---
- branch: MAIN
  date: Tue Sep 26 07:41:14 UTC 2017
  files:
  - new: '1.18'
    old: '1.17'
    path: pkgsrc/security/vault/Makefile
    pathrev: pkgsrc/security/vault/Makefile@1.18
    type: modified
  - new: '1.12'
    old: '1.11'
    path: pkgsrc/security/vault/distinfo
    pathrev: pkgsrc/security/vault/distinfo@1.12
    type: modified
  id: 20170926T074114Z.e9c045be8571e1593f06bb6f7a39f22048072a03
  log: |
    Update security/vault to 0.8.3.

    CHANGES:

    - Policy input/output standardization: For all built-in authentication
      backends, policies can now be specified as a comma-delimited string or an
      array if using JSON as API input; on read, policies will be returned as an
      array; and the `default` policy will not be forcefully added to policies
      saved in configurations. Please note that the `default` policy will continue
      to be added to generated tokens, however, rather than backends adding
      `default` to the given set of input policies (in some cases, and not in
      others), the stored set will reflect the user-specified set.
    - `sign-self-issued` modifies Issuer in generated certificates: In 0.8.2 the
      endpoint would not modify the Issuer in the generated certificate, leaving
      the output self-issued. Although theoretically valid, in practice crypto
      stacks were unhappy validating paths containing such certs. As a result,
      `sign-self-issued` now encodes the signing CA's Subject DN into the Issuer
      DN of the generated certificate.
    - `sys/raw` requires enabling: While the `sys/raw` endpoint can be extremely
      useful in break-glass or support scenarios, it is also extremely dangerous.
      As of now, a configuration file option `raw_storage_endpoint` must be set in
      order to enable this API endpoint. Once set, the available functionality has
      been enhanced slightly; it now supports listing and decrypting most of
      Vault's core data structures, except for the encryption keyring itself.
    - `generic` is now `kv`: To better reflect its actual use, the `generic`
      backend is now `kv`. Using `generic` will still work for backwards
      compatibility.

    FEATURES:

    - GCE Support for GCP Auth: GCE instances can now authenticate to Vault
      using machine credentials.
    - Support for Kubernetes Service Account Auth: Kubernetes Service Accounts
      can now authenticate to vault using JWT tokens.

    IMPROVEMENTS:

    - configuration: Provide a config option to store Vault server's process ID
      (PID) in a file
    - mfa (Enterprise): Add the ability to use identity metadata in username
      format
    - mfa/okta (Enterprise): Add support for configuring base_url for API calls
    - secret/pki: `sign-intermediate` will now allow specifying a `ttl` value
      longer than the signing CA certificate's NotAfter value.
    - sys/raw: Raw storage access is now disabled by default

    BUG FIXES:

    - auth/okta: Fix regression that removed the ability to set base_url
    - core: Fix panic while loading leases at startup on ARM processors
    - secret/pki: Fix `sign-self-issued` encoding the wrong subject public key
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/security/vault'
  unixtime: '1506411674'
  user: fhajny