1.5.9
May 20th, 2021
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
leases and dynamic secret leases with a zero-second TTL, causing them to be
treated as non-expiring, and never revoked. This issue affects Vault and Vault
Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
1.7.2 (CVE-2021-32923).
CHANGES:
- agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
- auth/gcp: Update to v0.7.2 to use IAM Service Account Credentials API for
signing JWTs [GH-11499]
BUG FIXES:
- core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
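
The bug class behind the SECURITY item and the core fix above (CVE-2021-32923, GH-11650), modeled as an added Go example that is not Vault's code. The Lease type, the function names and the sub-second truncation that yields the zero TTL are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Lease is a simplified model for this example, not Vault's internal type.
type Lease struct {
	IssueTime  time.Time
	MaxTTL     time.Duration
	ExpireTime time.Time // zero value means "never expires" (assumed convention)
}

var ErrLeaseExpiring = errors.New("lease too close to expiry to renew")

// cappedTTL limits the requested increment to the time left before the hard
// maximum, then truncates to whole seconds (assumed source of the zero TTL).
func cappedTTL(l *Lease, now time.Time, increment time.Duration) time.Duration {
	remaining := l.IssueTime.Add(l.MaxTTL).Sub(now)
	if increment > remaining {
		increment = remaining
	}
	return increment.Truncate(time.Second)
}

// RenewVulnerable stores the result unchecked: a zero-second TTL leaves
// ExpireTime unset, so the lease is treated as non-expiring and never revoked.
func RenewVulnerable(l *Lease, now time.Time, increment time.Duration) {
	l.ExpireTime = time.Time{}
	if ttl := cappedTTL(l, now, increment); ttl != 0 {
		l.ExpireTime = now.Add(ttl)
	}
}

// RenewHardened rejects the renewal and keeps the existing expiry instead.
func RenewHardened(l *Lease, now time.Time, increment time.Duration) error {
	ttl := cappedTTL(l, now, increment)
	if ttl <= 0 {
		return ErrLeaseExpiring
	}
	l.ExpireTime = now.Add(ttl)
	return nil
}

func main() {
	issued := time.Date(2021, 5, 20, 12, 0, 0, 0, time.UTC) // constructed sample
	l := &Lease{IssueTime: issued, MaxTTL: time.Hour, ExpireTime: issued.Add(time.Hour)}
	RenewVulnerable(l, issued.Add(time.Hour-400*time.Millisecond), 30*time.Minute)
	fmt.Println("non-expiring after renewal:", l.ExpireTime.IsZero())
}
```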