
fix(deps): update module github.com/hashicorp/vault to v1.14.1 [security] #4550

Merged (6 commits) on Oct 13, 2023

Conversation

renovate[bot] (Contributor) commented Sep 6, 2023

This PR contains the following updates:

Package                    | Type    | Update | Change
---------------------------|---------|--------|------------------
github.com/hashicorp/vault | require | patch  | v1.14.0 -> v1.14.3

GitHub Vulnerability Alerts

CVE-2023-3462

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed in Vault 1.14.1 and 1.13.5.

CVE-2023-4680

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.


Release Notes

hashicorp/vault (github.com/hashicorp/vault)

v1.14.3

September 13, 2023

SECURITY:

  • secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [GH-22852]

CHANGES:

  • core: Bump Go version to 1.20.8.

FEATURES:

  • Merkle Tree Corruption Detection (enterprise): Add a new endpoint to check merkle tree corruption.

IMPROVEMENTS:

  • auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
  • core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
  • kmip (enterprise): reduce latency of KMIP operation handling

BUG FIXES:

  • cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to table. [GH-22818]
  • core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
  • core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
  • core/seal: add a workaround for potential connection [hangs] in Azure autoseals. [GH-22760]
  • core: All subloggers now reflect configured log level on reload. [GH-22038]
  • kmip (enterprise): fix date handling error with some re-key operations
  • raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
  • replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
  • secrets/transit: fix panic when providing non-PEM formatted public key for import [GH-22753]
  • ui: fixes long namespace names overflow in the sidebar

v1.14.2

August 30, 2023

CHANGES:

  • auth/azure: Update plugin to v0.16.0 [GH-22277]
  • core: Bump Go version to 1.20.7.
  • database/snowflake: Update plugin to v0.9.0 [GH-22516]

IMPROVEMENTS:

  • auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
  • core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
  • kmip (enterprise): Add namespace lock and unlock support [GH-21925]
  • replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
  • secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
  • storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
  • ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
  • ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
  • ui: enables create and update KV secret workflow when control group present [GH-22471]
  • website/docs: Fix link formatting in Vault lambda extension docs [GH-22396]

BUG FIXES:

  • activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
  • agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
  • api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
  • core (enterprise): Remove MFA Configuration for namespace when deleting namespace
  • core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
  • core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
    Also fix a related potential deadlock. [GH-21110]
  • core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
  • core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
  • core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
  • core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
  • expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
  • license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
  • replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
  • replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
  • replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
  • sdk/ldaputil: Properly escape user filters when using UPN domains
    sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
  • secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
  • secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
  • secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
  • secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
  • storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
  • ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
  • ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
  • ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
  • ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]

v1.14.1

July 25, 2023

CHANGES:

  • auth/ldap: Normalize HTTP response codes when invalid credentials are provided [GH-21282]
  • core/namespace (enterprise): Introduce the concept of high-privilege namespace (administrative namespace),
    which will have access to some system backend paths that were previously only accessible in the root namespace. [GH-21215]
  • secrets/transform (enterprise): Enforce a transformation role's max_ttl setting on encode requests, a warning will be returned if max_ttl was applied.
  • storage/aerospike: Aerospike storage shouldn't be used on 32-bit architectures and is now unsupported on them. [GH-20825]

IMPROVEMENTS:

  • core/fips: Add RPM, DEB packages of FIPS 140-2 and HSM+FIPS 140-2 Vault Enterprise.
  • eventbus: updated go-eventlogger library to allow removal of nodes referenced by pipelines (used for subscriptions) [GH-21623]
  • openapi: Better mount points for kv-v1 and kv-v2 in openapi.json [GH-21563]
  • replication (enterprise): Avoid logging warning if request is forwarded from a performance standby and not a performance secondary
  • secrets/pki: Add a parameter to allow ExtKeyUsage field usage from a role within ACME. [GH-21702]
  • secrets/transform (enterprise): Switch to pgx PostgreSQL driver for better timeout handling
  • sys/metrics (enterprise): Adds a gauge metric that tracks whether enterprise builtin secret plugins are enabled. [GH-21681]

BUG FIXES:

  • agent: Fix "generate-config" command documentation URL [GH-21466]
  • auth/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21800]
  • auth/token, sys: Fix path-help being unavailable for some list-only endpoints [GH-18571]
  • auth/token: Fix parsing of auth/token/create fields to avoid incorrect warnings about ignored parameters [GH-18556]
  • awsutil: Update awsutil to v0.2.3 to fix a regression where Vault no longer
    respects AWS_ROLE_ARN, AWS_WEB_IDENTITY_TOKEN_FILE, and AWS_ROLE_SESSION_NAME. [GH-21951]
  • core/managed-keys (enterprise): Allow certain symmetric PKCS#11 managed key mechanisms (AES CBC with and without padding) to operate without an HMAC.
  • core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-24170]
  • core: Fixed issue with some durations not being properly parsed to include days. [GH-21357]
  • identity: Remove caseSensitivityKey to prevent errors while loading groups which could result in missing groups in memDB when duplicates are found. [GH-20965]
  • openapi: Fix response schema for PKI Issue requests [GH-21449]
  • openapi: Fix schema definitions for PKI EAB APIs [GH-21458]
  • replication (enterprise): update primary cluster address after DR failover
  • secrets/azure: Fix intermittent 401s by preventing performance secondary clusters from rotating root credentials. [GH-21631]
  • secrets/pki: Fix bug with ACME tidy, 'unable to determine acme base folder path'. [GH-21870]
  • secrets/pki: Fix preserving acme_account_safety_buffer on config/auto-tidy. [GH-21870]
  • secrets/pki: Prevent deleted issuers from reappearing when migrating from a version 1 bundle to a version 2 bundle (versions including 1.13.0, 1.12.2, and 1.11.6); when managed keys were removed but referenced in the Vault 1.10 legacy CA bundle, this caused the error: no managed key found with uuid. [GH-21316]
  • secrets/transform (enterprise): Fix nil panic when deleting a template with tokenization transformations present
  • secrets/transform (enterprise): Grab shared locks for various read operations, only escalating to write locks if work is required
  • serviceregistration: Fix bug where multiple nodes in a secondary cluster could be labelled active after updating the cluster's primary [GH-21642]
  • ui: Adds missing values to details view after generating PKI certificate [GH-21635]
  • ui: Fixed an issue where editing an SSH role would clear default_critical_options and default_extension if left unchanged. [GH-21739]
  • ui: Fixed secrets, leases, and policies filter dropping focus after a single character [GH-21767]
  • ui: Fixes issue with certain navigational links incorrectly displaying in child namespaces [GH-21562]
  • ui: Fixes login screen display issue with Safari browser [GH-21582]
  • ui: Fixes problem displaying certificates issued with unsupported signature algorithms (i.e. ed25519) [GH-21926]
  • ui: Fixes styling of private key input when configuring an SSH key [GH-21531]
  • ui: Surface DOMException error when browser settings prevent localStorage. [GH-21503]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
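The CVE-2023-4680 advisory above, together with the 1.14.3 SECURITY note ("honoring nonces provided in non-convergent modes during encryption"), describes a failure mode worth seeing in code: an AES-GCM encrypt path that trusts a caller-supplied nonce lets the caller force nonce reuse under a long-lived key, and the symptom a reviewer can test for is that repeated encryptions become deterministic where they must not be. The following Go program is an added example written for this thread; it is not Vault's transit code and its names (`EncryptVulnerable`, `EncryptFixed`, `Mode`, `NonceReused`), its AES-256-GCM layout of nonce||ciphertext, and its simplified convergent-nonce derivation (HMAC of the plaintext, truncated to the nonce size) are all constructed here and differ from what Vault actually implements.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Mode mirrors the two key modes named in the advisory.
type Mode int

const (
	NonConvergent Mode = iota // fresh random nonce on every call
	Convergent                // deterministic nonce so equal plaintexts give equal ciphertexts
)

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key (assumed key size).
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// deriveConvergentNonce is a constructed simplification of a convergent scheme:
// HMAC-SHA256 over the plaintext, keyed with the encryption key, truncated to the nonce size.
func deriveConvergentNonce(key, plaintext []byte, size int) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(plaintext)
	return mac.Sum(nil)[:size]
}

// seal returns nonce||ciphertext||tag; a copy of nonce is used as Seal's dst so the
// caller's slice is never written into.
func seal(aead cipher.AEAD, nonce, plaintext []byte) []byte {
	return aead.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil)
}

// EncryptVulnerable reproduces the regression class: a caller-supplied nonce of the
// right length is honored regardless of mode, so the caller controls nonce reuse.
func EncryptVulnerable(key, plaintext, callerNonce []byte, mode Mode) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	var nonce []byte
	switch {
	case len(callerNonce) == aead.NonceSize():
		nonce = callerNonce // BUG: trusted even when mode == NonConvergent
	case mode == Convergent:
		nonce = deriveConvergentNonce(key, plaintext, aead.NonceSize())
	default:
		nonce = make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
	}
	return seal(aead, nonce, plaintext), nil
}

// EncryptFixed never uses the caller's nonce: non-convergent keys get a random nonce
// from the server, convergent keys derive one from the plaintext.
func EncryptFixed(key, plaintext, callerNonce []byte, mode Mode) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	_ = callerNonce // deliberately ignored; only the server chooses nonces
	var nonce []byte
	if mode == Convergent {
		nonce = deriveConvergentNonce(key, plaintext, aead.NonceSize())
	} else {
		nonce = make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
	}
	return seal(aead, nonce, plaintext), nil
}

// Decrypt splits nonce||ciphertext and opens it; both encrypt variants share this layout.
func Decrypt(key, blob []byte) ([]byte, error) {
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// NonceReused reports whether two blobs from the same key carry the same nonce:
// the observable symptom an audit of the non-convergent path should check for.
func NonceReused(a, b []byte) bool {
	const size = 12 // standard AES-GCM nonce size
	return len(a) >= size && len(b) >= size && string(a[:size]) == string(b[:size])
}

func main() {
	key := make([]byte, 32) // constructed fixed key for the demonstration
	for i := range key {
		key[i] = byte(i)
	}
	pt := []byte("constructed sample plaintext")
	nonce := []byte("012345678901") // constructed caller-supplied nonce
	v1, _ := EncryptVulnerable(key, pt, nonce, NonConvergent)
	v2, _ := EncryptVulnerable(key, pt, nonce, NonConvergent)
	f1, _ := EncryptFixed(key, pt, nonce, NonConvergent)
	f2, _ := EncryptFixed(key, pt, nonce, NonConvergent)
	fmt.Println("vulnerable path reuses nonce:", NonceReused(v1, v2))
	fmt.Println("fixed path reuses nonce:     ", NonceReused(f1, f2))
}
```

The test that matters for a dependency bump like this one is the negative property: two non-convergent encryptions of the same plaintext with the same caller nonce must not share a nonce, while convergent mode must stay deterministic and every ciphertext must still round-trip through `Decrypt`.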

@renovate renovate bot requested a review from a team as a code owner September 6, 2023 08:14
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/vault-vulnerability branch 10 times, most recently from fd7130c to cdaad23 on September 12, 2023 16:35
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/vault-vulnerability branch 3 times, most recently from 32c3c1a to fc4ab4c on September 14, 2023 09:03
@renovate renovate bot changed the title fix(deps): update module github.com/hashicorp/vault to v1.14.1 [security] fix(deps): update module github.com/hashicorp/vault to v1.14.3 [security] Sep 15, 2023
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/vault-vulnerability branch 12 times, most recently from 33f7c84 to b3397ea on September 22, 2023 07:16
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/vault-vulnerability branch 3 times, most recently from 7538e66 to 0bb2527 on September 26, 2023 06:59
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/vault-vulnerability branch 5 times, most recently from f06272a to 5499067 on October 4, 2023 10:46
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/vault-vulnerability branch 8 times, most recently from 96714d1 to 1e9f22b on October 11, 2023 09:00
@renovate renovate bot force-pushed the renovate/go-github.com/hashicorp/vault-vulnerability branch from 1e9f22b to b016cbf on October 11, 2023 09:26
renovate[bot] (Contributor, Author) commented Oct 13, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@jliempt jliempt changed the title fix(deps): update module github.com/hashicorp/vault to v1.14.3 [security] fix(deps): update module github.com/hashicorp/vault to v1.14.1 [security] Oct 13, 2023
jliempt (Member) commented Oct 13, 2023

/it-go

sonarqubecloud commented

Kudos, SonarCloud Quality Gate passed!

  • Bug: A (0 Bugs)
  • Vulnerability: A (0 Vulnerabilities)
  • Security Hotspot: A (0 Security Hotspots)
  • Code Smell: A (0 Code Smells)
  • No Coverage information
  • No Duplication information

@jliempt jliempt merged commit 3a90ee3 into master Oct 13, 2023
@jliempt jliempt deleted the renovate/go-github.com/hashicorp/vault-vulnerability branch October 13, 2023 14:23
andrew-kireev pushed a commit that referenced this pull request Oct 17, 2023
…ity] (#4550)

* fix(deps): update module github.com/hashicorp/vault to v1.14.3 [security]

* update to v1.14.1 instead due to Go version

* github.com/hashicorp/vault@v1.14.1

* go mod tidy

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: jliempt <>
Co-authored-by: Jordi van Liempt <35920075+jliempt@users.noreply.github.com>
maxatsap pushed a commit to maxatsap/jenkins-library that referenced this pull request Jul 23, 2024
…ity] (SAP#4550)

* fix(deps): update module github.com/hashicorp/vault to v1.14.3 [security]

* update to v1.14.1 instead due to Go version

* github.com/hashicorp/vault@v1.14.1

* go mod tidy

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: jliempt <>
Co-authored-by: Jordi van Liempt <35920075+jliempt@users.noreply.github.com>