
Bump github.com/hashicorp/vault/api/auth/approle from 0.5.0 to 0.6.0 #1713

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Feb 12, 2024

Bumps github.com/hashicorp/vault/api/auth/approle from 0.5.0 to 0.6.0.

Changelog

Sourced from github.com/hashicorp/vault/api/auth/approle's changelog.

0.6.0 (June 14th, 2016)

SECURITY:

  • Although sys/revoke-prefix was intended to revoke prefixes of secrets (via lease IDs, which incorporate path information) and auth/token/revoke-prefix was intended to revoke prefixes of tokens (using the tokens' paths and, since 0.5.2, role information), in implementation they both behaved exactly the same way since a single component in Vault is responsible for managing lifetimes of both, and the type of the tracked lifetime was not being checked. The end result was that either endpoint could revoke both secret leases and tokens. We consider this a very minor security issue as there are a number of mitigating factors: both endpoints require sudo capability in addition to write capability, preventing blanket ACL path globs from providing access; both work by using the prefix to revoke as a part of the endpoint path, allowing them to be properly ACL'd; and both are intended for emergency scenarios and users should already not generally have access to either one. In order to prevent confusion, we have simply removed auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be meant for both leases and tokens instead.

DEPRECATIONS/CHANGES:

  • auth/token/revoke-prefix has been removed. See the security notice for details. GH-1280
  • Vault will now automatically register itself as the vault service when using the consul backend and will perform its own health checks. See the Consul backend documentation for information on how to disable auto-registration and service checks.
  • List operations that do not find any keys now return a 404 status code rather than an empty response object GH-1365
  • CA certificates issued from the pki backend no longer have associated leases, and any CA certs already issued will ignore revocation requests from the lease manager. This is to prevent CA certificates from being revoked when the token used to issue the certificate expires; it was not obvious to users that they needed to ensure that the token lifetime was at least as long as a potentially very long-lived CA cert.

FEATURES:

  • AWS EC2 Auth Backend: Provides a secure introduction mechanism for AWS EC2 instances allowing automated retrieval of Vault tokens. Unlike most Vault authentication backends, this backend does not require first deploying or provisioning security-sensitive credentials (tokens, username/password, client certificates, etc). Instead, it treats AWS as a Trusted Third Party and uses the cryptographically signed dynamic metadata information that uniquely represents each EC2 instance. Vault Enterprise customers have access to a turnkey client that speaks the backend API and makes access to a Vault token easy.

... (truncated)

Commits
  • f627c01 Cut version 0.6.0
  • 5b7e680 Add updated wrapping information
  • 926e56e Merge pull request #1520 from hashicorp/wrapinfo-accessor
  • 65cdcd6 Add some commenting
  • 47dc1cc Add token accessor to wrap information if one exists
  • 4f039d0 Merge pull request #1518 from hashicorp/fix-bound-ami-id
  • e521894 Added bound_ami_id check
  • 117200c Fix mah broken tests
  • c6ded38 cubbyhole-response-wrapping -> response-wrapping
  • 1e67cd8 Merge pull request #1513 from hashicorp/field-data-get-default
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
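The security notice in the quoted changelog describes a type-confusion bug in lifetime tracking: one component managed both secret leases and tokens, and prefix revocation never checked which kind of lifetime it was deleting, so either endpoint could revoke both. The following Go program is an added illustration, not code from Vault or from this PR; it models a toy lifetime store with an unchecked prefix revoke (the pre-0.6 behaviour the notice describes) beside a variant that checks the tracked kind. The `Manager`, `Kind` and the sample IDs are assumptions for illustration; note that Vault itself resolved the confusion by removing auth/token/revoke-prefix rather than by adding a kind check.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Kind says what a tracked lifetime belongs to. The changelog notice says the
// real lifetime manager tracked both kinds but did not consult the kind when
// revoking by prefix.
type Kind int

const (
	KindLease Kind = iota // a secret lease, e.g. "secret/creds/db/<id>"
	KindToken             // a token lifetime, e.g. "auth/token/create/<id>"
)

// Manager is a hypothetical stand-in for the single component that manages
// lifetimes of both secret leases and tokens (assumption, not Vault's code).
type Manager struct {
	entries map[string]Kind // tracked ID -> kind
}

func NewManager() *Manager { return &Manager{entries: map[string]Kind{}} }

// Register tracks an ID of the given kind.
func (m *Manager) Register(id string, k Kind) { m.entries[id] = k }

// Has reports whether an ID is still tracked, i.e. has not been revoked.
func (m *Manager) Has(id string) bool { _, ok := m.entries[id]; return ok }

// RevokePrefixUnchecked mirrors the behaviour the notice describes: every
// tracked ID under prefix is revoked regardless of kind, so the "secrets"
// endpoint and the "tokens" endpoint were interchangeable.
func (m *Manager) RevokePrefixUnchecked(prefix string) []string {
	var revoked []string
	for id := range m.entries { // deleting during range is safe in Go
		if strings.HasPrefix(id, prefix) {
			delete(m.entries, id)
			revoked = append(revoked, id)
		}
	}
	sort.Strings(revoked)
	return revoked
}

// RevokePrefixOfKind only revokes entries whose kind matches the caller's
// intent; this is the check whose absence the notice describes.
func (m *Manager) RevokePrefixOfKind(prefix string, want Kind) []string {
	var revoked []string
	for id, k := range m.entries {
		if k == want && strings.HasPrefix(id, prefix) {
			delete(m.entries, id)
			revoked = append(revoked, id)
		}
	}
	sort.Strings(revoked)
	return revoked
}

// sampleManager builds a store with constructed sample IDs (not real Vault
// lease IDs) so the two behaviours can be compared.
func sampleManager() *Manager {
	m := NewManager()
	m.Register("secret/creds/db/1", KindLease)
	m.Register("secret/creds/db/2", KindLease)
	m.Register("auth/token/create/abc", KindToken)
	return m
}

func main() {
	// A caller using the "secret lease" endpoint with a token prefix:
	// unchecked, it revokes the token anyway.
	m := sampleManager()
	fmt.Println("unchecked:", m.RevokePrefixUnchecked("auth/token/create"))

	// With the kind check, the same request revokes nothing, and the token
	// survives; a lease prefix of the right kind still works.
	m = sampleManager()
	fmt.Println("checked (lease kind):", m.RevokePrefixOfKind("auth/token/create", KindLease))
	fmt.Println("token still tracked:", m.Has("auth/token/create/abc"))
	fmt.Println("checked (lease kind):", m.RevokePrefixOfKind("secret/creds/db", KindLease))
}
```

The mitigating factors the notice lists (sudo capability on both endpoints, the prefix being part of the ACL'd path) limit who can reach the unchecked path; the kind check above would have closed the remaining gap for callers who legitimately hold one of the two endpoints but not the other.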

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Feb 12, 2024
@github-actions github-actions bot added the needs triage Waiting for discussion / prioritization by team label Feb 12, 2024
hslatman
hslatman previously approved these changes Feb 12, 2024
Bumps [github.com/hashicorp/vault/api/auth/approle](https://github.com/hashicorp/vault) from 0.5.0 to 0.6.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG-v0.md)
- [Commits](hashicorp/vault@v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api/auth/approle
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/hashicorp/vault/api/auth/approle-0.6.0 branch from 5907f3a to a3bed40 Compare February 12, 2024 18:26
@github-actions github-actions bot merged commit 490d065 into master Feb 13, 2024
13 checks passed
@github-actions github-actions bot deleted the dependabot/go_modules/github.com/hashicorp/vault/api/auth/approle-0.6.0 branch February 13, 2024 00:08
@hslatman hslatman added this to the v0.25.3 milestone Feb 20, 2024