Hi folks,
The Vault team is announcing the release of 1.15.4, as well as Vault 1.14.8 and 1.13.12.
There is important security content in these releases; see the SECURITY section of the Changelog at [5] for details. Upgrading is strongly recommended.
Community Edition binaries can be downloaded at [1, 2, 3]. Enterprise binaries are available to customers as well.
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu...@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [4].
The major security fix in the release is:
Request handling: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. (see CVE-2023-6337 & HCSEC-2023-34)
Other major features and improvements in the release include:
Identity: Fixes an issue causing problems resolving duplicate entities on performance replica clusters.
See the Changelog at [5] for the full list of improvements and bug fixes.
See the Feature Deprecation Notice and Plans page [10] for our upcoming feature deprecation plans.
Community [8] and Enterprise [9] Docker images will be available soon.
---
Upgrading
See [6] for general upgrade instructions and [7] for upgrade instructions and known issues.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [11].
We hope you enjoy Vault 1.15.4!
Sincerely, The Vault Team
[1] https://releases.hashicorp.com/vault/1.15.4
[2] https://releases.hashicorp.com/vault/1.14.8
[3] https://releases.hashicorp.com/vault/1.13.12
[4] https://www.hashicorp.com/security
[5] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md
[6] https://developer.hashicorp.com/vault/docs/upgrading
[7] https://developer.hashicorp.com/vault/docs/release-notes/1.15.0
[8] https://hub.docker.com/r/hashicorp/vault
[9] https://hub.docker.com/r/hashicorp/vault-enterprise
[10] https://developer.hashicorp.com/vault/docs/deprecation
[11] https://discuss.hashicorp.com/c/vault