Bump github.com/hashicorp/vault from 0.5.0 to 1.7.6

[dependabot]

Bumps github.com/hashicorp/vault from 0.5.0 to 1.7.6.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.7.6

1.7.6

November 4, 2021

BUG FIXES:

• auth/aws: fix config/rotate-root to store new key [GH-12715]
• core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
• core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
• core: Fix a deadlock on HA leadership transfer [GH-12691]
• http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
• kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
• kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
• kmip (enterprise): Forward KMIP register operations to the active node
• secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12957]
• storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
• database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
• transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.

v1.7.5

1.7.5

29 September 2021

IMPROVEMENTS:

• secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

• agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
• core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
• core (enterprise): Only delete quotas on primary cluster. [GH-12339]
• identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
• raft (enterprise): Fix panic when updating auto-snapshot config
• secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
• secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #28 [GH-12598]
• storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
• ui: Fixed api explorer routing bug [GH-12354]

v1.7.4

1.7.4

26 August 2021

SECURITY:

• UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

CHANGES:

• go: Update go version to 1.15.15 [GH-12411]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.7.6

November 4, 2021

SECURITY:

• core/identity: Templated ACL policies would always match the first-created entity alias if multiple entity aliases existed for a specified entity and mount combination, potentially resulting in incorrect policy enforcement. This vulnerability, CVE-2021-43998, was fixed in Vault and Vault Enterprise 1.7.6, 1.8.5, and 1.9.0.

BUG FIXES:

• auth/aws: fix config/rotate-root to store new key [GH-12715]
• core/identity: Cleanup alias in the in-memory entity after an alias deletion by ID [GH-12834]
• core/identity: Disallow entity alias creation/update if a conflicting alias exists for the target entity and mount combination [GH-12747]
• core: Fix a deadlock on HA leadership transfer [GH-12691]
• http (enterprise): Always forward internal/counters endpoints from perf standbys to active node
• kmip (enterprise): Fix handling of custom attributes when servicing GetAttributes requests
• kmip (enterprise): Fix handling of invalid role parameters within various vault api calls
• kmip (enterprise): Forward KMIP register operations to the active node
• secrets/keymgmt (enterprise): Fix support for Azure Managed HSM Key Vault instances. [GH-12957]
• storage/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
• database/postgres: Update postgres library (github.com/lib/pq) to properly remove terminated TLS connections from the connection pool. [GH-12413]
• transform (enterprise): Fix an error where the decode response of an expired token is an empty result rather than an error.

1.7.5

29 September 2021

SECURITY:

• core/identity: A Vault user with write permission to an entity alias ID sharing a mount accessor with another user may acquire this other user’s policies by merging their identities. This vulnerability, CVE-2021-41802, was fixed in Vault and Vault Enterprise 1.7.5 and 1.8.4.

IMPROVEMENTS:

• secrets/pki: Allow signing of self-issued certs with a different signature algorithm. [GH-12514]

BUG FIXES:

• agent: Avoid possible unexpected fault address panic when using persistent cache. [GH-12534]
• core (enterprise): Fix bug where password generation through password policies do not work on namespaces if performed outside a request callback or from an external plugin. [GH-12635]
• core (enterprise): Only delete quotas on primary cluster. [GH-12339]
• identity: Fail alias rename if the resulting (name,accessor) exists already [GH-12473]
• raft (enterprise): Fix panic when updating auto-snapshot config
• secrets/db: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. [GH-12563]
• secrets/openldap: Fix bug where Vault can rotate static role passwords early during start up under certain conditions. #28 [GH-12598]
• storage/raft: Detect incomplete raft snapshots in api.RaftSnapshot(), and thereby in vault operator raft snapshot save. [GH-12388]
• ui: Fixed api explorer routing bug [GH-12354]

1.7.4

26 August 2021

SECURITY:

... (truncated)

Commits

• 2c49e3f updating go.mod for 1.7.6 (#13005)
• 6bcf308 updating version (#12997)
• fe735a9 go-kms-wrapping update for Azure Key Vault's Managed HSM offering [backport 1...
• 1c7a0da Backport 1.7.x: Fix auth/aws so that config/rotate-root saves new key pair (#...
• 4bc866b Backport 12834 17x (#12870)
• 6d76709 Update dependency go-mssqldb to v0.11.0 in release/1.7.x (#12874)
• 6a575c6 [VAULT-3252] Disallow alias creation if entity/accessor combination exists (#...
• a1488e2 UI update changelog link (#12766) (#12776)
• 6a45bae build: update base image: debian:bullseye-20210927 (#12737)
• 4a28f6c Upgrade pq to fix connection failure cleanup bug (v1.8.0 => v1.10.3) (#12413)...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.