1.6.5
May 20th, 2021
SECURITY:
- Non-Expiring Leases: Vault and Vault Enterprise renewed nearly-expiring token
leases and dynamic secret leases with a zero-second TTL, causing them to be
treated as non-expiring, and never revoked. This issue affects Vault and Vault
Enterprise versions 0.10.0 through 1.7.1, and is fixed in 1.5.9, 1.6.5, and
1.7.2 (CVE-2021-32923).
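
A version check built from the ranges in the advisory above, as an added example that is not part of the Vault release notes or HashiCorp's code. The host names and versions in the sample inventory are constructed, and treating `+ent`-style build suffixes as irrelevant to the affected status is an assumption.

```python
import re

# Ranges taken from the advisory text above (CVE-2021-32923).
FIRST_AFFECTED = (0, 10, 0)
LAST_AFFECTED = (1, 7, 1)
# Fixed patch release per minor line; a version at or above the fix on its
# own line is not affected even though it sorts below LAST_AFFECTED.
FIXED_IN = {(1, 5): 9, (1, 6): 5, (1, 7): 2}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:\+[0-9A-Za-z.]+)?")


def parse_version(text):
    """Parse 'v1.6.4' or '1.6.4+ent' into (1, 6, 4).

    Assumption: build metadata after '+' (e.g. '+ent') does not change the
    affected status, since the advisory names both Vault and Vault Enterprise.
    Pre-release strings such as '1.7.2-rc1' are rejected rather than guessed.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True if the version falls in the affected range and predates its line's fix."""
    version = parse_version(text)
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return False
    fixed_patch = FIXED_IN.get(version[:2])
    return fixed_patch is None or version[2] < fixed_patch


def audit(inventory):
    """Return the names of hosts whose reported version is affected."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "vault-a": "1.6.4", "vault-b": "1.6.5", "vault-c": "v1.5.9+ent",
    "vault-d": "1.7.1", "vault-e": "0.9.6", "vault-f": "1.4.7",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

A plain range comparison against 0.10.0 through 1.7.1 would wrongly flag 1.5.9 and 1.6.5, which is why the fix is looked up per minor line.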
CHANGES:
- agent: Update to use IAM Service Account Credentials endpoint for signing JWTs
when using GCP Auto-Auth method [GH-11473]
- auth/gcp: Update to v0.8.1 to use IAM Service Account Credentials API for
signing JWTs [GH-11498]
BUG FIXES:
- core (enterprise): Fix plugins mounted in namespaces being unable to use password policies [GH-11596]
- core: correct logic for renewal of leases nearing their expiration time. [GH-11650]
- secrets/database: Fix marshalling to allow providing numeric arguments to external database plugins. [GH-11451]
- secrets/database: Fixes issue for V4 database interface where `SetCredentials` wasn't falling back to using `RotateRootCredentials` if `SetCredentials` is `Unimplemented` [GH-11585]
- ui: Fix namespace-bug on login [GH-11182]