
GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-kerberos/@v/v0.7.3.zip
-GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-kubernetes/@v/v0.13.0.mod
-GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-kubernetes/@v/v0.13.0.zip
+GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-kubernetes/@v/v0.13.2.mod
+GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-kubernetes/@v/v0.13.2.zip
GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-oci/@v/v0.11.0.mod
GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-auth-oci/@v/v0.11.0.zip
GO_MODULE_FILES+= github.com/hashicorp/vault-plugin-database-couchbase/@v/v0.7.0.mod
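Review bot: the switch of `vault-plugin-auth-kubernetes` from v0.13.0 to v0.13.2 is the only module change in this hunk, but the "Pkgsrc changes" section of the log message does not name it. Mention the dependency with its old and new version there. It appears to correspond to the quoted "auth/kubernetes: Restore support for JWT signature algorithm ES384" fix, and naming it makes the dependency change auditable from the log alone.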