1.15.7 Enterprise
March 28, 2024
SECURITY:
- auth/cert: validate OCSP response was signed by the expected issuer and serial number matched request [GH-26091]
IMPROVEMENTS:
- auth/cert: Allow validation with OCSP responses with no NextUpdate time [GH-25912]
- core (enterprise): Avoid seal rewrapping in some specific unnecessary cases.
- core (enterprise): persist seal rewrap status, so rewrap status API is consistent on secondary nodes.
- ui: remove leading slash from KV version 2 secret paths [GH-25874]
BUG FIXES:
- audit: Operator changes to configured audit headers (via /sys/config/auditing) will now force invalidation and be reloaded from storage when data is replicated to other nodes.
- auth/cert: Address an issue in which OCSP query responses were not cached [GH-25986]
- auth/cert: Allow cert auth login attempts if ocsp_fail_open is true and OCSP servers are unreachable [GH-25982]
- cli: fixes plugin register CLI failure to error when plugin image doesn't exist [GH-24990]
- core (enterprise): fix issue where the Seal HA rewrap system may remain running when an active node steps down.
- core/login: Fixed a potential deadlock when a login fails and user lockout is enabled. [GH-25697]
- replication (enterprise): fixed data integrity issue with the processing of identity aliases causing duplicates to occur in rare cases
- ui: Fix kubernetes auth method roles tab [GH-25999]
- ui: call resultant-acl without namespace header when user mounted at root namespace [GH-25766]