
fix(deps): update module github.com/hashicorp/vault to v1.16.3 [security] - autoclosed #456

Closed


@renovate renovate bot commented Aug 6, 2024

Mend Renovate

This PR contains the following updates:

Package                     Change
github.com/hashicorp/vault  v1.16.1 -> v1.16.3

GitHub Vulnerability Alerts

CVE-2024-5798

Vault and Vault Enterprise did not properly validate the JSON Web Token (JWT) role-bound audience claim when using the Vault JWT auth method. This may have resulted in Vault validating a JWT whose audience and role-bound claims do not match, allowing an invalid login to succeed when it should have been rejected.

This vulnerability, CVE-2024-5798, was fixed in Vault and Vault Enterprise 1.17.0, 1.16.3, and 1.15.9.
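The check the advisory above is about, written out as an added illustration (this is not Vault's or the auth/jwt plugin's code): a role's bound audience list is enforced against the token's aud claim, in either of the two forms RFC 7519 allows for that claim, and a token whose aud matches none of the role's audiences is refused. The claims JSON, the role's audience list and the function names are assumptions made for the example.

```go
package main

import "encoding/json"
import "fmt"

// audienceClaim accepts the RFC 7519 "aud" claim as a string or an array.
type audienceClaim []string

func (a *audienceClaim) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = audienceClaim{one}
		return nil
	}
	var many []string
	err := json.Unmarshal(b, &many) // anything else (number, object) is an error
	*a = audienceClaim(many)
	return err
}

// checkBoundAudience: when the role binds audiences, at least one aud value must
// match one of them, so a token carrying no aud at all is rejected as well.
func checkBoundAudience(boundAudiences, tokenAud []string) error {
	if len(boundAudiences) == 0 {
		return nil // role places no audience restriction
	}
	for _, got := range tokenAud {
		for _, want := range boundAudiences {
			if got == want {
				return nil
			}
		}
	}
	return fmt.Errorf("aud %v matches none of the role-bound audiences %v", tokenAud, boundAudiences)
}

// validateClaims applies the check to an already signature-verified payload.
func validateClaims(claimsJSON []byte, boundAudiences []string) error {
	var c struct{ Audience audienceClaim `json:"aud"` }
	if err := json.Unmarshal(claimsJSON, &c); err != nil {
		return fmt.Errorf("payload is not valid claims JSON: %w", err)
	}
	return checkBoundAudience(boundAudiences, c.Audience)
}

func main() {
	// Constructed sample: token for another service vs. a role bound to "vault".
	err := validateClaims([]byte(`{"sub":"ci-runner","aud":["billing-api"]}`), []string{"vault"})
	fmt.Println("login allowed:", err == nil, err)
}
```

Signature verification is deliberately left out: the point of the advisory is that a correctly signed token must still be refused when its audience does not match the role.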

CVE-2024-6468

Vault and Vault Enterprise did not properly handle requests originating from unauthorized IP addresses when the TCP listener option, proxy_protocol_behavior, was set to deny_unauthorized. When receiving a request from a source IP address that was not listed in proxy_protocol_authorized_addrs, the Vault API server would shut down and no longer respond to any HTTP requests, potentially resulting in denial of service.

While this bug also affected versions of Vault up to 1.17.1 and 1.16.5, a separate regression in those release series did not allow Vault operators to configure the deny_unauthorized option, thus not allowing the conditions for the denial of service to occur.

Fixed in Vault and Vault Enterprise 1.17.2, 1.16.6, and 1.15.12.


Release Notes

hashicorp/vault (github.com/hashicorp/vault)

v1.16.3 (May 30, 2024)

CHANGES:

  • auth/jwt: Update plugin to v0.20.3 [GH-26890]
  • core/identity: improve performance for secondary nodes receiving identity related updates through replication [GH-27184]
  • core: Bump Go version to 1.22.2.

IMPROVEMENTS:

  • secrets/pki (enterprise): Disable warnings about unknown parameters to the various CIEPS endpoints
  • ui: Update PGP display and show error for Generate Operation Token flow with PGP [GH-26993]

BUG FIXES:

  • activity (enterprise): fix read-only storage error on upgrades
  • auto-auth: Addressed issue where having no permissions to renew a renewable token caused auto-auth to attempt to renew constantly with no backoff [GH-26844]
  • core (enterprise): Fix an issue that prevented the seal re-wrap status from reporting that a re-wrap is in progress for up to a second.
  • core/audit: Audit logging a Vault request/response will now use a minimum 5 second context timeout. If the existing context deadline occurs later than 5s in the future, it will be used, otherwise a new context, separate from the original will be used. [GH-26616]
  • core: Add missing field delegated_auth_accessors to GET /sys/mounts/:path API response [GH-26876]
  • core: Address a data race updating a seal's last seen healthy time attribute [GH-27014]
  • core: Fix redact_version listener parameter being ignored for some OpenAPI related endpoints. [GH-26607]
  • events (enterprise): Fix bug preventing subscribing and receiving events within a namespace.
  • pki: Fix error in cross-signing using ed25519 keys [GH-27093]
  • replication (enterprise): fix "given mount path is not in the same namespace as the request" error that can occur when enabling replication for the first time on a secondary cluster
  • secrets-sync (enterprise): Secondary nodes in a cluster now properly check activation-flags values.
  • secrets/azure: Update vault-plugin-secrets-azure to 0.17.2 to include a bug fix for azure role creation [GH-26896]
  • secrets/pki (enterprise): cert_role parameter within authenticators.cert EST configuration handler could not be set
  • secrets/transit: Use 'hash_algorithm' parameter if present in HMAC verify requests. Otherwise fall back to deprecated 'algorithm' parameter. [GH-27211]
  • ui: Fix KVv2 cursor jumping inside json editor after initial input. [GH-27120]
  • ui: Fix KVv2 json editor to allow null values. [GH-27094]
  • ui: Fix broken help link in console for the web command. [GH-26858]
  • ui: Fix link to v2 generic secrets engine from secrets list page. [GH-27019]
  • ui: Prevent perpetual loading screen when Vault needs initialization [GH-26985]
  • ui: Refresh model within a namespace on the Secrets Sync overview page. [GH-26790]

v1.16.2



Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.


renovate bot commented Aug 6, 2024

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 10 additional dependencies were updated

Details:

Package                                                   Change
github.com/distribution/reference                         v0.5.0 -> v0.6.0
github.com/jackc/pgservicefile                            v0.0.0-20221227161230-091c0ba34f0a -> v0.0.0-20231201235250-de7065d80cb9
github.com/jackc/pgtype                                   v1.14.0 -> v1.14.3
go.opentelemetry.io/otel                                  v1.23.1 -> v1.24.0
go.opentelemetry.io/otel/metric                           v1.23.1 -> v1.24.0
go.opentelemetry.io/otel/trace                            v1.23.1 -> v1.24.0
github.com/hashicorp/go-kms-wrapping/wrappers/gcpckms/v2  v2.0.11 -> v2.0.12
golang.org/x/sync                                         v0.6.0 -> v0.7.0
google.golang.org/grpc                                    v1.61.0 -> v1.61.1
google.golang.org/protobuf                                v1.33.0 -> v1.34.1

@renovate renovate bot requested a review from a team as a code owner August 6, 2024 09:01
@renovate renovate bot added the dependencies Indicates a change to dependencies label Aug 6, 2024

codecov bot commented Aug 6, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 44.07%. Comparing base (11e7d3a) to head (82ad120).
Report is 1 commits behind head on main.


@@           Coverage Diff           @@
##             main     #456   +/-   ##
=======================================
  Coverage   44.07%   44.07%           
=======================================
  Files           7        7           
  Lines         211      211           
=======================================
  Hits           93       93           
  Misses        103      103           
  Partials       15       15           

@timhuynh94 (Contributor) commented:

@dependabot rebase

@renovate renovate bot force-pushed the renovate/go-github.com-hashicorp-vault-vulnerability branch from 897a6ca to 9b30a58 Compare August 14, 2024 21:34
@renovate renovate bot force-pushed the renovate/go-github.com-hashicorp-vault-vulnerability branch from 9b30a58 to 82ad120 Compare August 14, 2024 21:36
@renovate renovate bot changed the title fix(deps): update module github.com/hashicorp/vault to v1.16.3 [security] fix(deps): update module github.com/hashicorp/vault to v1.16.3 [security] - autoclosed Aug 20, 2024
@renovate renovate bot closed this Aug 20, 2024
@renovate renovate bot deleted the renovate/go-github.com-hashicorp-vault-vulnerability branch August 20, 2024 18:19