hashicorp/vault v1.7.4 on GitHub

1.7.4

SECURITY:

UI Secret Caching: The Vault UI erroneously cached and exposed user-viewed secrets between authenticated sessions in a single shared browser, if the browser window / tab was not refreshed or closed between logout and a subsequent login. This vulnerability, CVE-2021-38554, was fixed in Vault 1.8.0 and will be addressed in pending 1.7.4 / 1.6.6 releases.

CHANGES:

IMPROVEMENTS:

BUG FIXES:

replication (enterprise): Fix a panic that could occur when checking the last wal and the log shipper buffer is empty.
cli: vault debug now puts newlines after every captured log line. [GH-12175]
database/couchbase: change default template to truncate username at 128 characters [GH-12299]
physical/raft: Fix safeio.Rename error when restoring snapshots on windows [GH-12377]
secrets/database/cassandra: Fixed issue where the PEM parsing logic of pem_bundle and pem_json didn't work for CA-only configurations [GH-11861]
secrets/database: Fixed an issue that prevented external database plugin processes from restarting after a shutdown. [GH-12087]
ui: Automatically refresh the page when user logs out [GH-12035]
ui: Fix database role CG access [GH-12111]
ui: Fixes metrics page when read on counter config not allowed [GH-12348]
ui: fix control group access for database credential [GH-12024]
ui: fix oidc login with Safari [GH-11884]

CHANGES:

IMPROVEMENTS:

db/cassandra: Added tls_server_name to specify server name for TLS validation [GH-11820]
ui: Add specific error message if unseal fails due to license [GH-11705]

BUG FIXES:

auth/jwt: Updates the hashicorp/cap library to v0.1.0 to
bring in a verification key caching fix. [GH-11784]
core (enterprise): serialize access to HSM entropy generation to avoid errors in concurrent key generation.
secret: fix the bug where transit encrypt batch doesn't work with key_version [GH-11628]
secrets/ad: Forward all creds requests to active node [GH-76] [GH-11836]
tokenutil: Perform the num uses check before token type. [GH-11647]