Security notes for 1.5.7 (#10796)

* Changelog notes for 1.6.2 (#10737) * More version info for 1.5 changes
hashicorp · Jan 27, 2021 · deaa26d · deaa26d
1 parent ee14adb
commit deaa26d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/changelog/_2021Jan20.txt b/changelog/_2021Jan20.txt
@@ -0,0 +1,12 @@
+```release-note:security
+Mount Path Disclosure: Vault previously returned different HTTP status codes for
+existent and non-existent mount paths. This behavior would allow unauthenticated
+brute force attacks to reveal which paths had valid mounts. This issue affects
+Vault and Vault Enterprise and is fixed in 1.6.2 and 1.5.7 (CVE-2020-25594).
+```
+```release-note:security
+IP Address Disclosure: We fixed a vulnerability where, under some error
+conditions, Vault would return an error message disclosing internal IP
+addresses. This vulnerability affects Vault and Vault Enterprise and is fixed in
+1.6.2 and 1.5.7 (CVE-2021-3024).
+```
diff --git a/changelog/changelog.tmpl b/changelog/changelog.tmpl
@@ -14,6 +14,14 @@ SECURITY:
 {{ end -}}
 {{- end -}}
 
+{{- if .NotesByType.change }}
+CHANGES:
+
+{{range .NotesByType.change -}}
+* {{ template "note" . }}
+{{ end -}}
+{{- end -}}
+
 {{- if .NotesByType.feature -}}
 FEATURES: