[ANN] Vault 0.10.3 released


Jeff Mitchell

June 20, 2018, 11:47:36 AM
To: Vault, hashicorp...@googlegroups.com
Hello,

The Vault team has released HashiCorp Vault 0.10.3.

Open-source binaries can be downloaded at [1]. Enterprise binaries are available to customers now. Docker images will be submitted for building soon.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu...@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].

Note: there are a few minor behavioral changes, most notably that (like all other auth methods) successful authentications using the 'ldap', 'okta', and 'radius' auth methods will produce a token even if no policies have been specifically configured for that user, which ensures that these users will properly get a token with the 'default' policy. See the Changelog for more information.

In addition to a number of improvements and bug fixes, this version addresses a few regressions in 0.10.2:

* AppRole roles using only CIDRs and not Secret-IDs would panic during login
* Security fixes in 0.10.2 led to a request processing slowdown

Additionally, there are several notable new features:

* Active Directory Secrets Engine Root Rotation: The AD secrets engine now contains an endpoint that allows the initially-configured account credentials to be rotated by Vault. Triggering this after submitting configuration ensures that only Vault knows its own credentials.
* URI SANs in PKI: You can now encode URI SANs into issued certificates, and restrict allowed values via a glob-supporting list.
* Token CIDR binding for AppRole: AppRole now lets you specify CIDRs to bind generated tokens to, which can be distinct from the CIDRs that Secret-IDs are bound to.
* KV rollback command: There is now a `vault kv rollback` command that makes it easier to restore a previous version of a secret in KV v2, and uses check-and-set to ensure that it happens atomically.

See the Changelog at [3] for the full list.

One last thing: if you love Vault, consider voting to help it win the OSCON 2018 Breakout Project of the Year. See https://www.oreilly.com/ideas/vote-for-the-oscon-2018-open-source-awards

---

Upgrading

See [4] for general upgrade instructions.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault mailing list.

We hope you enjoy Vault 0.10.3!

Sincerely,
The Vault Team
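
The check-and-set guard mentioned for the `vault kv rollback` feature above, as an added example that is not part of the original announcement and is not Vault's own code. It is a small in-memory Python model; the class `KVv2Model`, the `rollback` helper and the sample secrets are hypothetical and constructed for illustration.

```python
class CASMismatch(Exception):
    """The caller's expected version is no longer the current one."""

class KVv2Model:
    """In-memory model of one versioned secret (hypothetical, not Vault code)."""

    def __init__(self):
        self.versions = []  # versions[i] holds the data of version i + 1

    @property
    def current(self):
        return len(self.versions)

    def read(self, version=None):
        v = self.current if version is None else version
        if not 1 <= v <= self.current:
            raise KeyError(f"no version {v}")
        return v, dict(self.versions[v - 1])

    def write(self, data, cas=None):
        # With cas set, the write lands only if cas equals the current version.
        if cas is not None and cas != self.current:
            raise CASMismatch(f"cas={cas}, current={self.current}")
        self.versions.append(dict(data))
        return self.current

def rollback(store, version, before_write=None):
    """Restore `version` as a new latest version, guarded by check-and-set."""
    current, _ = store.read()
    _, old = store.read(version)
    if before_write:
        before_write()  # hook used below to simulate a concurrent writer
    return store.write(old, cas=current)

def demo():
    store = KVv2Model()
    store.write({"password": "constructed-v1"})
    store.write({"password": "constructed-v2"})
    restored = rollback(store, 1)  # no contention: version 1 becomes version 3
    try:
        # Another client writes version 4 between rollback's read and its write.
        rollback(store, 2, lambda: store.write({"password": "constructed-racer"}))
        raced = "applied"
    except CASMismatch:
        raced = "rejected"  # the racer's write is kept, not silently overwritten
    return restored, raced, store.read()

if __name__ == "__main__":
    print(demo())
```

Without the `cas` argument the second rollback would land on top of the concurrent write, and the operator would have no signal that a newer secret had been superseded.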

