SECURITY:
* core: Proxy environment variables are now redacted before being logged,
since proxy URLs can embed a username:password. This vulnerability,
CVE-2020-13223, is fixed in 1.3.6 and 1.4.2; it affects 1.4.0 and 1.4.1 as
well as older versions of Vault. [GH-9022]
* secrets/gcp: Fix a regression in 1.4.0 where the system TTLs were being
used instead of the configured backend TTLs for dynamic service
accounts. This vulnerability is CVE-2020-12757. [GH-85]
IMPROVEMENTS:
* storage/raft: The storage stanza now accepts leader_ca_cert_file,
leader_client_cert_file, and leader_client_key_file parameters to read and
parse TLS certificate information from paths on disk. Existing non-path
based parameters will continue to work, but their values will need to be
provided as a single-line string with newlines delimited by \n. [GH-8894]
* storage/raft: The vault status CLI command and the sys/leader API now
contain the committed and applied raft indexes. [GH-9011]
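The raft TLS note above says inline (non-path) values must be a single line with newlines written as `\n`. As an added Go example, not Vault's own tooling, the following flattens a PEM file into that form and then verifies the round trip by unescaping it and parsing the certificate back. It mints a throwaway self-signed CA so it runs offline; in practice the input is the file you would otherwise name in `leader_ca_cert_file`, and the inline parameter names it refers to (`leader_ca_cert` and friends) are assumed to be the non-path counterparts of the `*_file` parameters on this page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// toSingleLine rewrites multi-line PEM text as one line in which every
// newline is spelled as the two characters backslash and n, the form the
// inline leader_ca_cert / leader_client_cert / leader_client_key values need.
// Carriage returns from Windows-style files are dropped first.
func toSingleLine(pemText string) string {
	pemText = strings.ReplaceAll(pemText, "\r", "")
	return strings.ReplaceAll(pemText, "\n", `\n`)
}

// fromSingleLine undoes toSingleLine, as the config parser does when it
// decodes the escaped string, and checks that a PEM block comes back out.
// It rejects input that still carries raw newlines and returns the DER
// payload of the first block.
func fromSingleLine(oneLine string) ([]byte, error) {
	if strings.Contains(oneLine, "\n") {
		return nil, errors.New("value still contains a raw newline")
	}
	block, _ := pem.Decode([]byte(strings.ReplaceAll(oneLine, `\n`, "\n")))
	if block == nil {
		return nil, errors.New("no PEM block found after unescaping")
	}
	return block.Bytes, nil
}

// selfSignedCertPEM mints a throwaway CA certificate (constructed test input)
// so the example runs offline; in real use read the leader_ca_cert_file path.
func selfSignedCertPEM(cn string) (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

// roundTrip flattens a PEM certificate, parses the flattened form back and
// returns the certificate's common name, so a caller can confirm the value
// that will go into the config still describes the intended certificate.
func roundTrip(pemText string) (string, error) {
	der, err := fromSingleLine(toSingleLine(pemText))
	if err != nil {
		return "", err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func main() {
	pemText, err := selfSignedCertPEM("raft-ca.example")
	if err != nil {
		panic(err)
	}
	fmt.Println(toSingleLine(pemText)) // this line is the inline config value
	fmt.Println(roundTrip(pemText))
}
```

Pasting the printed line into a double-quoted HCL string is what the `\n` convention in the changelog refers to; the round trip is the check worth running before a cluster restart, since a value that loses a newline (or keeps a raw one) fails only when the node tries to join.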
BUG FIXES:
* auth/aws: Fix token renewal issues caused by the metadata changes in
1.4.1 [GH-8991]
* auth/ldap: Fix 1.4.0 regression that could result in auth failures when
LDAP auth config includes upndomain. [GH-9041]
* secrets/ad: Forward rotation requests from standbys to active clusters
[GH-66]
* secrets/database: Prevent generation of usernames that are not allowed by
the MongoDB Atlas API [GH-9]
* secrets/database: Return an error if a manual rotation of static account
credentials fails [GH-9035]
* secrets/openldap: Forward all rotation requests from standbys to active
clusters [GH-9028]
* secrets/transform (enterprise): Fix a panic that could occur when accessing
cached template entries, such as requests that access templates directly or
indirectly from a performance standby node.
* serviceregistration: Fix a regression in Consul service registration that
did not fall back to the listener address as the redirect address when
api_addr was not provided. It now uses the same redirect address as Vault's
Core object. [GH-8976]
* storage/raft: Advertise the configured cluster address to the rest of the
nodes in the raft cluster. This fixes an issue where a node listening on
0.0.0.0 advertised that address instead of a unique hostname. [GH-9008]
* storage/raft: Fix panic when multiple nodes attempt to join the cluster
at once. [GH-9008]
* sys: The path provided in sys/internal/ui/mounts/:path is now
namespace-aware. This fixes an issue where vault kv subcommands given a path
that included a namespace always returned permission denied. [GH-8962]
* ui: Fix the snowman error page that appeared when a namespace path
contained more than one period [GH-8910]