update changelog with recent security entries (#13868)

This includes:
* HSEC-2021-33 / CVE-2021-45042
* HSEC-2021-30 / CVE-2021-43998
* HSEC-2021-27 / CVE-2021-41802
mickael-hc
2022-02-02 11:12:54 -05:00
committed by GitHub
parent 057c67f969
commit 6fc4eca879


@@ -159,6 +159,10 @@ BUG FIXES:
## 1.9.1
### December 9, 2021
SECURITY:
* storage/raft: Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1.
IMPROVEMENTS:
* storage/aerospike: Upgrade `aerospike-client-go` to v5.6.0. [[GH-12165](https://github.com/hashicorp/vault/pull/12165)]
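Review bot: the new `storage/raft` bullet cites only CVE-2021-45042, while the commit message also names the advisory HSEC-2021-33, and the neighbouring bullets in this section link their source (for example `[[GH-12165](https://github.com/hashicorp/vault/pull/12165)]`). Add the HSEC identifier (and the advisory link, if one is published) to the entry so the changelog matches the commit message and a reader can reach the advisory; the same line is pasted into two more sections further down this diff, so apply it to all three copies.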
@@ -219,6 +223,11 @@ those who have implemented local auth mounts for complying with GDPR guidelines.
* **Oracle Database UI**: The UI now supports adding and editing Oracle connections in the database secret engine. [[GH-12752](https://github.com/hashicorp/vault/pull/12752)]
* **Postgres Database UI**: The UI now supports adding and editing Postgres connections in the database secret engine. [[GH-12945](https://github.com/hashicorp/vault/pull/12945)]
SECURITY:
* core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other users policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5, 1.8.4, and 1.9.0.
* core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
IMPROVEMENTS:
* agent/cache: Process persistent cache leases in dependency order during restore to ensure child leases are always correctly restored [[GH-12843](https://github.com/hashicorp/vault/pull/12843)]
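Review bot: grammar in the CVE-2021-41802 bullet: "may acquire this other users policies" should read "this other user's policies". The identical sentence is added under the 1.8.4 and 1.7.5 headings below, so fix all three copies in this commit rather than leaving the typo to be corrected one section at a time.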
@@ -417,6 +426,10 @@ CHANGES:
* go: Update go version to 1.16.9 [[GH-13029](https://github.com/hashicorp/vault/pull/13029)]
SECURITY:
* storage/raft: Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1.
BUG FIXES:
* ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
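Review bot: this hunk inserts the SECURITY: block after CHANGES: (the go 1.16.9 bullet), whereas every other hunk in this commit places SECURITY: directly under the version and date heading, ahead of IMPROVEMENTS: or BUG FIXES:. Move the block above CHANGES: so advisories sit in the same position in every release section. The hunk context also does not show the release heading; confirm this is the 1.8.6 section, since the entry names 1.8.6 as a fixed version and the 1.9.1 and 1.7.7 sections already carry the same line.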
@@ -431,6 +444,10 @@ BUG FIXES:
## 1.8.5
### November 4, 2021
SECURITY:
* core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
BUG FIXES:
* auth/aws: fix config/rotate-root to store new key [[GH-12715](https://github.com/hashicorp/vault/pull/12715)]
@@ -447,6 +464,10 @@ BUG FIXES:
## 1.8.4
### 6 October 2021
SECURITY:
* core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other users policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
IMPROVEMENTS:
* core: Update Oracle Cloud library to enable seal integration with the uk-gov-london-1 region [[GH-12724](https://github.com/hashicorp/vault/pull/12724)]
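Review bot: the fixed-version list for CVE-2021-41802 is inconsistent across the entries this commit adds: this 1.8.4 entry (and the 1.7.5 entry below) says "fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4", while the copy added under 1.9.0 earlier in the diff says "1.7.5, 1.8.4, and 1.9.0". Use one list in all three places; since the line is also being added to the 1.9.0 section, "1.7.5, 1.8.4, and 1.9.0" is the complete one.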
@@ -718,6 +739,10 @@ BUG FIXES:
## 1.7.7
### December 9, 2021
SECURITY:
* storage/raft: Integrated Storage backend could be caused to crash by an authenticated user with write permissions to the KV secrets engine. This vulnerability, CVE-2021-45042, was fixed in Vault 1.7.7, 1.8.6, and 1.9.1.
BUG FIXES:
* ha (enterprise): Prevents performance standby nodes from serving and caching stale data immediately after performance standby election completes
@@ -730,6 +755,10 @@ BUG FIXES:
## 1.7.6
### November 4, 2021
SECURITY:
* core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.
BUG FIXES:
* auth/aws: fix config/rotate-root to store new key [[GH-12715](https://github.com/hashicorp/vault/pull/12715)]
@@ -748,6 +777,10 @@ BUG FIXES:
## 1.7.5
### 29 September 2021
SECURITY:
* core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other users policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.
IMPROVEMENTS:
* secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [[GH-12514](https://github.com/hashicorp/vault/pull/12514)]