diff --git a/website/content/docs/updates/change-tracker.mdx b/website/content/docs/updates/change-tracker.mdx new file mode 100644 index 000000000000..d21102bc413c --- /dev/null +++ b/website/content/docs/updates/change-tracker.mdx @@ -0,0 +1,31 @@ +--- +layout: docs +page_title: Change tracker +description: >- + History of important upgrade changes for Vault updateds +--- + +# Vault change tracker + +Summary tables of important changes that may affect your ability to upgrade +Vault. + +## Changes for 1.20.x + +@include 'release-notes/change-summary/1_20.mdx' + +## Changes for 1.19.x + +@include 'release-notes/change-summary/1_19.mdx' + +## Changes for 1.18.x + +@include 'release-notes/change-summary/1_18.mdx' + +## Changes for 1.17.x + +@include 'release-notes/change-summary/1_17.mdx' + +## Changes for 1.16.x + +@include 'release-notes/change-summary/1_16.mdx' \ No newline at end of file diff --git a/website/content/docs/updates/important-changes.mdx b/website/content/docs/updates/important-changes.mdx index 8750d9c6ee15..74bdb6e54ddd 100644 --- a/website/content/docs/updates/important-changes.mdx +++ b/website/content/docs/updates/important-changes.mdx @@ -15,9 +15,17 @@ valid_change_types: >- # Important changes +**Last updated**: 2025-06-05 + Always review important or breaking changes and remediation recommendations before upgrading Vault. +## New behavior + +None. + +## Breaking changes + ## Breaking configuration change for disable_mlock ((#disable_mlock-config)) | Change | Affected version | Affected deployments 
@@ -83,88 +91,17 @@ the 10 minute window do not require a nonce and succeed as expected. To cancel a rekey operation, provide the nonce value from the `/sys/rekey/init` or `sys/rekey-recovery-key/init` response. -## Transit support for Ed25519ph and Ed25519ctx signatures ((#ed25519)) - -| Change | Affected version | Affected deployments -| ------------ | ---------------- | -------------------- -| New behavior | 1.19.0 | Transit plugins using Ed25519 keys - -Prior versions of sign and verify API endpoints backed by an Ed25519 key ignored -`prehashed=true` or `hash_algorithm=sha2-512` parameters. As a result, the -endpoint always returned or verified a Pure Ed25519 signature. - -The Transit plugin now assumes input hashed using the SHA-512 algorithm and -returns an Ed25519ph or Pure Ed25519 signature based on the configuration of -`prehashed` and `hash_algorithm` parameters: - -| Vault edition | `prehashed` | `hash_algorithm` | Return value -| ------------- | ---------- | --------------------------- | ------------ -| Enterprise | not set | not set | Pure Ed25519 -| Enterprise | false | any value other than sha2-512 | Pure Ed25519 -| Enterprise | false | sha2-512 | Error -| Enterprise | true | any value other than sha2-512 | Error -| Enterprise | true | sha2-512 | Ed25519ph -| CE | not set | not set | Pure Ed25519 -| CE | false | any value other than sha2-512 | Pure Ed25519 -| CE | false | sha2-512 | Error -| CE | true | any value other than sha2-512 | Error -| CE | true | sha2-512 | Error - - -## Identity system duplicate cleanup ((#dedupe)) - -| Change | Affected version | Affected deployments -| ------------ | ---------------- | -------------------- -| New behavior | 1.19.0 | any - -Vault 1.19.0 includes a feature flag that, when enabled, forces deduplication of -existing identities and forbids duplicate identities going forward. 
Once -activated, the deduplication feature corrects historical identity bugs with a -one-time deduplication process and restores Vault to secure, default behavior. - -Vault does not enforce deduplication until you activate the relevant feature -flag. - -### Recommendation - -Vault 1.19.0 also includes improved reporting in server logs to help diagnose -whether you have duplicate identities in your Vault instance. - -After upgrading, review your server logs for identity duplicate reporting. - -refer to the [resolve duplicate identities](/vault/docs/secrets/identity/deduplication) -guides to understand deduplication log messages, determine if you need to take -action, make the necessary updates, and ensure the forced deduplication process -resolves safely. - - -## LDAP user DN search with `upndomain` ((#ldap)) - -| Change | Affected version | Affected deployments -| -------- | ---------------- | -------------------- -| Breaking | 1.19.x | any - -Security improvements to -[`hashicorp/cap/ldap`](https://github.com/hashicorp/cap/tree/main/ldap) ensure -that user DN searches with `upndomain` configured return an error if the search -returns more than one result. - -### Recommendation - -In previous Vault versions, DN searches with `upndomain` configured returned the -last user found for searches with multiple results. Review and update any code -that performs DN searches to handle multi-result errors and/or revise the search -to ensure a single result. +## Bugs -Refer to [the Github PR](https://github.com/hashicorp/cap/pull/151) for more -details. +None. +## Known issues -## Duplicate unseal/seal wrap HSM keys ((#hsm-keys)) +### Duplicate unseal/seal wrap HSM keys ((#hsm-keys)) -| Change | Affected version | Affected deployments -| ----------- | ------------------------------ | -------------------- -| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | HSM-HA configurations migrating from Shamir to HSM-backed unseal/seal wraps. 
+| Change | Status | Affected version | Affected deployments +| ----------- | ------ | -------------------------------------- | -------------------- +| Known issue | Open | 1.20.x, 1.19.x, 1.18.x, 1.17.x, 1.16.x | HSM-HA configurations migrating from Shamir to HSM-backed unseal/seal wraps. Vault may create duplicate HSM keys when you migrate from Shamir to an HSM-backed unseal configuration for high availability (HA) HSM deployments. Key 
@@ -177,218 +114,7 @@ Duplicate HSM keys can cause the following errors: [seal-wrapped values](/vault/docs/enterprise/sealwrap#wrapped-parameters). - nodes fail to unseal after a restart with errors such as `CKR_DATA_INVALID`. -### Recommendation +#### Recommendation Always run Vault with `generate_key = false` and manually create all required keys within the HSM during the setup process. - - -## Anonymized cluster data returned with license utilization ((#anon-data)) - -| Change | Affected version | Affected deployments -| ------------ | ---------------- | -------------------- -| New behavior | 1.19.0 | any - -As of version 1.19.0 Vault Enterprise collects -[anonymous usage data](/vault/docs/enterprise/license/product-usage-reporting#anonymous-product-usage-reporting) -about the running Vault cluster and automatically sends the cluster usage data -along with the standard utilization data currently reported through automated -license reporting. - - -## RADIUS authentication is no longer case sensitive ((#case-sensitive)) - -| Change | Affected version | Affected deployments -| ------------ | ---------------- | -------------------- -| New behavior | 1.19.0 | any - -As of Vault 1.19.0 the RADIUS authentication plugin does not enforce case -sensitivity on entered credentials. - - -## Login/token renewal failures after group changes ((#group-writes)) - -| Change | Affected version | Affected deployments -| ----------- | ---------------- | -------------------- -| Known issue | 1.19.0 | any - -Performance standby nodes cannot persist updated group membership to storage. -As a result, standby nodes return a `500` error during login or token renewal if -the external group associated with the client entity changes. - -### Recommendation - -Direct all logins and token renewals to the active/primary node. 
-Or upgrade to Vault 1.19.3+ - - -## Strict validation for Azure auth login requests ((#strict-azure)) - -| Change | Affected version | Affected deployments -| ------------ | -------------------------------- | -------------------- -| New behavior | 1.19.1, 1.18.7, 1.17.14, 1.16.18 | any - -Azure auth plugin requires `resource_group_name`, `vm_name`, and `vmss_name` to match the JWT claims on login - -Vault versions before 1.19.1, 1.18.7, 1.17.14, and 1.16.18 did not strictly -validate the `resource_group_name`, `vm_name`, and `vmss_name` parameters -against their token claims for clients logging in with Azure authentication. - -### Recommendation - -Review the [Token validation](/vault/docs/auth/azure#token-validation) section -of the Azure authN plugin guide for more information on the new validation -requirements. - - -## Static LDAP role rotations on upgrade ((#ldap-static-role-rotations)) - -| Change | Affected version | Affected deployments -| ------------ | ---------------------------------------------------------------------- | -------------------- -| Known issue | 1.19.0 - 1.19.1, 1.18.5 - 1.18.7, 1.17.12 - 1.17.14, 1.16.16 - 1.16.18 | any - -Vault automatically rotates existing static roles tied to LDAP credentials once -when upgrading to an affected version. After the one-time rotation, the static -roles behave as expected. - -### Recommendation - -If you rely on LDAP static roles, upgrade to Vault 1.19.3+, 1.18.9+, 1.17.16+, -or 1.16.20+. - - -## Static DB role rotations on upgrade ((#db-static-role-rotations)) - -| Change | Affected version | Affected deployments -| ------------ | ----------------------------------------------------------------------- | -------------------- -| Known issue | 1.19.0 - 1.19.2, 1.18.5 - 1.18.8, 1.17.12 - 1.17.15, 1.16.16 - 1.16.19 | any - -Any database static role that was created prior to Vault 1.15.0 will be affected upon upgrading to the affected Vault versions. 
-Vault will automatically rotate static database credentials once, for all roles created prior to 1.15.0, when upgrading to affected versions. -After the one-time rotation, the static roles behave as expected. - -### Recommendation -Upgrade to 1.19.3+, 1.18.9+, 1.17.16, 1.16.20+ - - -## Vault log file missing subsystem logs ((#missing-logs)) - -| Change | Affected version | Affected deployments -| ------------ | -------------------------------- | -------------------- -| Bug | 1.16.0, 1.17.13, 1.18.6, 1.19.0 | any - -Log entries, including plugin logs, for Vault deployments using `log_file` do -not capture all relevant information even though the information appears as -expected in standard error and standard output. - -### Recommendation - -Upgrade to one of the following Vault versions: 1.16.18+, 1.17.14+, 1.18.7+, -1.19.1+ - - -## Automated rotation stops after unseal ((#rotation-stops)) - -| Change | Affected version | Affected deployments -| ------------ | ---------------- | -------------------- -| Bug | 1.19.0 - 1.19.2 | any - -After unsealing Vault, the rotation manager does not reinstate the rotation -queue. The stopped queue then causes automated root credential rotations to -stop. - -### Recommendation - -Update the root configuration on affected backends to recreate the rotation -schedule with the previous values. 
- - - - -```shell-session -$ vault write aws/config/root \ - rotation_schedule="" \ - rotation_window="" -``` - - - - -```shell-session -$ vault write gcp/config/root rotation_period="" -``` - - - - - -## Azure Auth fails to authenticate Uniform VMSS instances ((#azure-vmss)) - -| Change | Affected version | Affected deployments -| ------------ | -------------------------------------------------------------- | -------------------- -| Bug | 1.16.18-1.16.20, 1.17.14-1.17.16, 1.18.7-1.18.9, 1.19.1-1.19.3 | any - -A previous update to validate JWT claims against the provided VM, VMSS, and -resource group names without accounting for the uniform VMSS format introduced a -regression that causes Azure authentication from a uniform VMSS instance with a -user assigned managed identity on the VMSS to incorrectly return an error. - -### Recommendation - -Upgrade to one of the following Vault versions: 1.16.21+, 1.17.17+, 1.18.10+, -1.19.4+ - - -## External Vault Enterprise plugins can't run on a standby node when it becomes active ((#external-enterprise-plugins)) - -| Change | Affected version | Affected deployments -| ------------ | -------------------------------------------------------------- | -------------------- -| Bug | 1.16.17-1.16.20, 1.17.13-1.17.16, 1.18.6-1.18.9, 1.19.0-1.19.3 | any - -External Enterprise plugins can't run on a standby node when it becomes active -because standby nodes don't extract the artifact when the plugin -is registered. - -### Recommendation - -As a workaround, add the plugin `.zip` artifact on every node and register the plugin on the -active node. Then, extract the contents of the zip file on the follower nodes -similar to the following folder structure for -`vault-plugin-secrets-keymgmt_0.16.0+ent_darwin_arm64.zip`. 
- -``` -/vault-plugin-secrets-keymgmt_0.16.0+ent_darwin_arm64 -├── metadata.json -├── metadata.json.sig -└── vault-plugin-secrets-keymgmt -``` - -Alternatively, upgrade to one of the following Vault versions: 1.16.21+, 1.17.17+, -1.18.10+, 1.19.4+. See [Register external plugins](/vault/docs/plugins/register) -for more details. - -## AWS STS configuration can fail if STS endpoints are unspecified ((#aws-fallback-sts)) - -| Change | Affected version | Affected deployments -| ------ | ---------------- | -------------------- -| Bug | 1.19.0-1.19.3 | any - -When configuring an sts endpoint in the AWS Secrets engine, or when upgrading Vault with such an endpoint, -if no sts_endpoint is set, the engine will return an error stating that the number of endpoints and regions do not match: - -``` -{"errors":["number of regions does not match number of endpoints"]} -``` - -### Recommendation - -Explicitly set the default endpoint and region when configuring sts: - -``` -{ -... - sts_region = "us-east-1" - sts_endpoint = "https://sts.amazonaws.com" -... -} -``` diff --git a/website/content/docs/updates/release-notes.mdx b/website/content/docs/updates/release-notes.mdx index f59e4b051409..d17795998d7a 100644 --- a/website/content/docs/updates/release-notes.mdx +++ b/website/content/docs/updates/release-notes.mdx 
@@ -7,42 +7,11 @@ description: >- # Vault release notes -- **Version**: 1.19.x -- **GA date**: 2025-03-05 +- **Version**: 1.20.x +- **GA date**: TBD @include 'release-notes/intro.mdx' -## Previous releases - -- Vault 1.18.x [release notes](/vault/docs/v1.18.x/release-notes/1.18.0) and - [important changes](/vault/docs/v1.18.x/upgrading/upgrade-to-1.18.x) -- Vault 1.17.x [release notes](/vault/docs/v1.17.x/release-notes/1.17.0) and - [important changes](/vault/docs/v1.17.x/upgrading/upgrade-to-1.17.x) -- Vault 1.16.x [release notes](/vault/docs/v1.16.x/release-notes/1.16.1) and - [important changes](/vault/docs/v1.16.x/upgrading/upgrade-to-1.16.x) - -## Important changes - -| Change | Affected releases | Description -|---------------- | ------------------------------ | ----------- -| Support change | 1.16.x | 1.16.x moves to [long term support](/vault/docs/enterprise/lts) and 1.19 becomes the current LTS version. -| New behavior | 1.19.x | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/updates/important-changes#ed25519) -| New behavior | 1.19.x | [Identity system duplicate cleanup](/vault/docs/updates/important-changes##dedupe) -| Breaking change | 1.19.x | [Security improvement for LDAP user DN search with `upndomain`](/vault/docs/updates/important-changes#ldap) -| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Duplicate unseal/seal wrap HSM keys](/vault/docs/updates/important-changes##hsm-keys) -| New behavior | 1.19.x | [Anonymized cluster data returned with license utilization](/vault/docs/updates/important-changes#anon-data) -| New behavior | 1.19.x | [Uppercase values are no longer forced to lower case](/vault/docs/updates/important-changes#case-sensitive) -| Known issue | 1.19.x | [Login/token renewal failures after group changes](/vault/docs/updates/important-changes#group-writes) -| New behavior | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Strict validation for Azure auth login requests](/vault/docs/updates/important-changes#strict-azure) -| 
Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Unexpected LDAP static role rotations on upgrade](/vault/docs/updates/important-changes#ldap-static-role-rotations) -| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Unexpected DB static role rotations on upgrade](/vault/docs/updates/important-changes#db-static-role-rotations) -| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Vault log file missing subsystem logs](/vault/docs/updates/important-changes#missing-logs) -| Known issue | 1.19.x | [Automated rotation stops after unseal](/vault/docs/updates/important-changes#rotation-stops) -| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [Azure Auth fails to authenticate Uniform VMSS instances](/vault/docs/updates/important-changes#azure-vmss) -| Known issue | 1.19.x, 1.18.x, 1.17.x, 1.16.x | [External Vault Enterprise plugins can't run on a standby node when it becomes active](/vault/docs/updates/important-changes#external-enterprise-plugins) -| Known issue | 1.19.x | [AWS STS secrets can fail if STS endpoints are unspecified](/vault/docs/updates/important-changes#aws-fallback-sts) -| Breaking | 1.20.x | [`disable_mlock` required for integrated storage](/vault/docs/updates/important-changes#disable_mlock-config) - ## Feature deprecations and EOL Deprecated in 1.20.x | Retired in 1.20.x @@ -52,18 +21,14 @@ Deprecated in 1.20.x | Retired in 1.20.x @include 'release-notes/deprecation-note.mdx' -## Vault companion updates - -Companion updates are Vault updates that live outside the main Vault binary. - -**None**. +## Important changes +@include 'release-notes/change-summary/1_20.mdx' -## Community updates -Follow the learn more links for more information, or browse the list of -[Vault tutorials updated to highlight changes for the most recent GA release](/vault/tutorials/new-release). +## System management and operational updates +@include 'release-notes/section-notes/ops.mdx' @@ -78,26 +43,44 @@ Follow the learn more links for more information, or browse the list of - + + +
- Faster availability after restart + Pending GAPending - Identity loading on restart is up to 40% faster and Vault logs include new - diagnostic information to troubleshoot cluster slowness with the - `post_unseal_trace_directory` configuration setting. + Pending

- Learn more: `post_unseal_trace_directory` parameter details + Learn more: TDB
+ + +## Manage 3rd-party secrets + +@include 'release-notes/section-notes/ops.mdx' + + + + + + + + + + + + - + @@ -105,7 +88,9 @@ Follow the learn more links for more information, or browse the list of
ReleaseUpdateDescription
- Raft integrated storage + Pending ENHANCEDPending - Corrects a previous issue with Raft nodes generating stale data by - preventing stale nodes from servicing requests to the cluster. + Pending +

+ Learn more: TDB
-## Enterprise updates +## Manage certificates + +@include 'release-notes/section-notes/ops.mdx' @@ -115,146 +100,142 @@ Follow the learn more links for more information, or browse the list of + - + + +
Description
- Identity + Pending ENHANCEDPending - Opt-in resolution of accidental duplicates in the identity system with a - gated feature to force deduplication. + Pending

- Learn more: Find and resolve duplicate Vault identities + Learn more: TDB
+ + +## Manage identities and authentication + +@include 'release-notes/section-notes/identity.mdx' + + + + + + + + + + + + - + - - - - - + +
ReleaseUpdateDescription
- Autopilot + Pending ENHANCEDPending - Improved upgrade stability with better cluster leadership reconciliation. + Pending

- Learn more: Autopilot overview + Learn more: TDB
- Database support - ENHANCED - Onboard static database accounts without immediate rotation, precise - timing, or coordinating with maintenance windows. -

- Learn more: Onboarding static DB users -
- - - Events - - ENHANCED - - Vault now sends event notifications to subscribers on all Vault nodes - within a cluster. - - - - ENHANCED - - Notification subscriptions for secret deletion no longer requires a root - token. - - - - - Plugin support - - ENHANCED - - Run Vault Enterprise plugins external to Vault. Running plugins externally - is useful in deployments when the plugin requires different environment - variable values than the Vault binary. - - +## Manage static secrets - - - Automated root credential rotation - - GA - - Use a rotation manager to regularly rotate credentials for - AWS ( - secrets, -   - authN - ), - Azure ( - secrets, -   - authN - ), - GCP ( - secrets, -   - authN - ), - LDAP ( - secrets, -   - authN - ), - and DB plugins -   - without manual intervention. - - +@include 'release-notes/section-notes/static-secrets.mdx' + + + + + + + + + + + - + + +
ReleaseUpdateDescription
- AWS plugin + Pending ENHANCEDPending - Vault now supports AWS static role credentials for multiple AWS accounts - with a single mount path to better manage AWS credentials at scale. + Pending

- Learn more: STS AssumeRole + Learn more: TDB
+ + +## Secure sensitive data + +@include 'release-notes/section-notes/sensitive-data.mdx' + + + + + + + + + + + + - + + +
ReleaseUpdateDescription
- GUI support for WIF plugin configuration + Pending GAPending - Use the Vault GUI to enable and configure WIF with -  AWS, -  Azure, and -  GCP + Pending +

+ Learn more: TDB
+ + +## Support regulatory compliance + +@include 'release-notes/section-notes/compliance.mdx' + + + + + + + + + + + + - + diff --git a/website/content/partials/release-notes/change-summary/1_16.mdx b/website/content/partials/release-notes/change-summary/1_16.mdx new file mode 100644 index 000000000000..f0ae98f299ca --- /dev/null +++ b/website/content/partials/release-notes/change-summary/1_16.mdx 
@@ -0,0 +1,36 @@ +Change | Found | Fixed | Recs | Edition | Issue +--------------- | ------- |-------- | ------- | ---------- | ----- +Breaking change | 1.16.0 | N/A | **Yes** | All | [Docker image no longer contains curl](/vault/docs/v1.16.x/updates/important-changes#docker-image-no-longer-contains-curl) +New behavior | 1.16.0 | N/A | No | Enterprise | [Activity log changes](/vault/docs/v1.16.x/updates/important-changes#activity-log-changes) +New behavior | 1.16.0 | N/A | No | All | [Auto-rolled billing start date](/vault/docs/v1.16.x/updates/important-changes#auto-rolled-billing-start-date) +New behavior | 1.16.0 | N/A | **Yes** | All | [Default lease count quota enabled when upgrading from Vault versions before 1.9](/vault/docs/v1.16.x/updates/important-changes#default-lease-count-quota-enabled-when-upgrading-from-vault-versions-before-1-9) +New behavior | 1.16.0 | N/A | **Yes** | All | [External plugin variables take precedence over system variables](/vault/docs/v1.16.x/updates/important-changes#external-plugin-variables-take-precedence-over-system-variables) +New behavior | 1.16.0 | N/A | **Yes** | All | [LDAP auth login changes](/vault/docs/v1.16.x/updates/important-changes#ldap-auth-entity-alias-names-no-longer-include-upndomain) +New behavior | 1.16.0 | N/A | **Yes** | All | [Product usage reporting](/vault/docs/v1.16.x/updates/important-changes#product-usage-reporting) +New behavior | 1.16.0 | N/A | **Yes** | All | [Secrets Sync cannot be activated from chroot namespace](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-cannot-be-activated-from-chroot-namespace) +New behavior | 1.16.0 | N/A | No | Enterprise | [Secrets Sync now requires setting a one-time flag before use](/vault/docs/v1.16.x/updates/important-changes#secrets-sync-now-requires-setting-a-one-time-flag-before-use) +New behavior | 1.16.18 | N/A | No | All | [Strict validation for Azure auth login requests](/vault/docs/v1.16.x/updates/important-changes#strict-azure) +Bug | 1.16.0 | 
1.16.18 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.16.x/updates/important-changes#vault-log-file-missing-subsystem-logs) +Bug | 1.16.17 | 1.16.21 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.16.x/updates/important-changes#external-ent-plugins) +Bug | 1.16.18 | 1.16.21 | Upgrade | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.16.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances) +Known issue | 1.16.0 | 1.16.3 | **Yes** | All | [Azure secrets engine role creation failing](/vault/docs/v1.16.x/updates/important-changes#azure-secrets-engine-role-creation-failing) +Known issue | 1.16.0 | 1.16.3 | **Yes** | All | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/v1.16.x/updates/important-changes#secret-sync-flag) +Known issue | 1.16.0 | No | **Yes** | Enterprise | [Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster](/vault/docs/v1.16.x/updates/important-changes#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster) +Known issue | 1.16.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.16.x/updates/important-changes#hsm-keys) +Known issue | 1.16.0 | 1.16.1 | Upgrade | All | [Error logging in with LDAP auth method](/vault/docs/v1.16.x/updates/important-changes#error-logging-in-with-ldap-auth-method) +Known issue | 1.16.0 | 1.16.1 | Upgrade | All | [Error logging in with LDAP auth method when anonymous group search is enabled](/vault/docs/v1.16.x/updates/important-changes#error-logging-in-with-ldap-auth-method-when-anonymous-group-search-is-enabled) +Known issue | 1.16.0 | No | **Yes** | All | [Existing clusters do not show the current Vault version in UI by 
default](/vault/docs/v1.16.x/updates/important-changes#existing-clusters-do-not-show-the-current-vault-version-in-ui-by-default) +Known issue | 1.16.0 | No | **Yes** | Enterprise | [Manual entity merges sent to a PR secondary cluster are not persisted to storage](/vault/docs/v1.16.x/updates/important-changes#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage) +Known issue | 1.16.0 | 1.16.4 | **Yes** | All | [New nodes added by autopilot upgrades provisioned with the wrong version](/vault/docs/v1.16.x/updates/important-changes#new-nodes-added-by-autopilot-upgrades-provisioned-with-the-wrong-version) +Known issue | 1.16.0 | 1.16.3 | **Yes** | Enterprise | [Performance Standbys revert to Standby mode on unseal](/vault/docs/v1.16.x/updates/important-changes#performance-standbys-revert-to-standby-mode-on-unseal) +Known issue | 1.16.0 | No | **Yes** | All | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/v1.16.x/updates/important-changes#pki-ocsp-get-requests-can-return-http-redirect-responses) +Known issue | 1.16.0 | 1.16.6 | **Yes** | Enterprise | [Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener](/vault/docs/v1.16.x/updates/important-changes#potential-dos-when-using-the-deny_unauthorized-proxy-protocol-behavior-for-a-tcp-listener) +Known issue | 1.16.0 | No | **Yes** | All | [Sending SIGHUP to vault standby node causes panic](/vault/docs/v1.16.x/updates/important-changes#sending-sighup-to-vault-standby-node-causes-panic) +Known issue | 1.16.0 | No | Upgrade | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.16.x/updates/important-changes#database-and-ldap-secrets-engine-unwanted-secret-rotation-on-backend-restart) +Known issue | 1.16.1 | 1.16.2 | **Yes** | All | [Error configuring the JWT auth method](/vault/docs/v1.16.x/updates/important-changes#error-configuring-the-jwt-auth-method) +Known issue | 1.16.16 | No | No | All | [Authorization 
failure with Azure federated identity credentials](/vault/docs/v1.16.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials) +Known issue | 1.16.16 | 1.16.20 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#database-static-role-rotations-on-upgrade) +Known issue | 1.16.16 | 1.16.20 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.16.x/updates/important-changes#ldap-static-role-rotations-on-upgrade) +Known issue | 1.16.3 | 1.16.6 | **Yes** | All | [JWT auth login requires bound audiences on the role](/vault/docs/v1.16.x/updates/important-changes#jwt-auth-login-requires-bound-audiences-on-the-role) +Known issue | 1.16.3 | 1.16.7 | Upgrade | Enterprise | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/v1.16.x/updates/important-changes#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes) +Known issue | 1.16.7 | 1.16.9 | Upgrade | All | [Client tokens and token accessors audited in plaintext](/vault/docs/v1.16.x/updates/important-changes#client-tokens-and-token-accessors-audited-in-plaintext) \ No newline at end of file diff --git a/website/content/partials/release-notes/change-summary/1_17.mdx b/website/content/partials/release-notes/change-summary/1_17.mdx new file mode 100644 index 000000000000..80f4d9c8e644 --- /dev/null +++ b/website/content/partials/release-notes/change-summary/1_17.mdx 
@@ -0,0 +1,29 @@ +Change | Found | Fixed | Recs | Edition | Issue +--------------- | ------- |-------- | ------- | ---------- | ----- +Beta deprecated | 1.17.0 | N/A | No | All | [Request limiter deprecated](/vault/docs/v1.17.x/updates/important-changes#request-limiter) +Opt out feature | 1.17.0 | N/A | **Yes** | All | [PKI sign-intermediate now truncates `notAfter` field to signing issuer](/vault/docs/v1.17.x/updates/important-changes#pki-truncate) +New behavior | 1.17.0 | N/A | No | All | [Allowed audit headers now have unremovable defaults](/vault/docs/v1.17.x/updates/important-changes#audit-headers) +New behavior | 1.17.0 | N/A | **Yes** | All | [JWT auth login requires `bound_audiences` parameter on role](/vault/docs/v1.17.x/updates/important-changes#jwt-auth-login-requires-bound-audiences-on-the-role) +New behavior | 1.17.14 | N/A | No | All | [Strict validation for Azure auth login requests](/vault/docs/v1.17.x/updates/important-changes#strict-azure) +New behavior | 1.17.3 | N/A | **Yes** | All | [Secrets Sync SSRF Protection May Block Private Endpoints](/vault/docs/v1.17.x/updates/important-changes#secrets-sync-ssrf-protection-may-block-private-endpoints) +New behavior | 1.17.9 | N/A | No | All | [Default report months deprecated for `sys/internal/counters`](/vault/docs/v1.17.x/updates/important-changes#activity-log-changes) +New behavior | 1.17.9 | N/A | **Yes** | All | [Vault product usage metrics reporting](/vault/docs/v1.17.x/updates/important-changes#product-usage-reporting) +Bug | 1.17.0 | 1.17.17 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.17.x/updates/important-changes#external-ent-plugins) +Bug | 1.17.0 | 1.17.14 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.17.x/updates/important-changes#vault-log-file-missing-subsystem-logs) +Bug | 1.17.14 | 1.17.17 | **Yes** | All | [Azure authN fails to authenticate Uniform VMSS 
instances](/vault/docs/v1.17.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances) +Known issue | 1.17.0 | 1.17.4 | **Yes** | All | [AWS Auth Role configuration requires an external_id](/vault/docs/v1.17.x/updates/important-changes#aws-auth-role-configuration-requires-an-external_id) +Known issue | 1.17.0 | 1.17.6 | **Yes** | All | [Cached activation flags for secrets sync on follower nodes are not updated](/vault/docs/v1.17.x/updates/important-changes#cached-activation-flags-for-secrets-sync-on-follower-nodes-are-not-updated) +Known issue | 1.17.0 | 1.17.5 | Upgrade | All | [Client tokens and token accessors audited in plaintext](/vault/docs/v1.17.x/updates/important-changes#client-tokens-and-token-accessors-audited-in-plaintext) +Known issue | 1.17.0 | 1.17.3 | Upgrade | All | [Deleting an entity-aliases does not remove it from the in-memory database on standby nodes](/vault/docs/v1.17.x/updates/important-changes#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes) +Known issue | 1.17.0 | No | **Yes** | Enterprise | [Duplicate identity groups created when concurrent requests sent to the primary and PR secondary cluster](/vault/docs/v1.17.x/updates/important-changes#duplicate-identity-groups-created-when-concurrent-requests-sent-to-the-primary-and-pr-secondary-cluster) +Known issue | 1.17.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.17.x/updates/important-changes#seal-seal-wrapped-duplicate-hsm-keys) +Known issue | 1.17.0 | 1.17.2 | Upgrade | Enterprise | [Input data on Transit Generate CMAC Response](/vault/docs/v1.17.x/updates/important-changes#input-data-on-transit-generate-cmac-response) +Known issue | 1.17.0 | No | **Yes** | Enterprise | [Manual entity merges sent to a PR secondary cluster are not persisted to storage](/vault/docs/v1.17.x/updates/important-changes#manual-entity-merges-sent-to-a-pr-secondary-cluster-are-not-persisted-to-storage) +Known issue 
| 1.17.0 | No | **Yes** | All | [PKI OCSP GET requests can return HTTP redirect responses](/vault/docs/v1.17.x/updates/important-changes#pki-ocsp) +Known issue | 1.17.0 | No | Upgrade | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.17.x/updates/important-changes#database-and-ldap-secrets-engine-unwanted-secret-rotation-on-backend-restart) +Known issue | 1.17.0 | 1.17.1 | Upgrade | All | [Vault Agent and Vault Proxy consume an excessive amount of CPU](/vault/docs/v1.17.x/updates/important-changes#vault-agent-and-vault-proxy-consume-an-excessive-amount-of-cpu) +Known issue | 1.17.0 | 1.17.3 | Upgrade | Enterprise | [Vault standby nodes not deleting removed entity-aliases from in-memory database](/vault/docs/v1.17.x/updates/important-changes#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes) +Known issue | 1.17.1 | 1.17.2 | **Yes** | All | [Potential DoS when using the deny_unauthorized proxy protocol behavior for a TCP listener](/vault/docs/v1.17.x/updates/important-changes#potential-dos-when-using-the-deny_unauthorized-proxy-protocol-behavior-for-a-tcp-listener) +Known issue | 1.17.12 | No | No | All | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.17.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials) +Known issue | 1.17.12 | 1.17.16 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.17.x/updates/important-changes#database-static-role-rotations-on-upgrade) +Known issue | 1.17.12 | 1.17.16 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.17.x/updates/important-changes#ldap-static-role-rotations-on-upgrade) \ No newline at end of file diff --git a/website/content/partials/release-notes/change-summary/1_18.mdx b/website/content/partials/release-notes/change-summary/1_18.mdx new file mode 100644 index 000000000000..4282c742f99e --- /dev/null 
+++ b/website/content/partials/release-notes/change-summary/1_18.mdx 
@@ -0,0 +1,15 @@ +Change | Found | Fixed | Recs | Edition | Issue +------------ | ------ |-------- | ------- | ---------- | ----- +Beta removed | 1.18.0 | N/A | No | All | [Request limiter removed](/vault/docs/v1.18.x/updates/important-changes#request-limiter-configuration-removal) +New behavior | 1.18.0 | N/A | No | All | [Activity log changes](/vault/docs/v1.18.x/updates/important-changes#default-activity-log-querying-period) +New behavior | 1.18.0 | N/A | **Yes** | All | [Docker image no longer contains curl](/vault/docs/v1.18.x/updates/important-changes#docker-image-no-longer-contains-curl) +New behavior | 1.18.2 | N/A | **Yes** | All | [Anonymous product usage metrics collection](/vault/docs/v1.18.x/updates/important-changes#product-usage-reporting) +New behavior | 1.18.7 | N/A | No | All | [Strict validation for Azure auth login requests](/vault/docs/v1.18.x/updates/important-changes#azure-auth-plugin-requires-resource_group_name-vm_name-and-vmss_name-to-match-the-jwt-claims-on-login) +Bug | 1.18.0 | 1.18.7 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.18.x/updates/important-changes#vault-log-file-missing-subsystem-logs) +Bug | 1.18.6 | 1.18.10 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.18.x/updates/important-changes#external-ent-plugins) +Bug | 1.18.7 | 1.18.10 | **Yes** | All | [Azure authN fails to authenticate Uniform VMSS instances](/vault/docs/v1.18.x/updates/important-changes#azure-auth-fails-to-authenticate-uniform-vmss-instances) +Known issue | 1.18.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.18.x/updates/important-changes#seal-seal-wrapped-duplicate-hsm-keys) +Known issue | 1.18.0 | 1.18.9 | **Yes** | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.18.x/updates/important-changes#database-and-ldap-secrets-engine-unwanted-secret-rotation-on-backend-restart) +Known issue | 1.18.5 | 
No | No | All | [Authorization failure with Azure federated identity credentials](/vault/docs/v1.18.x/updates/important-changes#authorization-failures-using-azure-federated-identity-credentials) +Known issue | 1.18.5 | 1.18.9 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#database-static-role-rotations-on-upgrade) +Known issue | 1.18.5 | 1.18.9 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.18.x/updates/important-changes#ldap-static-role-rotations-on-upgrade) diff --git a/website/content/partials/release-notes/change-summary/1_19.mdx b/website/content/partials/release-notes/change-summary/1_19.mdx new file mode 100644 index 000000000000..a4828a1c0539 --- /dev/null +++ b/website/content/partials/release-notes/change-summary/1_19.mdx 
@@ -0,0 +1,19 @@ +Change | Found | Fixed | Recs | Edition | Issue +--------------- | ------ |------- | ------- | ---------- | ----- +Support change | 1.19.0 | N/A | N/A | All | 1.16.x moves to [long term support](/vault/docs/enterprise/lts) and 1.19 becomes the current LTS version +Breaking change | 1.19.0 | N/A | **Yes** | All | [Security improvement for LDAP user DN search with upndomain](/vault/docs/v1.19.x/updates/important-changes#ldap) +New behavior | 1.19.0 | N/A | No | Enterprise | [Anonymized cluster data returned with license utilization](/vault/docs/v1.19.x/updates/important-changes#anon-data) +New behavior | 1.19.0 | N/A | **Yes** | All | [Identity system duplicate cleanup](/vault/docs/v1.19.x/updates/important-changes#dedupe) +New behavior | 1.19.0 | N/A | No | All | [RADIUS authentication is no longer case sensitive](/vault/docs/v1.19.x/updates/important-changes#case-sensitive) +New behavior | 1.19.0 | N/A | No | All | [Transit support for Ed25519ph and Ed25519ctx signatures](/vault/docs/v1.19.x/updates/important-changes#ed25519) +New behavior | 1.19.1 | N/A | **Yes** | All | [Strict validation for Azure auth login requests](/vault/docs/v1.19.x/updates/important-changes#strict-azure) +Bug | 1.19.0 | 1.19.3 | **Yes** | All | [Automated rotation stops after unseal](/vault/docs/v1.19.x/updates/important-changes#rotation-stops) +Bug | 1.19.0 | 1.19.4 | **Yes** | All | [AWS STS configuration can fail with unspecified STS endpoints](/vault/docs/v1.19.x/updates/important-changes#aws-fallback-sts) +Bug | 1.19.0 | 1.19.4 | **Yes** | Enterprise | [External Enterprise plugins cannot run on a standby node when it becomes active](/vault/docs/v1.19.x/updates/important-changes#external-ent-plugins) +Bug | 1.19.0 | 1.19.1 | Upgrade | All | [Vault log file missing subsystem logs](/vault/docs/v1.19.x/updates/important-changes#missing-logs) +Bug | 1.19.1 | 1.19.4 | **Yes** | All | [Azure authN fails to authenticate Uniform VMSS 
instances](/vault/docs/v1.19.x/updates/important-changes#azure-vmss) +Known issue | 1.19.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.19.x/updates/important-changes#hsm-keys) +Known issue | 1.19.0 | 1.19.3 | **Yes** | All | [Login/token renewal failures after group changes](/vault/docs/v1.19.x/updates/important-changes#group-writes) +Known issue | 1.19.0 | 1.19.3 | Upgrade | All | [Unexpected DB static role rotations on upgrade](/vault/docs/v1.19.x/updates/important-changes#db-static-role-rotations) +Known issue | 1.19.0 | 1.19.3 | Upgrade | All | [Unexpected LDAP static role rotations on upgrade](/vault/docs/v1.19.x/updates/important-changes#ldap-static-role-rotations) +Known issue | 1.19.0 | 1.19.3 | **Yes** | All | [Unwanted secret rotation for DB and LDAP roles on restart](/vault/docs/v1.19.x/updates/important-changes#secret-rotate-on-restart) \ No newline at end of file diff --git a/website/content/partials/release-notes/change-summary/1_20.mdx b/website/content/partials/release-notes/change-summary/1_20.mdx new file mode 100644 index 000000000000..ba1fe400389d --- /dev/null +++ b/website/content/partials/release-notes/change-summary/1_20.mdx @@ -0,0 +1,4 @@ +Change | Found | Fixed | Recs | Edition | Issue +--------------- | ------ |------- | ------- | ---------- | ----- +Breaking change | 1.20.0 | N/A | **Yes** | All | [`disable_mlock` required for integrated storage](/vault/docs/v1.20.x/updates/important-changes#disable_mlock-config) +Known issue | 1.20.0 | No | **Yes** | All | [Duplicate unseal/seal wrap HSM keys](/vault/docs/v1.20.x/updates/important-changes#hsm-keys) diff --git a/website/content/partials/release-notes/section-notes/3rd-party.mdx b/website/content/partials/release-notes/section-notes/3rd-party.mdx new file mode 100644 index 000000000000..501e1087f502 --- /dev/null +++ b/website/content/partials/release-notes/section-notes/3rd-party.mdx 
@@ -0,0 +1,4 @@ +Integrate Vault with the other elements of your development environment. +Generate and revoke on-demand credentials for database systems and cloud +providers like AWS, and control access to external information like encryption +keys and cloud credentials. \ No newline at end of file diff --git a/website/content/partials/release-notes/section-notes/certs.mdx b/website/content/partials/release-notes/section-notes/certs.mdx new file mode 100644 index 000000000000..5e737874314f --- /dev/null +++ b/website/content/partials/release-notes/section-notes/certs.mdx @@ -0,0 +1,2 @@ +Configure Vault to work with certificate authorities like KMIP and PKI to manage +certificate life cycles and authenticate clients. \ No newline at end of file diff --git a/website/content/partials/release-notes/section-notes/compliance.mdx b/website/content/partials/release-notes/section-notes/compliance.mdx new file mode 100644 index 000000000000..32e7a10cf61c --- /dev/null +++ b/website/content/partials/release-notes/section-notes/compliance.mdx @@ -0,0 +1,2 @@ +Configure Vault as part of an HSM solution, FIPS compliant architecture, or +PKCS11 authN workflow. \ No newline at end of file diff --git a/website/content/partials/release-notes/section-notes/identity.mdx b/website/content/partials/release-notes/section-notes/identity.mdx new file mode 100644 index 000000000000..56f1728fc260 --- /dev/null +++ b/website/content/partials/release-notes/section-notes/identity.mdx @@ -0,0 +1,3 @@ +Manage identities and control client access to sensitive information with +managed entities, identity tokens, OIDC workflows, and workload identity +federation (WIF). \ No newline at end of file diff --git a/website/content/partials/release-notes/section-notes/ops.mdx b/website/content/partials/release-notes/section-notes/ops.mdx new file mode 100644 index 000000000000..e69de29bb2d1 
diff --git a/website/content/partials/release-notes/section-notes/sensitive-data.mdx b/website/content/partials/release-notes/section-notes/sensitive-data.mdx new file mode 100644 index 000000000000..2daceed3ae65 --- /dev/null +++ b/website/content/partials/release-notes/section-notes/sensitive-data.mdx @@ -0,0 +1,2 @@ +Define custom parameters to encrypt or tokenize sensitive data in transit and at +rest without storing the data in Vault. \ No newline at end of file diff --git a/website/content/partials/release-notes/section-notes/static-secrets.mdx b/website/content/partials/release-notes/section-notes/static-secrets.mdx new file mode 100644 index 000000000000..aee1c892a8cf --- /dev/null +++ b/website/content/partials/release-notes/section-notes/static-secrets.mdx @@ -0,0 +1,3 @@ +Store and rotate arbitrary secrets in Vault with the Key/Value and Cubbyhole +plugins. Vault encrypts data before writing out to persistent storage so +accessing the raw storage is insufficient to access the information. \ No newline at end of file diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json index 363330f240da..e94d6229bebb 100644 --- a/website/data/docs-nav-data.json +++ b/website/data/docs-nav-data.json @@ -967,6 +967,10 @@ "title": "Deprecation notices", "path": "updates/deprecation" }, + { + "title": "Change tracker", + "path": "updates/change-tracker" + }, { "title": "Full changelog", "href": "https://raw.githubusercontent.com/hashicorp/vault/refs/heads/main/CHANGELOG.md"
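Review bot: Duplicate row in the 1_17.mdx table: "Deleting an entity-aliases does not remove it from the in-memory database on standby nodes" (Edition: All) and "Vault standby nodes not deleting removed entity-aliases from in-memory database" (Edition: Enterprise) carry the same Found/Fixed values (1.17.0/1.17.3) and both link to `#deleting-an-entity-aliases-does-not-remove-it-from-the-in-memory-database-on-standby-nodes`; keep one row and settle which edition it applies to. In the same table, "Unwanted secret rotation for DB and LDAP roles on restart" has Fixed `No` but Recs `Upgrade`, which contradicts itself (the 1.18 and 1.19 tables list this issue as fixed in 1.18.9 and 1.19.3 with Recs **Yes**); either record the fix version or change the recommendation.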
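Review bot: Inconsistent recommendation in 1_18.mdx: "Strict validation for Azure auth login requests" is listed with Recs `No` here, while the same change in 1_19.mdx (found in 1.19.1) carries Recs **Yes**; the recommendation should not depend on which version's table the reader opens. Also, "Authorization failure with Azure federated identity credentials" has Fixed `No` and Recs `No` in both the 1.17 and 1.18 tables; an open known issue with no recommendation reads as an omission, so if the linked entry gives a workaround, mark it **Yes**.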
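Review bot: Ambiguous wording in the 1_19.mdx "Support change" row: "1.16.x moves to long term support and 1.19 becomes the current LTS version" describes both releases as LTS in one sentence, so it is unclear what changes for 1.16.x; state the phase 1.16.x enters (for example its maintenance window) and that 1.19 becomes the active LTS release. The row also uses `N/A` in the Recs column where every other row uses `No`, **Yes** or `Upgrade`; pick one convention for "no action".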
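Review bot: Missing legend for the tables, visible in 1_20.mdx and the three tables before it: the header `Change | Found | Fixed | Recs | Edition | Issue` does not explain that `Recs` means "remediation recommended" or what **Yes**, `Upgrade`, `No` and `N/A` distinguish (whether `Upgrade` means the only remediation is upgrading to the Fixed version). Spell out the column heading or add a one-line key above the table in the page that includes these partials. Style: 1_17.mdx, 1_19.mdx and 1_20.mdx end with `\ No newline at end of file` while 1_18.mdx does not; add the trailing newline to the three partials for consistency.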
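Review bot: Factual slip in certs.mdx: "certificate authorities like KMIP and PKI" names KMIP as a CA, but KMIP is a key management protocol (Vault's KMIP plugin serves it); reword along the lines of "Configure the PKI and KMIP plugins to manage certificate life cycles and authenticate clients." In compliance.mdx, "PKCS11 authN workflow" is unclear because PKCS#11 is a cryptographic token interface rather than an authentication method; name the feature actually meant (HSM seal integration or the PKCS#11 provider) or drop the phrase. ops.mdx is added with blob `e69de29bb2d1`, that is, as an empty file; either give it the same one-sentence summary as the other section notes or leave it out of this change.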
ReleaseUpdateDescription
- PKI: Constrained CA support + Pending GAPending - Use the PKI plugin to instantiate intermediate CAs with customer defined - constraints (permitted URI , IPs, excluded DNS, etc.) and delegate PKI - administration. + Pending

- Learn more: PKI plugin API + Learn more: TDB
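Review bot: Placeholder shipped in place of a working reference: the "Learn more: PKI plugin API" link is replaced with "Learn more: TDB", which looks like a misspelling of "TBD", and the constrained-CA description ("Use the PKI plugin to instantiate intermediate CAs with customer defined constraints ... and delegate PKI administration") is replaced with a bare "Pending". If the entry is being withdrawn, remove the row; if its status is changing, keep the description and the link and change only the status cell. The "Pending GAPending" text also reads as two cells run together and should be checked in the rendered table.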