CVS commit: pkgsrc/security/vault

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/security/vault
From: "Filip Hajny" <fhajny%netbsd.org@localhost>
Date: Wed, 6 Sep 2017 11:44:07 +0000

Module Name:    pkgsrc
Committed By:   fhajny
Date:           Wed Sep  6 11:44:07 UTC 2017

Modified Files:
        pkgsrc/security/vault: Makefile distinfo

Log Message:
## 0.8.2 (September 5th, 2017)

SECURITY:

- In prior versions of Vault, if authenticating via AWS IAM and
  requesting a periodic token, the period was not properly respected.
  This could lead to tokens expiring unexpectedly, or a token lifetime
  being longer than expected. Upon token renewal with Vault 0.8.2 the
  period will be properly enforced.

DEPRECATIONS/CHANGES:

- `vault ssh` users should supply `-mode` and `-role` to reduce the
  number of API calls. A future version of Vault will mark these
  optional values are required. Failure to supply `-mode` or `-role`
  will result in a warning.
- Vault plugins will first briefly run a restricted version of the
  plugin to fetch metadata, and then lazy-load the plugin on first
  request to prevent crash/deadlock of Vault during the unseal process.
  Plugins will need to be built with the latest changes in order for them
  to run properly.

FEATURES:

- Lazy Lease Loading: On startup, Vault will now load leases from
  storage in a lazy fashion (token checks and revocation/renewal
  requests still force an immediate load). For larger installations this
  can significantly reduce downtime when switching active nodes or
  bringing Vault up from cold start.
- SSH CA Login with `vault ssh`: `vault ssh` now supports the SSH CA
  backend for authenticating to machines. It also supports remote host
  key verification through the SSH CA backend, if enabled.
- Signing of Self-Issued Certs in PKI: The `pki` backend now supports
  signing self-issued CA certs. This is useful when switching root CAs.

IMPROVEMENTS:

- audit/file: Allow specifying `stdout` as the `file_path` to log to
  standard output
- auth/aws: Allow wildcards in `bound_iam_principal_id`
- auth/okta: Compare groups case-insensitively since Okta is only
  case-preserving
- auth/okta: Standarize Okta configuration APIs across backends
- cli: Add subcommand autocompletion that can be enabled with `vault
  -autocomplete-install`
- cli: Add ability to handle wrapped responses when using `vault auth`.
  What is output depends on the other given flags; see the help output
  for that command for more information.
- core: TLS cipher suites used for cluster behavior can now be set via
  `cluster_cipher_suites` in configuration
- core: The `plugin_name` can now either be specified directly as part
  of the parameter or within the `config` object when mounting a secret
  or auth backend via `sys/mounts/:path` or `sys/auth/:path` respectively
- core: It is now possible to update the `description` of a mount when
  mount-tuning, although this must be done through the HTTP layer
- secret/databases/mongo: If an EOF is encountered, attempt reconnecting
  and retrying the operation
- secret/pki: TTLs can now be specified as a string or an integer number
  of seconds
- secret/pki: Self-issued certs can now be signed via
  `pki/root/sign-self-issued`
- storage/gcp: Use application default credentials if they exist

BUG FIXES:

- auth/aws: Properly use role-set period values for IAM-derived token
  renewals
- auth/okta: Fix updating organization/ttl/max_ttl after initial setting
- core: Fix PROXY when underlying connection is TLS
- core: Policy-related commands would sometimes fail to act
  case-insensitively
- storage/consul: Fix parsing TLS configuration when using a bare IPv6
  address
- plugins: Lazy-load plugins to prevent crash/deadlock during unseal
  process.
- plugins: Skip mounting plugin-based secret and credential mounts when
  setting up mounts if the plugin is no longer present in the catalog.


To generate a diff of this commit:
cvs rdiff -u -r1.16 -r1.17 pkgsrc/security/vault/Makefile
cvs rdiff -u -r1.10 -r1.11 pkgsrc/security/vault/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/security/vault/Makefile
diff -u pkgsrc/security/vault/Makefile:1.16 pkgsrc/security/vault/Makefile:1.17
--- pkgsrc/security/vault/Makefile:1.16 Wed Sep  6 09:03:04 2017
+++ pkgsrc/security/vault/Makefile      Wed Sep  6 11:44:07 2017
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.16 2017/09/06 09:03:04 wiz Exp $
+# $NetBSD: Makefile,v 1.17 2017/09/06 11:44:07 fhajny Exp $
 
-DISTNAME=      vault-0.8.1
+DISTNAME=      vault-0.8.2
 CATEGORIES=    security
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=hashicorp/}
 

Index: pkgsrc/security/vault/distinfo
diff -u pkgsrc/security/vault/distinfo:1.10 pkgsrc/security/vault/distinfo:1.11
--- pkgsrc/security/vault/distinfo:1.10 Thu Aug 17 07:58:53 2017
+++ pkgsrc/security/vault/distinfo      Wed Sep  6 11:44:07 2017
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.10 2017/08/17 07:58:53 fhajny Exp $
+$NetBSD: distinfo,v 1.11 2017/09/06 11:44:07 fhajny Exp $
 
-SHA1 (vault-0.8.1.tar.gz) = 5c03b57bdae9148fbf15a7ab3b3a7aff6456a2ba
-RMD160 (vault-0.8.1.tar.gz) = 16c31bd2607d9eed9be54c8c40bc312cb960098f
-SHA512 (vault-0.8.1.tar.gz) = d1400a203dc61d76ffb710388913b45cd5287e1215f34d3fe8e85a36c24024b0eb882b8403f44c85c863658b035a9b7f2c19cb5599cdfd21e0a79788b8d1413a
-Size (vault-0.8.1.tar.gz) = 7263861 bytes
+SHA1 (vault-0.8.2.tar.gz) = 7f313e711b4e0331b933dfa61fbbfc2b807abc5a
+RMD160 (vault-0.8.2.tar.gz) = 88f1b6d8530beb4ec3a9fbdbc138bd6f2931c93a
+SHA512 (vault-0.8.2.tar.gz) = 279056211aefbab09b6533ce5b0fea355511a84c3f21cbbae0fa08b0affd2254fcd0a9479a317d07e9b99c5a2bd6d8c9caa5c32f14f73b21d8c4be3f24345669
+Size (vault-0.8.2.tar.gz) = 7293367 bytes

Prev by Date: CVS commit: pkgsrc/print
Next by Date: CVS commit: pkgsrc/doc
Previous by Thread: CVS commit: pkgsrc/print
Next by Thread: CVS commit: pkgsrc/doc
Indexes:

Home | Main Index | Thread Index | Old Index