Vault - Package Updates

Package Updates

[1.16.0]

• Update Vault to 1.18.0
• Full changelog

Package Updates

[1.16.1]

• Update Vault to 1.18.1
• Full changelog

Package Updates

[1.16.2]

• Update vault to 1.18.2
• Full Changelog
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20241115202008-166203013d8e
• auth/azure: Update plugin to v0.19.2 [GH-28848]
• core/ha (enterprise): Failed attempts to become a performance standby node are now using an exponential backoff instead of a
• login (enterprise): Return a 500 error during logins when performance standby nodes make failed gRPC requests to the active node. [GH-28807]
• Product Usage Reporting: Added product usage reporting, which collects anonymous, numerical, non-sensitive data about Vault secrets usage, and adds it to the existing utilization reports. See the [docs] for more info [GH-28858]
• secret/pki: Introduce a new value always_enforce_err within leaf_not_after_behavior to force the error in all circumstances such as CA issuance and ACME requests if requested TTL values are beyond the issuer's NotAfter. [GH-28907]
• secrets-sync (enterprise): No longer attempt to unsync a random UUID secret name in GCP upon destination creation.
• ui: Adds navigation for LDAP hierarchical roles [GH-28824]
• website/docs: changed outdated reference to consul-helm repository to consul-k8s repository. [GH-28825]
• auth/ldap: Fixed an issue where debug level logging was not emitted. [GH-28881]
• core: Improved an internal helper function that sanitizes paths by adding a check for leading backslashes
• secret/pki: Fix a bug that prevents PKI issuer field enable_aia_url_templating
• secrets-sync (enterprise): Fixed issue where secret-key granularity destinations could sometimes cause a panic when loading a sync status.
• secrets/aws: Fix issue with static credentials not rotating after restart or leadership change. [GH-28775]
• secrets/ssh: Return the flag allow_empty_principals in the read role api when key_type is "ca" [GH-28901]
• secrets/transform (enterprise): Fix nil panic when accessing a partially setup database store.
• secrets/transit: Fix a race in which responses from the key update api could contain results from another subsequent update [GH-28839]
• ui: Fixes rendering issues of LDAP dynamic and static roles with the same name [GH-28824]

Package Updates

[1.16.3]

• Update vault to 1.18.3
• Full Changelog

Package Updates

[1.16.4]

• Update vault to 1.18.4
• Full Changelog

Package Updates

[1.16.5]

• Update vault to 1.18.5
• Full Changelog

Package Updates

[1.17.0]

• Update vault to 1.19.0
• Full Changelog
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20241115202008-166203013d8e
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.2.0
• api: Add to sys/health whether the node has been removed from the HA cluster. If the node has been removed, return code 530 by default or the value of the removedcode query parameter. [GH-28991]
• api: Add to sys/health whether the standby node has been able to successfully send heartbeats to the active node and the time in milliseconds since the last heartbeat. If the standby has been unable to send a heartbeat, return code 474 by default or the value of the haunhealthycode query parameter. [GH-28991]
• auth/alicloud: Update plugin to v0.20.0 [GH-29613]

Package Updates

[1.80.0]

• Update base image to 5.0.0

Package Updates

[1.80.1]

• Update vault to 1.19.1
• Full Changelog

Package Updates

[1.80.2]

• Update vault to 1.19.2
• Full Changelog
• core: Bump Go version to 1.23.8
• secrets/openldap: Update plugin to v0.15.4 [GH-30279]
• secrets/openldap: Prevent static role rotation on upgrade when NextVaultRotation is nil. Fixes an issue where static roles were unexpectedly rotated after upgrade due to a missing NextVaultRotation value. Now sets it to either LastVaultRotation + RotationPeriod or now + RotationPeriod. [GH-30265]
• secrets/pki (enterprise): Address a parsing bug that rejected CMPv2 requests containing a validity field.
• secrets/pki: fix a bug where key_usage was ignored when generating root certificates, and signing certain intermediate certificates. [GH-30034]
• secrets/transit: fix a panic when rotating on a managed key returns an error [GH-30214]

Package Updates

[1.80.3]

• Update vault to 1.19.3
• Full Changelog

Package Updates

[1.80.4]

• Update vault to 1.19.4
• Full Changelog
• Update vault-plugin-auth-cf to v0.20.1 GH-30586]
• auth/azure: Update plugin to v0.20.4 GH-30543]
• core: Bump Go version to 1.24.3.
• Namespaces (enterprise): allow a root token to relock a namespace
• core (enterprise): update to FIPS 140-3 cryptographic module in the FIPS builds.
• core: Updated code and documentation to support FIPS 140-3 compliant algorithms. GH-30576]
• core: support for X25519MLKEM768 (post quantum key agreement) in the Go TLS stack. GH-30603]
• ui: Replaces all instances of the deprecated event.keyCode with event.key GH-30493]
• core (enterprise): fix a bug where plugin automated root rotations would stop after seal/unseal operations
• plugins (enterprise): Fix an issue where Enterprise plugins can't run on a standby node when it becomes active because standby nodes don't extract the artifact when the plugin is registered. Remove extracting from Vault and require the operator to place the extracted artifact in the plugin directory before registration.

Package Updates

[1.80.5]

• Update vault to 1.19.5
• Full Changelog

Package Updates

[1.81.0]

• Update vault to 1.20.0
• Full Changelog
• core: require a nonce when cancelling a rekey operation that was initiated within the last 10 minutes. [GH-30794],[HCSEC-2025-11]
• UI: remove outdated and unneeded js string extensions [GH-29834]
• activity (enterprise): The sys/internal/counters/activity endpoint will return actual values for new clients in the current month.
• activity (enterprise): provided values for start_time and end_time in sys/internal/counters/activity are aligned to the corresponding billing period.
• activity: provided value for end_time in sys/internal/counters/activity is now capped at the end of the last completed month. [GH-30164]
• api: Update the default API client to check for the Retry-After header and, if it exists, wait for the specified duration before retrying the request. [GH-30887]
• auth/alicloud: Update plugin to v0.21.0 [GH-30810]
• auth/azure: Update plugin to v0.20.2. Login requires resource_group_name, vm_name, and vmss_name to match token claims [GH-30052]
• auth/azure: Update plugin to v0.20.3 [GH-30082]
• auth/azure: Update plugin to v0.20.4 [GH-30543]

Package Updates

[1.81.1]

• Update vault to 1.20.1
• Full Changelog

Package Updates

[1.81.2]

• Update vault to 1.20.2
• Full Changelog
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled [GH-31427,HCSEC-2025-20].
• agent/template: Fixed issue where templates would not render correctly if namespaces was provided by config, and the namespace and mount path of the secret were the same. [GH-31392]
• identity/mfa: revert cache entry change from #​31217 and document cache entry values [GH-31421]

Package Updates

[1.81.3]

• Update vault to 1.20.3
• Full Changelog
• core: Bump Go version to 1.24.6. (ce56e14e)
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count. [GH-31069]
• sdk: Upgrade to go-secure-stdlib/plugincontainer@v0.4.2, which also bumps github.com/docker/docker to v28.3.3+incompatible (8f172169)
• secrets/openldap (enterprise): update plugin to v0.16.1
• auth/ldap: add explicit logging to rotations in ldap [GH-31401]
• core (enterprise): improve rotation manager logging to include specific lines for rotation success and failure
• secrets/database: log password rotation success (info) and failure (error). Some relevant log lines have been updated to include "path" fields. [GH-31402]
• secrets/transit: add logging on both success and failure of key rotation [GH-31420]
• ui: Use the Helios Design System Code Block component for all readonly code editors and use its Code Editor component for all other code editors [GH-30188]
• core (enterprise): fix a bug where issuing a token in a namespace used root auth configuration instead of namespace auth configuration

Package Updates

[1.81.4]

• Update vault to 1.20.4
• Full Changelog
• core: Update github.com/ulikunitz/xz to fix security vulnerability GHSA-25xm-hr59-7c27. (ce4b4264)
• database/snowflake: Update plugin to v0.14.2 (9f06df77)
• Raft: Auto-join will now allow you to enforce IPv4 on networks that allow IPv6 and dual-stack enablement, which is on by default in certain regions. (1fd38796)
• auth/cert: Support RFC 9440 colon-wrapped Base64 certificates in x_forwarded_for_client_cert_header, to fix TLS certificate auth errors with Google Cloud Application Load Balancer. [GH-31501]
• secrets/database (enterprise): Add support for reading, listing, and recovering static roles from a loaded snapshot. Also add support for reading static credentials from a loaded snapshot. (24cd1aa5)
• secrets/ssh: Add support for recovering the SSH plugin CA from a loaded snapshot (enterprise only). (0087af9d)
• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load. [GH-31438]
• core: Role based quotas now work for cert auth (fc775dea)
• sys/mounts: enable unsetting allowed_response_headers [GH-31555]
• ui: Fix page loading error when users navigate away from identity entities and groups list views. (81170963)

Package Updates

[1.82.0]

• Update vault to 1.21.0
• Full Changelog
• auth/ldap: fix MFA/TOTP enforcement bypass when username_as_alias is enabled.
• activity: Renamed timestamp in export API response to token_creation_time.
• http: Add JSON configurable limits to HTTP handling for JSON payloads: max_json_depth, max_json_string_value_length, max_json_object_entry_count, max_json_array_element_count.
• AES-CBC in Transit (Enterprise): Add support for encryption and decryption with AES-CBC in the Transit Secrets Engine.
• KV v2 Version Attribution: Vault now includes attribution metadata for versioned KV secrets. This allows lookup of attribution information for each version of KV v2 secrets from CLI and API.
• Login MFA TOTP Self-Enrollment (Enterprise): Simplify creation of login MFA TOTP credentials for users, allowing them to self-enroll MFA TOTP using a QR code (TOTP secret) generated during login. The new functionality is configurable on the TOTP login MFA method configuration screen and via the enable_self_enrollment parameter in the API.
• activity (enterprise): Fix development_cluster setting being overwritten on performance secondaries upon cluster reload.
• auth/cert: Recover from partially populated caches of trusted certificates if one or more certificates fails to load.
• auth/spiffe: Address an issue updating a role with overlapping workload_id_pattern values it previously contained.
• core: Role based quotas now work for cert auth