Changelog for vault-0.9.1-12.6.x86_64.rpm:
Fri Dec 29 13:00:00 2017 mika.hahtokariAATTfi.fujitsu.com
- Update to 0.9.1
Fri Sep 1 14:00:00 2017 damienradtkeAATTgmail.com
- Fix build version
Tue Mar 22 13:00:00 2016 mrueckertAATTsuse.de
- enable the permissions file handling
Mon Mar 21 13:00:00 2016 mrueckertAATTsuse.de
- add systemd service files
- add sample config file
- add permissions file to set the needed capabilities for mlock
Sun Mar 20 13:00:00 2016 msabateAATTsuse.com
- I forgot to add the too_many_requests.patch file
Thu Mar 17 13:00:00 2016 msabateAATTsuse.com
- Updated to 0.5.2
FEATURES:
* **MSSQL Backend**: Generate dynamic unique MSSQL database credentials based
on configured roles [GH-998]
* **Token Accessors**: Vault now provides an accessor with each issued token.
This accessor is an identifier that can be used for a limited set of
actions, notably for token revocation. This value is by default logged in
plaintext to audit logs, and in combination with the plaintext metadata
logged to audit logs, provides a searchable and straightforward way to
revoke particular users' or services' tokens in many cases. At enable time,
audit backends can be configured to HMAC the accessor instead.
* **Token Credential Backend Roles**: Roles can now be created in the `token`
credential backend that allow modifying token behavior in ways that are not
otherwise exposed or easily delegated. This allows creating tokens with a
fixed set (or subset) of policies (rather than a subset of the calling
token's), periodic tokens with a fixed TTL but no expiration, specified
prefixes, and orphans.
* **Listener Certificate Reloading**: Vault's configured listeners now reload
their TLS certificate and private key when the Vault process receives a
SIGHUP.
IMPROVEMENTS:
* auth/token: Endpoints optionally accept tokens from the HTTP body rather
than just from the URLs [GH-1211]
* auth/token,sys/capabilities: Added new endpoints
`auth/token/lookup-accessor`, `auth/token/revoke-accessor` and
`sys/capabilities-accessor`, which enables performing the respective actions
with just the accessor of the tokens, without having access to the actual
token [GH-1188]
* core: Ignore leading `/` in policy paths [GH-1170]
* core: Ignore leading `/` in mount paths [GH-1172]
* command/policy-write: Provided HCL is now validated for format violations
and provides helpful information around where the violation occurred
[GH-1200]
* command/server: The initial root token ID when running in `-dev` mode can
now be specified via `-dev-root-token-id` or the environment variable
`VAULT_DEV_ROOT_TOKEN_ID` [GH-1162]
* command/server: The listen address when running in `-dev` mode can now be
specified via `-dev-listen-address` or the environment variable
`VAULT_DEV_LISTEN_ADDRESS` [GH-1169]
* command/server: The configured listeners now reload their TLS
certificates/keys when Vault is SIGHUP'd [GH-1196]
* command/step-down: New `vault step-down` command and API endpoint to force
the targeted node to give up active status, but without sealing. The node
will wait ten seconds before attempting to grab the lock again. [GH-1146]
* command/token-renew: Allow no token to be passed in; use `renew-self` in
this case. Change the behavior for any token being passed in to use `renew`.
[GH-1150]
* credential/app-id: Allow `app-id` parameter to be given in the login path;
this causes the `app-id` to be part of the token path, making it easier to
use with `revoke-prefix` [GH-424]
* credential/cert: Non-CA certificates can be used for authentication. They
must be matched exactly (issuer and serial number) for authentication, and
the certificate must carry the client authentication or 'any' extended usage
attributes. [GH-1153]
* credential/cert: Subject and Authority key IDs are output in metadata; this
allows more flexible searching/revocation in the audit logs [GH-1183]
* credential/cert: Support listing configured certs [GH-1212]
* credential/userpass: Add support for `create`/`update` capability
distinction in user path, and add user-specific endpoints to allow changing
the password and policies [GH-1216]
* credential/token: Add roles [GH-1155]
* secret/mssql: Add MSSQL backend [GH-998]
* secret/pki: Add revocation time (zero or Unix epoch) to `pki/cert/SERIAL`
endpoint [GH-1180]
* secret/pki: Sanitize serial number in `pki/revoke` endpoint to allow some
other formats [GH-1187]
* secret/ssh: Added documentation for `ssh/config/zeroaddress` endpoint.
[GH-1154]
* sys: Added new endpoints `sys/capabilities` and `sys/capabilities-self` to
fetch the capabilities of a token on a given path [GH-1171]
* sys: Added `sys/revoke-force`, which enables a user to ignore backend errors
when revoking a lease, necessary in some emergency/failure scenarios
[GH-1168]
* sys: The return codes from `sys/health` can now be user-specified via query
parameters [GH-1199]
BUG FIXES:
* logical/cassandra: Apply hyphen/underscore replacement to the entire
generated username, not just the UUID, in order to handle token display name
hyphens [GH-1140]
* physical/etcd: Output actual error when cluster sync fails [GH-1141]
* vault/expiration: Error responses from the backends are no longer skipped
during renewals [GH-1176]
Fri Mar 4 13:00:00 2016 msabateAATTsuse.com
- Looks like I forgot to add the .changes file...
Sun Feb 28 13:00:00 2016 msabateAATTsuse.com
- Handle the vendor code just like other HC packages
Sun Feb 28 13:00:00 2016 msabateAATTsuse.com
- Updated to 0.5.1:
DEPRECATIONS/BREAKING CHANGES:
* RSA keys less than 2048 bits are no longer supported in the PKI backend.
1024-bit keys are considered unsafe and are disallowed in the Internet PKI.
The `pki` backend has enforced SHA256 hashes in signatures from the
beginning, and software that can handle these hashes should be able to
handle larger key sizes. [GH-1095]
* The PKI backend now does not automatically delete expired certificates,
including from the CRL. Doing so could lead to a situation where a time
mismatch between the Vault server and clients could result in a certificate
that would not be considered expired by a client being removed from the CRL.
The new `pki/tidy` endpoint can be used to trigger expirations. [GH-1129]
* The `cert` backend now performs a variant of channel binding at renewal time
for increased security. In order to not overly burden clients, a notion of
identity is used. This functionality can be disabled. See the 0.5.1 upgrade
guide for more specific information [GH-1127]
FEATURES:
* **Codebase Audit**: Vault's 0.5 codebase was audited by iSEC. (The terms of
the audit contract do not allow us to make the results public.) [GH-220]
IMPROVEMENTS:
* api: The `VAULT_TLS_SERVER_NAME` environment variable can be used to control
the SNI header during TLS connections [GH-1131]
* api/health: Add the server's time in UTC to health responses [GH-1117]
* command/rekey and command/generate-root: These now return the status at
attempt initialization time, rather than requiring a separate fetch for the
nonce [GH-1054]
* credential/cert: Don't require root/sudo tokens for the `certs/` and `crls/`
paths; use normal ACL behavior instead [GH-468]
* credential/github: The validity of the token used for login will be checked
at renewal time [GH-1047]
* credential/github: The `config` endpoint no longer requires a root token;
normal ACL path matching applies
* deps: Use the standardized Go 1.6 vendoring system
* secret/aws: Inform users of AWS-imposed policy restrictions around STS
tokens if they attempt to use an invalid policy [GH-1113]
* secret/mysql: The MySQL backend now allows disabling verification of the
`connection_url` [GH-1096]
* secret/pki: Submitted CSRs are now verified to have the correct key type and
minimum number of bits according to the role. The exception is intermediate
CA signing and the `sign-verbatim` path [GH-1104]
* secret/pki: New `tidy` endpoint to allow expunging expired certificates.
[GH-1129]
* secret/postgresql: The PostgreSQL backend now allows disabling verification
of the `connection_url` [GH-1096]
* secret/ssh: When verifying an OTP, return 400 if it is not valid instead of
204 [GH-1086]
* credential/app-id: App ID backend will check the validity of app-id and user-id
during renewal time [GH-1039]
* credential/cert: TLS Certificates backend, during renewal, will now match the
client identity with the client identity used during login [GH-1127]
BUG FIXES:
* credential/ldap: Properly escape values being provided to search filters
[GH-1100]
* secret/aws: Cap the length of generated usernames for both IAM and STS types
[GH-1102]
* secret/pki: If a cert is not found during lookup of a serial number,
respond with a 400 rather than a 500 [GH-1085]
* secret/postgresql: Add extra revocation statements to better handle more
permission scenarios [GH-1053]
* secret/postgresql: Make connection_url work properly [GH-1112]
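The LDAP search-filter escaping fix listed above (GH-1100) in working form, as an added example and not Vault's own code: the filter template with its `{user}` placeholder and the sample login names are constructed assumptions, and the escaping follows RFC 4515.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeFilterValue escapes a value for embedding in an LDAP search filter
// (RFC 4515 section 3): '*', '(', ')', '\' and NUL must be written as a
// backslash followed by two hex digits. Bytes outside printable ASCII are
// escaped the same way so they can never be read as filter syntax.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20 || c > 0x7e {
			fmt.Fprintf(&b, "\\%02x", c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// unsafeUserFilter is the pre-fix pattern: the login name is spliced into the
// filter template unescaped, so metacharacters in the name alter the filter's
// structure. Template placeholder "{user}" is a constructed assumption.
func unsafeUserFilter(template, username string) string {
	return strings.ReplaceAll(template, "{user}", username)
}

// safeUserFilter is the fixed pattern: the name is escaped before substitution,
// so whatever it contains stays a literal attribute value.
func safeUserFilter(template, username string) string {
	return strings.ReplaceAll(template, "{user}", escapeFilterValue(username))
}

func main() {
	const tmpl = "(&(objectClass=person)(uid={user}))"
	// Constructed sample names: a plain login and one containing filter metacharacters.
	for _, name := range []string{"alice", "a*)(uid=*"} {
		fmt.Println("unescaped:", unsafeUserFilter(tmpl, name))
		fmt.Println("escaped:  ", safeUserFilter(tmpl, name))
	}
}
```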