Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): bump github.com/hashicorp/vault from 1.17.6 to 1.18.0 #668

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): bump github.com/hashicorp/vault from 1.17.6 to 1.18.0 #668

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 10, 2024

Bumps github.com/hashicorp/vault from 1.17.6 to 1.18.0.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.18.0

CHANGES:

  • activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
  • activity (enterprise): remove deprecated fields distinct_entities and non_entity_tokens [GH-27830]
  • activity log: Deprecated the field "default_report_months". Instead, the billing start time will be used to determine the start time when querying the activity log endpoints. [GH-27350]
  • activity log: Deprecates the current_billing_period field for /sys/internal/counters/activity. The default start time will automatically be set the billing period start date. [GH-27426]
  • activity: The activity export API now requires the sudo ACL capability. [GH-27846]
  • activity: The activity export API now responds with a status of 204 instead 400 when no data exists within the time range specified by start_time and end_time. [GH-28064]
  • activity: The startTime will be set to the start of the current billing period by default. The endTime will be set to the end of the current month. This applies to /sys/internal/counters/activity, /sys/internal/counters/activity/export, and the vault operator usage command that utilizes /sys/internal/counters/activity. [GH-27379]
  • api: Update backoff/v3 to backoff/v4.3.0 [GH-26868]
  • auth/alicloud: Update plugin to v0.19.0 [GH-28263]
  • auth/azure: Update plugin to v0.19.0 [GH-28294]
  • auth/cf: Update plugin to v0.18.0 [GH-27724]
  • auth/cf: Update plugin to v0.19.0 [GH-28266]
  • auth/gcp: Update plugin to v0.19.0 [GH-28366]
  • auth/jwt: Update plugin to v0.21.0 [GH-27498]
  • auth/jwt: Update plugin to v0.22.0 [GH-28349]
  • auth/kerberos: Update plugin to v0.13.0 [GH-28264]
  • auth/kubernetes: Update plugin to v0.20.0 [GH-28289]
  • auth/oci: Update plugin to v0.17.0 [GH-28307]
  • cli: The undocumented -dev-three-node and -dev-four-cluster CLI options have been removed. [GH-27578]
  • consul-template: updated to version 0.39.1 [GH-27799]
  • core(enterprise): Updated the following two control group related errors responses to respond with response code 400 instead of 500: control group: could not find token, and control group: token is not a valid control group token.
  • core: Bump Go version to 1.22.7
  • database/couchbase: Update plugin to v0.12.0 [GH-28327]
  • database/elasticsearch: Update plugin to v0.16.0 [GH-28277]
  • database/mongodbatlas: Update plugin to v0.13.0 [GH-28268]
  • database/redis-elasticache: Update plugin to v0.5.0 [GH-28293]
  • database/redis: Update plugin to v0.4.0 [GH-28404]
  • database/snowflake: Update plugin to v0.12.0 [GH-28275]
  • sdk: Upgrade to go-secure-stdlib/plugincontainer@v0.4.0, which also bumps github.com/docker/docker to v26.1.5+incompatible [GH-28269]
  • secrets/ad: Update plugin to v0.19.0 [GH-28361]
  • secrets/alicloud: Update plugin to v0.18.0 [GH-28271]
  • secrets/azure: Update plugin to v0.19.2 [GH-27652]
  • secrets/azure: Update plugin to v0.20.0 [GH-28267]
  • secrets/gcp: Update plugin to v0.20.0 [GH-28324]
  • secrets/gcpkms: Update plugin to v0.18.0 [GH-28300]
  • secrets/gcpkms: Update plugin to v0.19.0 [GH-28360]
  • secrets/kubernetes: Update plugin to v0.9.0 [GH-28287]
  • secrets/kv: Update plugin to v0.20.0 [GH-28334]
  • secrets/mongodbatlas: Update plugin to v0.13.0 [GH-28348]
  • secrets/openldap: Update plugin to v0.14.0 [GH-28325]
  • secrets/ssh: Add a flag, allow_empty_principals to allow keys or certs to apply to any user/principal. [GH-28466]
  • secrets/terraform: Update plugin to v0.10.0 [GH-28312]
  • secrets/terraform: Update plugin to v0.9.0 [GH-28016]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.18.0

October 9, 2024

SECURITY:

  • secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) HCSEC-2024-21

CHANGES:

  • activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
  • activity (enterprise): remove deprecated fields distinct_entities and non_entity_tokens [GH-27830]
  • activity log: Deprecated the field "default_report_months". Instead, the billing start time will be used to determine the start time when querying the activity log endpoints. [GH-27350]
  • activity log: Deprecates the current_billing_period field for /sys/internal/counters/activity. The default start time will automatically be set the billing period start date. [GH-27426]
  • activity: The activity export API now requires the sudo ACL capability. [GH-27846]
  • activity: The activity export API now responds with a status of 204 instead 400 when no data exists within the time range specified by start_time and end_time. [GH-28064]
  • activity: The startTime will be set to the start of the current billing period by default. The endTime will be set to the end of the current month. This applies to /sys/internal/counters/activity, /sys/internal/counters/activity/export, and the vault operator usage command that utilizes /sys/internal/counters/activity. [GH-27379]
  • api: Update backoff/v3 to backoff/v4.3.0 [GH-26868]
  • auth/alicloud: Update plugin to v0.19.0 [GH-28263]
  • auth/azure: Update plugin to v0.19.0 [GH-28294]
  • auth/cf: Update plugin to v0.18.0 [GH-27724]
  • auth/cf: Update plugin to v0.19.0 [GH-28266]
  • auth/gcp: Update plugin to v0.19.0 [GH-28366]
  • auth/jwt: Update plugin to v0.21.0 [GH-27498]
  • auth/jwt: Update plugin to v0.22.0 [GH-28349]
  • auth/kerberos: Update plugin to v0.13.0 [GH-28264]
  • auth/kubernetes: Update plugin to v0.20.0 [GH-28289]
  • auth/oci: Update plugin to v0.17.0 [GH-28307]
  • cli: The undocumented -dev-three-node and -dev-four-cluster CLI options have been removed. [GH-27578]
  • consul-template: updated to version 0.39.1 [GH-27799]
  • core(enterprise): Updated the following two control group related errors responses to respond with response code 400 instead of 500: control group: could not find token, and control group: token is not a valid control group token.
  • core: Bump Go version to 1.22.7
  • database/couchbase: Update plugin to v0.12.0 [GH-28327]
  • database/elasticsearch: Update plugin to v0.16.0 [GH-28277]
  • database/mongodbatlas: Update plugin to v0.13.0 [GH-28268]
  • database/redis-elasticache: Update plugin to v0.5.0 [GH-28293]
  • database/redis: Update plugin to v0.4.0 [GH-28404]
  • database/snowflake: Update plugin to v0.12.0 [GH-28275]
  • sdk: Upgrade to go-secure-stdlib/plugincontainer@v0.4.0, which also bumps github.com/docker/docker to v26.1.5+incompatible [GH-28269]
  • secrets/ad: Update plugin to v0.19.0 [GH-28361]
  • secrets/alicloud: Update plugin to v0.18.0 [GH-28271]
  • secrets/azure: Update plugin to v0.19.2 [GH-27652]
  • secrets/azure: Update plugin to v0.20.0 [GH-28267]
  • secrets/gcp: Update plugin to v0.20.0 [GH-28324]
  • secrets/gcpkms: Update plugin to v0.18.0 [GH-28300]
  • secrets/gcpkms: Update plugin to v0.19.0 [GH-28360]
  • secrets/kubernetes: Update plugin to v0.9.0 [GH-28287]

... (truncated)

Commits
  • 77f26ba [VAULT-31571] This is an automated pull request to build all artifacts for a ...
  • 3d01c8a containerize: use latest docker action (#28612)
  • 552b7c7 VAULT-31402: Add verification for all container images (#28605) (#28610)
  • 92ad805 backport of commit bae00721d2a07299f50cdbaf3dc5348d26cc92a3 (#28602)
  • 5edfee5 backport of commit 6a145af82a5b0e3c64ab659d99c14d165e647af8 (#28599)
  • 3c48f23 backport of commit 1eaca82bbd7ab52cb10b4b1b7f8fd3f8f46a7638 (#28588)
  • 6eb4053 backport of commit c7b029eb01d4839b0c8d1460f3f993d75fd3478a (#28595)
  • 7739a6e backport of commit 287f5606b02a7099bbf246e9d76990f16551bc5c (#28591)
  • e00633a backport of commit e8a432c4f881eb401368ee350161aa9e2b916b57 (#28584)
  • e1a0787 backport of commit baf794b6218e4c1490b97438f16eff06db3b69d3 (#28582)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump github.com/hashicorp/vault from 1.17.6 to 1.18.0
cb4488d 
Bumps [github.com/hashicorp/vault](https://github.com/hashicorp/vault) from 1.17.6 to 1.18.0.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v1.17.6...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot requested a review from werne2j as a code owner October 10, 2024 22:21
@dependabot dependabot bot added the dependencies Updating dependencies label Oct 10, 2024
@dependabot dependabot bot requested a review from jkayani as a code owner October 10, 2024 22:21
@dependabot dependabot bot added the go Pull requests that update Go code label Oct 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@werne2j werne2j Awaiting requested review from werne2j werne2j is a code owner

@jkayani jkayani Awaiting requested review from jkayani jkayani is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
dependencies Updating dependencies go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants