v1.15.7+ent

@mladlow mladlow released this 29 Mar 19:11
· 1535 commits to main since this release
c21465e

1.15.7 Enterprise

March 28, 2024

This release is created to share the Vault Enterprise changelog and notify consumers of availability. The attached source and assets do not include Vault Enterprise code and should not be used in place of official Docker images or binaries.

SECURITY:

  • auth/cert: validate that the OCSP response was signed by the expected issuer and that the serial number matched the request [GH-26091]

IMPROVEMENTS:

  • auth/cert: Allow validation with OCSP responses with no NextUpdate time [GH-25912]
  • core (enterprise): Avoid seal rewrapping in some specific unnecessary cases.
  • core (enterprise): persist seal rewrap status, so rewrap status API is consistent on secondary nodes.
  • ui: remove leading slash from KV version 2 secret paths [GH-25874]

BUG FIXES:

  • audit: Operator changes to configured audit headers (via /sys/config/auditing)
    will now force invalidation and be reloaded from storage when data is replicated
    to other nodes.
  • auth/cert: Address an issue in which OCSP query responses were not cached [GH-25986]
  • auth/cert: Allow cert auth login attempts if ocsp_fail_open is true and OCSP servers are unreachable [GH-25982]
  • cli: fix the plugin register command failing to return an error when the plugin image doesn't exist [GH-24990]
  • core (enterprise): fix issue where the Seal HA rewrap system may remain running when an active node steps down.
  • core/login: Fixed a potential deadlock when a login fails and user lockout is enabled. [GH-25697]
  • replication (enterprise): fixed data integrity issue with the processing of identity aliases causing duplicates to occur in rare cases
  • ui: Fix kubernetes auth method roles tab [GH-25999]
  • ui: call resultant-acl without namespace header when user mounted at root namespace [GH-25766]