[ANN] Vault 1.5.3, 1.4.6, 1.3.10, and 1.2.7 Released

[Meggie Ladlow]

Hi everyone!

The Vault team is announcing the releases of 1.5.3, 1.4.6, 1.3.10, and 1.2.7.

Open-source binaries can be downloaded at [1,11,12,13]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu...@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

The fixes and improvements in this release are enumerated below.

• AWS IAM Header Handling: We’ve made STS header handling more fault-tolerant.
• SSH Secret Engine Signing Fix: We’ve fixed a bug that prevented signing with non-RSA keys. This fix applies to 1.4.6 and 1.5.3. The bug is not present in 1.3 and 1.2.
• Fully Open Source Dependencies: We made last week’s releases from some private repositories due to the nature of the security vulnerabilities. While the SHA of the binary matched the git tag SHA, it meant that the tags could not be built by those without access to the private repositories. With this set of releases, all of the dependencies are now OSS, and the git tags will be buildable. 

See the Changelog at [3,8,9,10] for the full list of improvements and bug fixes.

OSS [5] and Enterprise [6] Docker images will be available soon.

---

Upgrading

See [4] for general upgrade instructions.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [7].

Sincerely, The Vault Team

[1] https://releases.hashicorp.com/vault/1.5.3/

[2] https://www.hashicorp.com/security

[3] https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#153

[4] https://www.vaultproject.io/docs/upgrading

[5] https://hub.docker.com/_/vault

[6] https://hub.docker.com/r/hashicorp/vault-enterprise

[7] https://discuss.hashicorp.com/c/vault

[8] https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#146

[9] https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#1310

[10] https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#127

[11] https://releases.hashicorp.com/vault/1.4.6/

[12] https://releases.hashicorp.com/vault/1.3.10/

[13] https://releases.hashicorp.com/vault/1.2.7/

[James Page]

On Fri, Aug 28, 2020 at 12:03 AM 'Meggie Ladlow' via Vault <vault...@googlegroups.com> wrote:

Hi everyone!

The Vault team is announcing the releases of 1.5.3, 1.4.6, 1.3.10, and 1.2.7.

Please could the release tags be pushed to the github.com repository as we build vault using git tags.

 

--
On September 15 at 5pm EDT, inbound messages to this group will be disabled, and it will be used for outbound announcements only. To prepare for this switch, please direct questions and conversations to our primary medium to communicate with practitioners: https://discuss.hashicorp.com/c/vault/30. We look forward to collaborating with you there!
 
GitHub Issues: https://github.com/hashicorp/vault/issues
 
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/324a3782-8094-4239-8212-b86e9def0a38n%40googlegroups.com.