1.13.10
November 09, 2023
SECURITY:
- core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]
CHANGES:
- auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
- secrets/mongodbatlas: Update plugin to v0.9.2 [GH-23849]
FEATURES:
- cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]
IMPROVEMENTS:
- storage/etcd: etcd should only return keys when calling List() [GH-23872]
BUG FIXES:
- api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured on the request. [GH-23861]
- core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
- core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
- core/mounts: Fix a 500 error returned by the secondary when reading an "auth" mount via "sys/internal/ui/mounts/" while filter paths are enforced [GH-23802]
- core: Revert PR causing memory consumption bug [GH-23986]
- core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
- core: fix bug where deadlock detection was always on for expiration and quotas. These can now be configured individually with detect_deadlocks. [GH-23902]
- core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
- expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]