
Bump github.com/hashicorp/vault/api from 1.1.0 to 1.1.1 #3

Merged

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Sep 1, 2021

Bumps github.com/hashicorp/vault/api from 1.1.0 to 1.1.1.

Changelog

Sourced from github.com/hashicorp/vault/api's changelog.

1.1.1 (April 11th, 2019)

SECURITY:

  • Given: (a) performance replication is enabled; (b) performance standbys are in use on the performance replication secondary cluster; and (c) mount filters are in use, if a mount that was previously available to a secondary is updated to be filtered out, although the data would be removed from the secondary cluster, the in-memory cache of the data would not be purged on the performance standby nodes. As a result, the previously-available data could still be read from memory if it was ever read from disk, and if this included mount configuration data this could result in token or lease issuance. The issue is fixed in this release; in prior releases either an active node changeover (such as a step-down) or a restart of the standby nodes is sufficient to cause the performance standby nodes to clear their cache. A CVE is in the process of being issued; the number is CVE-2019-11075.
  • Roles in the JWT Auth backend using the OIDC login flow (i.e. role_type of “oidc”) were not enforcing bound_cidrs restrictions, if any were configured for the role. This issue did not affect roles of type “jwt”.

CHANGES:

  • auth/jwt: Disallow logins of role_type "oidc" via the /login path [GH-38]
  • core/acl: New ordering defines which policy wins when there are multiple inexact matches and at least one path contains +. +* is now illegal in policy paths. The previous behavior simply selected any matching segment-wildcard path that matched. [GH-6532]
  • replication: Due to technical limitations, mounting and unmounting was not previously possible from a performance secondary. These have been resolved, and these operations may now be run from a performance secondary.

IMPROVEMENTS:

  • agent: Allow AppRole auto-auth without a secret-id [GH-6324]
  • auth/gcp: Cache clients to improve performance and reduce open file usage
  • auth/jwt: Bounds claims validation will now allow matching the received claims against a list of expected values [GH-41]
  • secret/gcp: Cache clients to improve performance and reduce open file usage
  • replication: Mounting/unmounting/remounting/mount-tuning is now supported from a performance secondary cluster
  • ui: Support for authentication via the RADIUS auth method [GH-6488]
  • ui: Navigating away from secret list view will clear any page-specific filter that was applied [GH-6511]
  • ui: Improved the display when OIDC auth errors [GH-6553]

BUG FIXES:

  • agent: Allow auto-auth to be used with caching without having to define any sinks [GH-6468]

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 1, 2021
Bumps [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) from 1.1.0 to 1.1.1.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v1.1.0...v1.1.1)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/hashicorp/vault/api-1.1.1 branch from 8241114 to c3977ff Compare September 13, 2021 13:25
@M0roSan M0roSan merged commit a8e85fe into main Sep 13, 2021
@M0roSan M0roSan deleted the dependabot/go_modules/github.com/hashicorp/vault/api-1.1.1 branch September 13, 2021 16:43