Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rebase: bump github.com/hashicorp/vault from 1.9.9 to 1.11.9 #3806

Merged
merged 1 commit into from
May 11, 2023
Merged

rebase: bump github.com/hashicorp/vault from 1.9.9 to 1.11.9 #3806

merged 1 commit into from
May 11, 2023

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 9, 2023
edited
Loading

Bumps github.com/hashicorp/vault from 1.9.9 to 1.11.9.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.11.9

1.11.9

March 29, 2023

IMPROVEMENTS:

  • auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id website/docs: Add docs for VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
  • core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
  • core: validate name identifiers in mssql physical storage backend prior use [GH-19591]

BUG FIXES:

  • auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [#190] [GH-19720]
  • cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [GH-17913]
  • core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
  • core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
  • openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
  • secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
  • ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
  • ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
  • ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]

v1.11.8

1.11.8

March 01, 2023

CHANGES:

  • core: Bump Go version to 1.19.6.

IMPROVEMENTS:

  • secrets/database: Adds error message requiring password on root crednetial rotation. [GH-19103]

BUG FIXES:

  • auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [GH-19186]
  • core (enterprise): Fix panic when using invalid accessor for control-group request
  • core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
  • core: Prevent panics in sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]
  • license (enterprise): Fix bug where license would update even if the license didn't change.
  • replication (enterprise): Fix bug where reloading external plugin on a secondary would break replication.
  • secrets/ad: Fix bug where config couldn't be updated unless binddn/bindpass were included in the update. [GH-18208]
  • ui (enterprise): Fix cancel button from transform engine role creation page [GH-19135]
  • ui: Fix bug where logging in via OIDC fails if browser is in fullscreen mode [GH-19071]
  • ui: show Get credentials button for static roles detail page when a user has the proper permissions. [GH-19190]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.11.9

March 29, 2023

SECURITY:

  • storage/mssql: When using Vault’s community-supported Microsoft SQL (MSSQL) database storage backend, a privileged attacker with the ability to write arbitrary data to Vault’s configuration may be able to perform arbitrary SQL commands on the underlying database server through Vault. This vulnerability, CVE-2023-0620, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-12]
  • secrets/pki: Vault’s PKI mount issuer endpoints did not correctly authorize access to remove an issuer or modify issuer metadata, potentially resulting in denial of service of the PKI mount. This bug did not affect public or private key material, trust chains or certificate issuance. This vulnerability, CVE-2023-0665, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-11]
  • core: HashiCorp Vault’s implementation of Shamir’s secret sharing used precomputed table lookups, and was vulnerable to cache-timing attacks. An attacker with access to, and the ability to observe a large number of unseal operations on the host through a side channel may reduce the search space of a brute force effort to recover the Shamir shares. This vulnerability, CVE-2023-25000, is fixed in Vault 1.13.1, 1.12.5, and 1.11.9. [HCSEC-2023-10]

IMPROVEMENTS:

  • auth/github: Allow for an optional Github auth token environment variable to make authenticated requests when fetching org id website/docs: Add docs for VAULT_AUTH_CONFIG_GITHUB_TOKEN environment variable when writing Github config [GH-19244]
  • core: Allow overriding gRPC connect timeout via VAULT_GRPC_MIN_CONNECT_TIMEOUT. This is an env var rather than a config setting because we don't expect this to ever be needed. It's being added as a last-ditch option in case all else fails for some replication issues we may not have fully reproduced. [GH-19676]
  • core: validate name identifiers in mssql physical storage backend prior use [GH-19591]

BUG FIXES:

  • auth/kubernetes: Ensure a consistent TLS configuration for all k8s API requests [#190] [GH-19720]
  • cli: Fix vault read handling to return raw data as secret.Data when there is no top-level data object from api response. [GH-17913]
  • core (enterprise): Attempt to reconnect to a PKCS#11 HSM if we retrieve a CKR_FUNCTION_FAILED error.
  • core: Fixed issue with remounting mounts that have a non-trailing space in the 'to' or 'from' paths. [GH-19585]
  • openapi: Fix logic for labeling unauthenticated/sudo paths. [GH-19600]
  • secrets/transform (enterprise): Fix persistence problem with rotated tokenization key versions
  • ui: fixes issue navigating back a level using the breadcrumb from secret metadata view [GH-19703]
  • ui: pass encodeBase64 param to HMAC transit-key-actions. [GH-19429]
  • ui: use URLSearchParams interface to capture namespace param from SSOs (ex. ADFS) with decoded state param in callback url [GH-19460]

1.11.8

March 01, 2023

SECURITY:

  • auth/approle: When using the Vault and Vault Enterprise (Vault) approle auth method, any authenticated user with access to the /auth/approle/role/:role_name/secret-id-accessor/destroy endpoint can destroy the secret ID of any other role by providing the secret ID accessor. This vulnerability, CVE-2023-24999 has been fixed in Vault 1.13.0, 1.12.4, 1.11.8, 1.10.11 and above. [HSEC-2023-07]

CHANGES:

  • core: Bump Go version to 1.19.6.

IMPROVEMENTS:

  • secrets/database: Adds error message requiring password on root crednetial rotation. [GH-19103]

BUG FIXES:

  • auth/approle: Add nil check for the secret ID entry when deleting via secret id accessor preventing cross role secret id deletion [GH-19186]
  • core (enterprise): Fix panic when using invalid accessor for control-group request
  • core (enterprise): Fix perf standby WAL streaming silently failures when replication setup happens at a bad time.
  • core: Prevent panics in sys/leases/lookup, sys/leases/revoke, and sys/leases/renew endpoints if provided lease_id is null [GH-18951]

... (truncated)

Commits
  • 3eed40f auth/kubernetes: upgrade to v0.13.3 (#19720)
  • 030a41b backport of commit 85c3eab989de0c90d82b0cb39cabb79fb3911943 (#19714)
  • 36709b9 Backport of Add tests for PKI endpoint authentication via OpenAPI into releas...
  • ab7cb07 backport of commit 0c69cf10488c1b36ea112a98a2ea156e7eec8d74 (#19709)
  • 947beba Backport of Allow overriding gRPC's connection timeout with VAULT_GRPC_MIN_CO...
  • 85fcea4 Regression bug fix OIDC namespace (#19460) (#19694)
  • 87b77ff Backport of openapi: Fix logic for labeling unauthenticated/sudo paths into r...
  • e9bc68f backport of commit e9d6dbce23d5cca2afbccf656a5056d226580149 (#19652)
  • 96bcc7c Document the 'convergent' tokenization transform option (#19249) (#19255)
  • 6d2bd44 backport of commit 3e72c764433b4ea15c822377a33ed073098c4568 (#19621)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added the rebase update the version of an external component label May 9, 2023
nixpanic
nixpanic previously approved these changes May 9, 2023
View reviewed changes
@nixpanic nixpanic requested a review from a team May 9, 2023 11:14
Madhu-1
Madhu-1 previously approved these changes May 9, 2023
View reviewed changes
@nixpanic
Copy link
Member

@dependabot recreate

Conflict in vendor/modules.txt

@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/hashicorp/vault-1.11.9 branch from 7bf3b41 to 6203b99 Compare May 10, 2023 07:55
@mergify mergify bot dismissed stale reviews from Madhu-1 and nixpanic May 10, 2023 07:56

Pull request has been modified.

@nixpanic
Copy link
Member

@Mergifyio rebase

@mergify
Copy link
Contributor

mergify bot commented May 10, 2023

rebase

❌ Base branch update has failed

err-code: B3683

@nixpanic nixpanic added the ok-to-test Label to trigger E2E tests label May 10, 2023
@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.24

@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.25

@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.26

@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.27

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.24

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.25

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.26

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.27

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.24

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.25

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.26

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.27

@github-actions
Copy link

/test ci/centos/upgrade-tests-cephfs

@github-actions
Copy link

/test ci/centos/upgrade-tests-rbd

@github-actions github-actions bot removed the ok-to-test Label to trigger E2E tests label May 10, 2023
mergify bot added a commit that referenced this pull request May 10, 2023
@mergify
Merge of #3806
57c450a
@mergify mergify bot mentioned this pull request May 10, 2023
Closed
29 tasks
@nixpanic
Copy link
Member

@Mergifyio rebase

@dependabot @nixpanic
rebase: bump github.com/hashicorp/vault from 1.9.9 to 1.11.9
3a92e62 
Bumps [github.com/hashicorp/vault](https://github.com/hashicorp/vault) from 1.9.9 to 1.11.9.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v1.9.9...v1.11.9)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@mergify
Copy link
Contributor

mergify bot commented May 11, 2023

rebase

✅ Branch has been successfully rebased

@nixpanic nixpanic force-pushed the dependabot/go_modules/github.com/hashicorp/vault-1.11.9 branch from 6203b99 to 3a92e62 Compare May 11, 2023 08:10
@nixpanic nixpanic added the ok-to-test Label to trigger E2E tests label May 11, 2023
@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.24

@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.25

@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.26

@github-actions
Copy link

/test ci/centos/k8s-e2e-external-storage/1.27

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.24

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.25

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.26

@github-actions
Copy link

/test ci/centos/mini-e2e-helm/k8s-1.27

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.24

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.25

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.26

@github-actions
Copy link

/test ci/centos/mini-e2e/k8s-1.27

@github-actions
Copy link

/test ci/centos/upgrade-tests-cephfs

@github-actions
Copy link

/test ci/centos/upgrade-tests-rbd

@github-actions github-actions bot removed the ok-to-test Label to trigger E2E tests label May 11, 2023
@nixpanic
Copy link
Member

@Mergifyio queue

@mergify
Copy link
Contributor

mergify bot commented May 11, 2023
edited
Loading

queue

✅ The pull request has been merged automatically

The pull request has been merged automatically at 9b6795c

@mergify mergify bot merged commit 9b6795c into devel May 11, 2023
@mergify mergify bot deleted the dependabot/go_modules/github.com/hashicorp/vault-1.11.9 branch May 11, 2023 10:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@riya-singhal31 riya-singhal31 riya-singhal31 approved these changes

@nixpanic nixpanic nixpanic approved these changes

@Madhu-1 Madhu-1 Madhu-1 left review comments

Assignees
No one assigned
Labels
rebase update the version of an external component
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nixpanic @Madhu-1 @riya-singhal31