scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 18:17:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Update changelog with recent advisories (#28680)

Browse Source 
* add link to HCSEC-2024-20

* add HCSEC-2024-21
This commit is contained in:
mickael-hc
2024-10-10 17:58:41 -04:00
committed by GitHub
parent 948332ed3e
commit e81b6bdbb2
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
CHANGELOG.md
View File

@@ -5,6 +5,10 @@
## 1.18.0 ## 1.18.0
## October 9, 2024 ## October 9, 2024
SECURITY:
* secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) [HCSEC-2024-21](https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565)
CHANGES: CHANGES:
* activity (enterprise): filter all fields in client count responses by the request namespace [[GH-27790](https://github.com/hashicorp/vault/pull/27790)] * activity (enterprise): filter all fields in client count responses by the request namespace [[GH-27790](https://github.com/hashicorp/vault/pull/27790)]
@@ -212,6 +216,10 @@ use versioned plugins. [[GH-27881](https://github.com/hashicorp/vault/pull/27881
## 1.17.7 Enterprise ## 1.17.7 Enterprise
### October 09, 2024 ### October 09, 2024
SECURITY:
* secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) [HCSEC-2024-21](https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565)
IMPROVEMENTS: IMPROVEMENTS:
* core: log at level ERROR rather than INFO when all seals are unhealthy. [[GH-28564](https://github.com/hashicorp/vault/pull/28564)] * core: log at level ERROR rather than INFO when all seals are unhealthy. [[GH-28564](https://github.com/hashicorp/vault/pull/28564)]
@@ -228,6 +236,9 @@ BUG FIXES:
## 1.17.6 ## 1.17.6
### September 25, 2024 ### September 25, 2024
SECURITY:
* secrets/ssh: require `valid_principals` to contain a value or `default_user` be set by default to guard against potentially insecure configurations. `allow_empty_principals` can be used for backwards compatibility [HCSEC-2024-20](https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/70251)
CHANGES: CHANGES:
* core: Bump Go version to 1.22.7 * core: Bump Go version to 1.22.7
@@ -586,6 +597,10 @@ autopilot to fail to discover new server versions and so not trigger an upgrade.
**Enterprise LTS:** Vault Enterprise 1.16 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release. **Enterprise LTS:** Vault Enterprise 1.16 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
SECURITY:
* secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) [HCSEC-2024-21](https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565)
IMPROVEMENTS: IMPROVEMENTS:
* core: log at level ERROR rather than INFO when all seals are unhealthy. [[GH-28564](https://github.com/hashicorp/vault/pull/28564)] * core: log at level ERROR rather than INFO when all seals are unhealthy. [[GH-28564](https://github.com/hashicorp/vault/pull/28564)]
@@ -603,6 +618,9 @@ BUG FIXES:
**Enterprise LTS:** Vault Enterprise 1.16 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release. **Enterprise LTS:** Vault Enterprise 1.16 is a [Long-Term Support (LTS)](https://developer.hashicorp.com/vault/docs/enterprise/lts) release.
SECURITY:
* secrets/ssh: require `valid_principals` to contain a value or `default_user` be set by default to guard against potentially insecure configurations. `allow_empty_principals` can be used for backwards compatibility [HCSEC-2024-20](https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/7025
CHANGES: CHANGES:
* core: Bump Go version to 1.22.7. * core: Bump Go version to 1.22.7.
@@ -1229,6 +1247,10 @@ leading to failure to complete merkle sync without a full re-index. [[GH-23013](
## 1.15.16 Enterprise ## 1.15.16 Enterprise
### October 09, 2024 ### October 09, 2024
SECURITY:
* secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) [HCSEC-2024-21](https://discuss.hashicorp.com/t/hcsec-2024-21-vault-operators-in-root-namespace-may-elevate-their-privileges/70565)
IMPROVEMENTS: IMPROVEMENTS:
* core: log at level ERROR rather than INFO when all seals are unhealthy. [[GH-28564](https://github.com/hashicorp/vault/pull/28564)] * core: log at level ERROR rather than INFO when all seals are unhealthy. [[GH-28564](https://github.com/hashicorp/vault/pull/28564)]
@@ -1241,6 +1263,9 @@ BUG FIXES:
## 1.15.15 Enterprise ## 1.15.15 Enterprise
### September 25, 2024 ### September 25, 2024
SECURITY:
* secrets/ssh: require `valid_principals` to contain a value or `default_user` be set by default to guard against potentially insecure configurations. `allow_empty_principals` can be used for backwards compatibility [HCSEC-2024-20](https://discuss.hashicorp.com/t/hcsec-2024-20-vault-ssh-secrets-engine-configuration-did-not-restrict-valid-principals-by-default/7025
CHANGES: CHANGES:
* core: Bump Go version to 1.22.7. * core: Bump Go version to 1.22.7.