December 16, 2020
SECURITY:
* LDAP Auth Method: We addressed an issue where error messages returned by
the LDAP auth method allowed user enumeration [GH-10537]. This
vulnerability affects Vault OSS and Vault Enterprise and is fixed in 1.5.6
and 1.6.1 (CVE-2020-35177).
* Sentinel EGP: We've fixed incorrect handling of namespace paths to
prevent users within namespaces from applying Sentinel EGP policies to
paths above their namespace. This vulnerability affects Vault Enterprise
and is fixed in 1.5.6 and 1.6.1 (CVE-2020-35453).
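The LDAP entry above (and the matching auth/ldap consistency improvement below) concerns a classic enumeration oracle: a login path whose failure message differs between "unknown user" and "wrong password". The following is an added, constructed illustration, not Vault's code: a leaky login beside a uniform one, plus a check that tells whether a login function is distinguishable across the two failure modes. The directory contents and error strings are made up for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed in-memory directory (username -> password); not Vault's data model.
var directory = map[string]string{
	"alice": "correct-horse",
}

// ErrInvalidCredentials is the single error returned for every failed login,
// so a caller cannot tell an unknown user from a bad password.
var ErrInvalidCredentials = errors.New("authentication failed")

// loginLeaky shows the enumeration problem: the error text reveals whether
// the account exists.
func loginLeaky(user, pass string) error {
	stored, ok := directory[user]
	if !ok {
		return fmt.Errorf("user %q not found", user)
	}
	if stored != pass {
		return errors.New("invalid password")
	}
	return nil
}

// loginUniform collapses both failure modes into one identical error.
func loginUniform(user, pass string) error {
	stored, ok := directory[user]
	if !ok || stored != pass {
		return ErrInvalidCredentials
	}
	return nil
}

// Distinguishable reports whether a login function's two failure paths
// (unknown user vs. known user with a wrong password) yield different
// messages, i.e. whether it acts as a user-enumeration oracle.
func Distinguishable(login func(string, string) error) bool {
	unknown := login("nobody", "x")
	badPass := login("alice", "x")
	if unknown == nil || badPass == nil {
		return false
	}
	return unknown.Error() != badPass.Error()
}

func main() {
	fmt.Println("leaky distinguishable:", Distinguishable(loginLeaky))     // true
	fmt.Println("uniform distinguishable:", Distinguishable(loginUniform)) // false
}
```

Message uniformity is the necessary first step; a complete review also compares response timing and HTTP status codes across the same two failure paths.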
IMPROVEMENTS:
* auth/ldap: Improve consistency in error messages [GH-10537]
* core/metrics: Added "vault operator usage" command. [GH-10365]
* secrets/gcp: Truncate ServiceAccount display names longer than 100
characters. [GH-10558]
BUG FIXES:
* agent: Only set the namespace if the VAULT_NAMESPACE env var isn't
present [GH-10556]
* auth/jwt: Fixes bound_claims validation for provider-specific group and
user info fetching. [GH-10546]
* core (enterprise): Vault EGP policies attached to path * were not
correctly scoped to the namespace.
* core: Avoid deadlocks by ensuring that if grabLockOrStop returns
stopped=true, the lock will not be held. [GH-10456]
* core: Fix client.Clone() to include the address [GH-10077]
* core: Fix rate limit resource quota migration from 1.5.x to 1.6.x by
ensuring purgeInterval and staleAge are set appropriately. [GH-10536]
* core: Make all APIs that report init status consistent, and make them
report initialized=true when a Raft join is in progress. [GH-10498]
* secrets/database/influxdb: Fix issue where not all errors from InfluxDB
were being handled [GH-10384]
* secrets/database/mysql: Fixes issue where the DisplayName within
generated usernames was the incorrect length [GH-10433]
* secrets/database: Sanitize private_key field when reading database plugin
config [GH-10416]
* secrets/transit: allow for null string to be used for optional parameters
in encrypt and decrypt [GH-10386]
* storage/raft (enterprise): The parameter aws_s3_server_kms_key was
misnamed and didn't work. It has been renamed to aws_s3_kms_key and now
works: when provided, the given key is used to encrypt the snapshot using
AWS KMS.
* transform (enterprise): Fix bug in tokenization handling of metadata on
exportable stores
* transform (enterprise): Fix transform configuration not handling stores
parameter on the legacy path
* transform (enterprise): Make expiration timestamps human readable
* transform (enterprise): Return false for invalid tokens on the validate
endpoint rather than returning an HTTP error
* transform (enterprise): Fix bug where tokenization store changes are
persisted but don't take effect
* ui: Fix bug in Transform secret engine when a new role is added and then
removed from a transformation [GH-10417]
* ui: Fix footer URL linking to the correct version changelog. [GH-10491]
* ui: Fix radio click on secrets and auth list pages. [GH-10586]