SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for vault-0.10.1-lp151.2.5.x86_64.rpm :

* Mon May 21 2018 borisAATTsteki.net- updated to latest released version 0.10.1 too many changes to be added here, please consult CHANGELOG.md- removed patch file too_many_requests.patch
* Tue Mar 22 2016 mrueckertAATTsuse.de- enable the permissions file handling
* Mon Mar 21 2016 mrueckertAATTsuse.de- add systemd service files- add sample config file- add permissions file to set the needed capabilities for mlock
* Sun Mar 20 2016 msabateAATTsuse.com- I forgot to add the too_many_requests.patch file
* Thu Mar 17 2016 msabateAATTsuse.com- Updated to 0.5.2 FEATURES:
*
*
*MSSQL Backend
*
*: Generate dynamic unique MSSQL database credentials based on configured roles [GH-998]
*
*
*Token Accessors
*
*: Vault now provides an accessor with each issued token. This accessor is an identifier that can be used for a limited set of actions, notably for token revocation. This value is by default logged in plaintext to audit logs, and in combination with the plaintext metadata logged to audit logs, provides a searchable and straightforward way to revoke particular users\' or services\' tokens in many cases. At enable time, audit backends can be configured to HMAC the accessor instead.
*
*
*Token Credential Backend Roles
*
*: Roles can now be created in the `token` credential backend that allow modifying token behavior in ways that are not otherwise exposed or easily delegated. This allows creating tokens with a fixed set (or subset) of policies (rather than a subset of the calling token\'s), periodic tokens with a fixed TTL but no expiration, specified prefixes, and orphans.
*
*
*Listener Certificate Reloading
*
*: Vault\'s configured listeners now reload their TLS certificate and private key when the Vault process receives a SIGHUP. IMPROVEMENTS:
* auth/token: Endpoints optionally accept tokens from the HTTP body rather than just from the URLs [GH-1211]
* auth/token,sys/capabilities: Added new endpoints `auth/token/lookup-accessor`, `auth/token/revoke-accessor` and `sys/capabilities-accessor`, which enables performing the respective actions with just the accessor of the tokens, without having access to the actual token [GH-1188]
* core: Ignore leading `/` in policy paths [GH-1170]
* core: Ignore leading `/` in mount paths [GH-1172]
* command/policy-write: Provided HCL is now validated for format violations and provides helpful information around where the violation occurred [GH-1200]
* command/server: The initial root token ID when running in `-dev` mode can now be specified via `-dev-root-token-id` or the environment variable `VAULT_DEV_ROOT_TOKEN_ID` [GH-1162]
* command/server: The listen address when running in `-dev` mode can now be specified via `-dev-listen-address` or the environment variable `VAULT_DEV_LISTEN_ADDRESS` [GH-1169]
* command/server: The configured listeners now reload their TLS certificates/keys when Vault is SIGHUP\'d [GH-1196]
* command/step-down: New `vault step-down` command and API endpoint to force the targeted node to give up active status, but without sealing. The node will wait ten seconds before attempting to grab the lock again. [GH-1146]
* command/token-renew: Allow no token to be passed in; use `renew-self` in this case. Change the behavior for any token being passed in to use `renew`. [GH-1150]
* credential/app-id: Allow `app-id` parameter to be given in the login path; this causes the `app-id` to be part of the token path, making it easier to use with `revoke-prefix` [GH-424]
* credential/cert: Non-CA certificates can be used for authentication. They must be matched exactly (issuer and serial number) for authentication, and the certificate must carry the client authentication or \'any\' extended usage attributes. [GH-1153]
* credential/cert: Subject and Authority key IDs are output in metadata; this allows more flexible searching/revocation in the audit logs [GH-1183]
* credential/cert: Support listing configured certs [GH-1212]
* credential/userpass: Add support for `create`/`update` capability distinction in user path, and add user-specific endpoints to allow changing the password and policies [GH-1216]
* credential/token: Add roles [GH-1155]
* secret/mssql: Add MSSQL backend [GH-998]
* secret/pki: Add revocation time (zero or Unix epoch) to `pki/cert/SERIAL` endpoint [GH-1180]
* secret/pki: Sanitize serial number in `pki/revoke` endpoint to allow some other formats [GH-1187]
* secret/ssh: Added documentation for `ssh/config/zeroaddress` endpoint. [GH-1154]
* sys: Added new endpoints `sys/capabilities` and `sys/capabilities-self` to fetch the capabilities of a token on a given path [GH-1171]
* sys: Added `sys/revoke-force`, which enables a user to ignore backend errors when revoking a lease, necessary in some emergency/failure scenarios [GH-1168]
* sys: The return codes from `sys/health` can now be user-specified via query parameters [GH-1199] BUG FIXES:
* logical/cassandra: Apply hyphen/underscore replacement to the entire generated username, not just the UUID, in order to handle token display name hyphens [GH-1140]
* physical/etcd: Output actual error when cluster sync fails [GH-1141]
* vault/expiration: Not letting the error responses from the backends to skip during renewals [GH-1176]
* Fri Mar 04 2016 msabateAATTsuse.com- Looks like I forgot to add the .changes file...
* Sun Feb 28 2016 msabateAATTsuse.com- Handle the vendor code just like other HC packages
* Sun Feb 28 2016 msabateAATTsuse.com- Updated to 0.5.1: DEPRECATIONS/BREAKING CHANGES:
* RSA keys less than 2048 bits are no longer supported in the PKI backend. 1024-bit keys are considered unsafe and are disallowed in the Internet PKI. The `pki` backend has enforced SHA256 hashes in signatures from the beginning, and software that can handle these hashes should be able to handle larger key sizes. [GH-1095]
* The PKI backend now does not automatically delete expired certificates, including from the CRL. Doing so could lead to a situation where a time mismatch between the Vault server and clients could result in a certificate that would not be considered expired by a client being removed from the CRL. The new `pki/tidy` endpoint can be used to trigger expirations. [GH-1129]
* The `cert` backend now performs a variant of channel binding at renewal time for increased security. In order to not overly burden clients, a notion of identity is used. This functionality can be disabled. See the 0.5.1 upgrade guide for more specific information [GH-1127] FEATURES:
*
*
*Codebase Audit
*
*: Vault\'s 0.5 codebase was audited by iSEC. (The terms of the audit contract do not allow us to make the results public.) [GH-220] IMPROVEMENTS:
* api: The `VAULT_TLS_SERVER_NAME` environment variable can be used to control the SNI header during TLS connections [GH-1131]
* api/health: Add the server\'s time in UTC to health responses [GH-1117]
* command/rekey and command/generate-root: These now return the status at attempt initialization time, rather than requiring a separate fetch for the nonce [GH-1054]
* credential/cert: Don\'t require root/sudo tokens for the `certs/` and `crls/` paths; use normal ACL behavior instead [GH-468]
* credential/github: The validity of the token used for login will be checked at renewal time [GH-1047]
* credential/github: The `config` endpoint no longer requires a root token; normal ACL path matching applies
* deps: Use the standardized Go 1.6 vendoring system
* secret/aws: Inform users of AWS-imposed policy restrictions around STS tokens if they attempt to use an invalid policy [GH-1113]
* secret/mysql: The MySQL backend now allows disabling verification of the `connection_url` [GH-1096]
* secret/pki: Submitted CSRs are now verified to have the correct key type and minimum number of bits according to the role. The exception is intermediate CA signing and the `sign-verbatim` path [GH-1104]
* secret/pki: New `tidy` endpoint to allow expunging expired certificates. [GH-1129]
* secret/postgresql: The PostgreSQL backend now allows disabling verification of the `connection_url` [GH-1096]
* secret/ssh: When verifying an OTP, return 400 if it is not valid instead of 204 [GH-1086]
* credential/app-id: App ID backend will check the validity of app-id and user-id during renewal time [GH-1039]
* credential/cert: TLS Certificates backend, during renewal, will now match the client identity with the client identity used during login [GH-1127] BUG FIXES:
* credential/ldap: Properly escape values being provided to search filters [GH-1100]
* secret/aws: Capping on length of usernames for both IAM and STS types [GH-1102]
* secret/pki: If a cert is not found during lookup of a serial number, respond with a 400 rather than a 500 [GH-1085]
* secret/postgresql: Add extra revocation statements to better handle more permission scenarios [GH-1053]
* secret/postgresql: Make connection_url work properly [GH-1112]
  
ICM