CHANGES:
* cli: The raft configuration command has been renamed to list-peers to
avoid confusion.
FEATURES:
* Kerberos Authentication: Vault now supports Kerberos authentication using
a SPNEGO token. Login can be performed using the Vault CLI, API, or agent.
* Kubernetes Service Discovery: A new Kubernetes service discovery feature
where, if configured, Vault will tag Vault pods with their current health
status. For more, see #8249.
* MongoDB Atlas Secrets: Vault can now generate dynamic credentials for
both MongoDB Atlas databases as well as the Atlas programmatic interface.
* OpenLDAP Secrets Engine: We now support password management of existing
OpenLDAP user entries. For more, see #8360.
* Redshift Database Secrets Engine: The database secrets engine now
supports static and dynamic secrets for the Amazon Web Services (AWS)
Redshift service.
* Service Registration Config: A newly introduced service_registration
configuration stanza that allows service registration to be configured
separately from the storage backend. For more, see #7887.
* Transform Secrets Engine (Enterprise): A new secrets engine that handles
secure data transformation and tokenization of a provided input value.
* Integrated Storage: Promoted out of beta and into general availability
for both open-source and enterprise workloads.
IMPROVEMENTS:
* agent: add option to force the use of the auto-auth token, and ignore the
Vault token in the request [GH-8101]
* api: Restore and fix DNS SRV Lookup [GH-8520]
* audit: HMAC http_raw_body in audit log; this ensures that large
authenticated Prometheus metrics responses get replaced with short HMAC
values [GH-8130]
* audit: Generate-root, generate-recovery-token, and
generate-dr-operation-token requests and responses are now
audited. [GH-8301]
* auth/aws: Reduce the number of simultaneous STS client credentials needed
[GH-8161]
* auth/azure: subscription ID, resource group, vm and vmss names are now
stored in alias metadata [GH-30]
* auth/jwt: Additional OIDC callback parameters available for CLI logins
[GH-80 & GH-86]
* auth/jwt: Bound claims may be optionally configured using globs [GH-89]
* auth/jwt: Timeout during OIDC CLI login if process doesn't complete
within 2 minutes [GH-97]
* auth/jwt: Add support for the form_post response mode [GH-98]
* auth/jwt: add optional client_nonce to authorization flow [GH-104]
* auth/okta: Upgrade okta sdk lib, which should improve handling of groups
[GH-8143]
* aws: Add support for v2 of the instance metadata service (see issue 7924
for all linked PRs)
* core: Separate out service discovery interface from storage interface to
allow new types of service discovery not coupled to storage [GH-7887]
* core: Add support for telemetry option metrics_prefix [GH-8340]
* core: Entropy Augmentation can now be used with AWS KMS and Vault Transit
seals
* core: Allow tls_min_version to be set to TLS 1.3 [GH-8305]
* cli: Incorrect TLS configuration will now correctly fail [GH-8025]
* identity: Allow specifying a custom client_id for identity tokens
[GH-8165]
* metrics/prometheus: improve performance with high volume of metrics
updates [GH-8507]
* replication (enterprise): Fix race condition causing clusters with high
throughput writes to sometimes fail to enter streaming-wal mode
* replication (enterprise): Secondary clusters can now perform an extra
gRPC call to all nodes in a primary cluster in an attempt to resolve the
active node's address
* replication (enterprise): The replication status API now outputs
last_performance_wal, last_dr_wal, and connection_state values
* replication (enterprise): DR secondary clusters can now be recovered by
the replication/dr/secondary/recover API
* replication (enterprise): We now allow for an alternate means to create a
Disaster Recovery token, by using a batch token that is created with an ACL
that allows for access to one or more of the DR endpoints.
* secrets/database/mongodb: Switched internal MongoDB driver to
mongo-driver [GH-8140]
* secrets/database/mongodb: Add support for x509 client authorization to
MongoDB [GH-8329]
* secrets/database/oracle: Add support for static credential rotation
[GH-26]
* secrets/consul: Add support to specify TLS options per Consul backend
[GH-4800]
* secrets/gcp: Allow specifying the TTL for a service key [GH-54]
* secrets/gcp: Add support for rotating root keys [GH-53]
* secrets/gcp: Handle version 3 policies for Resource Manager IAM requests
[GH-77]
* secrets/nomad: Add support to specify TLS options per Nomad backend
[GH-8083]
* secrets/ssh: Allowed users can now be templated with identity information
[GH-7548]
* secrets/transit: Adding RSA3072 key support [GH-8151]
* storage/consul: Vault now returns a more descriptive error message when
only a client cert or only a client key has been provided [GH-4930]
* storage/raft: Nodes in the raft cluster can all be given a list of possible
leader addresses, which they continuously try to join, thus automating the
join process to a greater extent [GH-7856]
* storage/raft: Fix a potential deadlock that could occur on leadership
transition [GH-8547]
* storage/raft: Refresh TLS keyring on snapshot restore [GH-8546]
* storage/etcd: Bumped etcd client API SDK [GH-7931 & GH-4961 & GH-4349 &
GH-7582]
* ui: Make Transit Key actions more prominent [GH-8304]
* ui: Add Core Usage Metrics [GH-8347]
* ui: Add refresh Namespace list on the Namespace dropdown, and redesign of
Namespace dropdown menu [GH-8442]
* ui: Update transit actions to codeblocks & automatically encode plaintext
unless indicated [GH-8462]
* ui: Display the results of transit key actions in a modal window
[GH-8462]
* ui: Transit key version styling updates & ability to copy key from
dropdown [GH-8480]
BUG FIXES:
* agent: Fix issue where TLS options are ignored for agent template feature
[GH-7889]
* auth/jwt: Use lower case role names for default_role to match the role
case convention [GH-100]
* auth/ldap: Fix a bug where the UPNDOMAIN parameter was wrongly used to
lookup the group membership of the given user [GH-6325]
* cli: Support autocompletion for nested mounts [GH-8303]
* cli: Fix CLI namespace autocompletion [GH-8315]
* identity: Fix incorrect caching of identity token JWKS responses
[GH-8412]
* metrics/stackdriver: Fix issue where the stackdriver metrics library
created unnecessary stackdriver descriptors [GH-8073]
* replication: Fix issue that caused cubbyholes in namespaces on performance
secondaries to stop working.
* seal (enterprise): Fix seal migration when transactional seal wrap
backend is in use.
* secrets/database/influxdb: Fix potential panic if connection to the
InfluxDB database cannot be established [GH-8282]
* secrets/database/mysql: Ensures default static credential rotation
statements are used [GH-8240]
* secrets/database/mysql: Fix inconsistent query parameter names ({{name}}
or {{username}}) across different queries. Either is now accepted for
backwards compatibility [GH-8240]
* secrets/database/postgres: Fix inconsistent query parameter names
({{name}} or {{username}}) across different queries. Either is now accepted
for backwards compatibility [GH-8240]
* secrets/pki: Support FQDNs in DNS Name [GH-8288]
* storage/raft: Allow seal migration to be performed on Vault clusters
using raft storage [GH-8103]
* telemetry: Prometheus requests on standby nodes will now return an error
instead of forwarding the request to the active node [GH-8280]
* ui: Fix broken popup menu on the transit secrets list page [GH-8348]
* ui: Update headless Chrome flag to fix yarn run test:oss [GH-8035]
* ui: Update CLI to accept empty strings as param value to reset
previously-set values
* ui: Fix bug where error states don't clear when moving between action
tabs on Transit [GH-8354]
The gopls command is an LSP server for Go. The Language Server Protocol
allows any text editor to be extended with IDE-like features; see
https://langserver.org/ for details.
Snuffleupagus is a PHP 7+ module designed to drastically raise the cost of
attacks against websites by killing entire bug classes. It also provides a
powerful virtual-patching system, allowing administrators to fix specific
vulnerabilities and audit suspicious behaviours without having to touch the
PHP code.
afl++ is an upgrade to the American Fuzzy Lop (afl) fuzzer, created initially
to incorporate all the best features developed over the years for fuzzers in
the AFL family that were never merged into AFL, as AFL has not been updated
since November 2017.
Module distfiles are now renamed so that their filenames contain
the subpath. Thus, they do not need to be in a DIST_SUBDIR and can
be shared among more than one Go package.
Also update the lf port with the new distfile names and add
CHECK_RELRO_SKIP.
Newt is a programming library for color text mode, widget-based user
interfaces. Newt can be used to add stacked windows, entry widgets,
checkboxes, radio buttons, labels, plain text fields, scrollbars,
etc., to text mode user interfaces. Newt is based on the slang library.
Changelog:
Fri Dec 20 09:22:03 2019 +0900
Released gnunet 0.12.0 -schanzen
Fri Dec 20 09:22:03 2019 +0900
Fixed BOX record label parsing -schanzen
Mon Dec 16 09:33:36 2019 +0100
Fixed mysql build -schanzen
Sat 07 Dec 2019 02:38:53 PM CET
Protocol-breaking change, using more standards-compliant
EdDSA and RSA operations. Also changing POW function to
make it less ASIC-compatible. This marks the switch to
the 0.12.0 protocol family.
Sun Dec 01 19:31:00 UTC 2019
configure: Add --with-gnunet-logread.
-ng0
Sun Dec 1 12:26:11 2019 +0100
GNS NSS plugin: Reject non-IDNA conforming names and
trigger continue with next NSS plugin. -schanzen
Sat Nov 30 23:32:03 2019 +0100
GNS NSS plugin: Disabled if called as root. -CG
Sat Nov 30 23:08:49 2019 +0100
Fixed #3795: Switched to new PoW for NSE and GNS revocation.
Functionality is ifdef guarded for 0.12. -CG
Sat Nov 30 21:05:25 2019 +0100
Fixed #5978:
Added support for .<zkey> CNAMEs in the GNS resolver. -schanzen
Sat Nov 30 20:27:51 2019 +0100
Fixed #5979:
Added support for .<zkey> DNS server names in GNS2DNS records.
-schanzen
Tue Nov 26 18:26:54 2019 +0100
Crypto change: Use Curve25519 for ECDH and tweetnacl where we can.
Functionality is ifdef guarded for 0.12. -fdold
Nov 30 15:20:45 2019 +0100
Fixed #5922:
GNS names are now UTF-8. For DNS, names are converted to IDNA.
Functionality is ifdef guarded for 0.12. -schanzen
U-Boot is a bootloader for embedded boards based on PowerPC, ARM, MIPS and
several other processors, which can be installed in a boot ROM and used to
initialize and test the hardware or to download and run application code.
This package provides U-Boot for the Xunlong Orange Pi PC.