Skip to content

v1.14.1

Compare
Choose a tag to compare
@hc-github-team-es-release-engineering hc-github-team-es-release-engineering released this 25 Jul 18:08
bf23fe8

July 25, 2023

CHANGES:

  • auth/ldap: Normalize HTTP response codes when invalid credentials are provided [GH-21282]
  • core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
    which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
  • secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
  • storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]

IMPROVEMENTS:

  • core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
  • eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [GH-21623]
  • openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [GH-21563]
  • replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
  • secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [GH-21702]
  • secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
  • sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]

BUG FIXES:

  • agent: Fix "generate-config" command documentation URL [GH-21466]
  • auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21800]
  • auth/token, sys: Fix path-help being unavailable for some list-only endpoints [GH-18571]
  • auth/token: Fix parsing of auth/token/create fields to avoid incorrect warnings about ignored parameters [GH-18556]
  • awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
    respects AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, and AWS_ROLE_SESSION_NAME. [GH-21951]
  • core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
  • core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
  • core: Fixed issue with some durations not being properly parsed to include days. [GH-21357]
  • identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
  • openapi: Fix response schema for PKI Issue requests [GH-21449]
  • openapi: Fix schema definitions for PKI EAB APIs [GH-21458]
  • replication (enterprise): update primary cluster address after DR failover
  • secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21631]
  • secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [GH-21870]
  • secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [GH-21870]
  • secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this the error: no managed key found with uuid. [GH-21316]
  • secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
  • secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
  • serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
  • ui: Adds missing values to details view after generating PKI certificate [GH-21635]
  • ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]
  • ui: Fixed secrets, leases, and policies filter dropping focus after a single character [GH-21767]
  • ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [GH-21562]
  • ui: Fixes login screen display issue with Safari browser [GH-21582]
  • ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [GH-21926]
  • ui: Fixes styling of private key input when configuring an SSH key [GH-21531]
  • ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]