Content-Transfer-Encoding: 7bit
Content-Type: multipart/mixed; boundary="_----------=_1473427564285350"
MIME-Version: 1.0
Date: Fri, 9 Sep 2016 13:26:04 +0000
From: "Filip Hajny" <fhajny@netbsd.org>
Subject: CVS commit: pkgsrc/security/vault
To: pkgsrc-changes@NetBSD.org
Reply-To: fhajny@netbsd.org
Message-Id: <20160909132604.EC9CDFBD1@cvs.NetBSD.org>
Sender: pkgsrc-changes-owner@NetBSD.org
Precedence: bulk

This is a multi-part message in MIME format.

--_----------=_1473427564285350
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset="US-ASCII"

Module Name:	pkgsrc
Committed By:	fhajny
Date:		Fri Sep  9 13:26:04 UTC 2016

Modified Files:
	pkgsrc/security/vault: Makefile distinfo

Log Message:
Update security/vault to 0.6.1.

0.6.1 (August 22, 2016)

DEPRECATIONS/BREAKING CHANGES:

- Once the active node is 0.6.1, standby nodes must also be 0.6.1
  in order to connect to the HA cluster.
- Status codes for sealed/uninitialized Vaults have changed to
  503/501 respectively.
- Root tokens (tokens with the root policy) can no longer be
  created except by another root token or the generate-root
  endpoint.
- Issued certificates from the pki backend against new roles
  created or modified after upgrading will contain a set of
  default key usages.
- The dynamodb physical data store no longer supports HA by
  default.
- The ldap backend no longer searches for memberOf groups as part
  of its normal flow. Instead, the desired group filter must be
  specified.
- app-id is now deprecated with the addition of the new AppRole
  backend.

FEATURES:

- AppRole Authentication Backend: The approle backend is a
  machine-oriented authentication backend that provides a similar
  concept to App-ID while adding many missing features, including a
  pull model that allows for the backend to generate authentication
  credentials rather than requiring operators or other systems to
  push credentials in.
- Request Forwarding: Vault servers can now forward requests to
  each other rather than redirecting clients. This feature is off
  by default in 0.6.1 but will be on by default in the next release.
- Convergent Encryption in Transit: The transit backend now
  supports a convergent encryption mode where the same plaintext
  will produce the same ciphertext.
- Improved LDAP Group Filters: The ldap auth backend now uses
  templates to define group filters, providing the capability to
  support some directories that could not easily be supported before
  (especially specific Active Directory setups with nested groups).
- Key Usage Control in PKI: Issued certificates from roles created
  or modified after upgrading contain a set of default key usages
  for increased compatibility with OpenVPN and some other software.
- Request Retrying in the CLI and Go API: Requests that fail with
  a 5xx error code will now retry after a backoff. The maximum
  total number of retries (including disabling this functionality)
  can be set with an environment variable.
- Service Discovery in vault init: The new -auto option on vault
  init will perform service discovery using Consul.
- MongoDB Secret Backend: Generate dynamic unique MongoDB database
  credentials based on configured roles.
- Circonus Metrics Integration: Vault can now send metrics to
  Circonus.

IMPROVEMENTS:

- audit: Added a unique identifier to each request which will also
  be found in the request portion of the response.
- auth/aws-ec2: Added a new constraint bound_account_id to the
  role
- auth/aws-ec2: Added a new constraint bound_iam_role_arn to the
  role
- auth/aws-ec2: Added ttl field for the role
- auth/ldap, secret/cassandra, physical/consul: Clients with
  tls.Config have the minimum TLS version set to 1.2 by default.
- auth/token: Added endpoint to list accessors
- auth/token: Added disallowed_policies option to token store
  roles
- auth/token: root or sudo tokens can now create periodic tokens
  via auth/token/create; additionally, the same token can now be
  periodic and have an explicit max TTL
- build: Add support for building on Solaris/Illumos
- cli: Output formatting in the presence of warnings in the
  response object
- cli: vault auth command supports a -path option to take in the
  path at which the auth backend is enabled, thereby allowing
  authenticating against different paths using the command options
- cli: vault auth -methods will now display the config settings of
  the mount
- cli: vault read/write/unwrap -field now allows selecting token
  response fields
- cli: vault write -field now allows selecting wrapped response
  fields
- command/status: Version information and cluster details added to
  the output of vault status command
- core: Response wrapping is now enabled for login endpoints
- core: The duration of leadership is now exported via events
  through telemetry
- core: sys/capabilities-self is now accessible as part of the
  default policy
- core: sys/renew is now accessible as part of the default policy
- core: Unseal keys will now be returned in both hex and base64
  forms, and either can be used
- core: Responses from most /sys endpoints now return normal
  api.Secret structs in addition to the values they carried
  before.
- physical/etcd: Support ETCD_ADDR env var for specifying
  addresses
- physical/consul: Allowing additional tags to be added to Consul
  service registration via service_tags option
- secret/aws: Listing of roles is supported now
- secret/cassandra: Add connect_timeout value for Cassandra
  connection configuration
- secret/mssql,mysql,postgresql: Reading of connection settings is
  supported in all the sql backends
- secret/mysql: Added optional maximum idle connections value to
  MySQL connection configuration
- secret/mysql: Use a combination of the role name and token
  display name in generated user names and allow the length to be
  controlled
- secret/{cassandra,mssql,mysql,postgresql}: SQL statements can
  now be passed in via one of four ways: a semicolon-delimited
  string, a base64-delimited string, a serialized JSON string array,
  or a base64-encoded serialized JSON string array
- secret/ssh: Added allowed_roles to vault-ssh-helper's config and
  returning role name as part of response of verify API
- secret/ssh: Added passthrough of command line arguments to ssh
- sys/health: Added version information to the response of health
  status endpoint
- sys/health: Cluster information isbe returned as part of health
  status when Vault is unsealed
- sys/mounts: MountTable data is compressed before serializing to
  accommodate thousands of mounts
- website: The token concepts page has been completely rewritten

BUG FIXES:

- auth/aws-ec2: Added a nil check for stored whitelist identity
  object during renewal
- auth/cert: Fix panic if no client certificate is supplied
- auth/token: Don't report that a non-expiring root token is
  renewable, as attempting to renew it results in an error
- cli: Don't retry a command when a redirection is received
- core: Fix regression causing status codes to be 400 in most
  non-5xx error cases
- core: Fix panic that could occur during a leadership transition
- physical/postgres: Remove use of prepared statements as this
  causes connection multiplexing software to break
- physical/consul: Multiple Vault nodes on the same machine
  leading to check ID collisions were resulting in incorrect
  health check responses
- physical/consul: Fix deregistration of health checks on exit
- secret/postgresql: Check for existence of role before attempting
  deletion
- secret/postgresql: Handle revoking roles that have privileges on
  sequences
- secret/postgresql(,mysql,mssql): Fix incorrect use of database
  over transaction object which could lead to connection
  exhaustion
- secret/pki: Fix parsing CA bundle containing trailing whitespace
- secret/pki: Fix adding email addresses as SANs
- secret/pki: Ensure that CRL values are always UTC, per RFC
- sys/seal-status: Fixed nil Cluster object while checking seal
  status

0.6.0 (June 14th, 2016)

SECURITY:

Although sys/revoke-prefix was intended to revoke prefixes of
secrets (via lease IDs, which incorporate path information) and
auth/token/revoke-prefix was intended to revoke prefixes of tokens
(using the tokens' paths and, since 0.5.2, role information), in
implementation they both behaved exactly the same way since a
single component in Vault is responsible for managing lifetimes of
both, and the type of the tracked lifetime was not being checked.
The end result was that either endpoint could revoke both secret
leases and tokens. We consider this a very minor security issue as
there are a number of mitigating factors: both endpoints require
sudo capability in addition to write capability, preventing
blanket ACL path globs from providing access; both work by using
the prefix to revoke as a part of the endpoint path, allowing them
to be properly ACL'd; and both are intended for emergency
scenarios and users should already not generally have access to
either one. In order to prevent confusion, we have simply removed
auth/token/revoke-prefix in 0.6, and sys/revoke-prefix will be
meant for both leases and tokens instead.

DEPRECATIONS/BREAKING CHANGES:

- auth/token/revoke-prefix has been removed. See the security
  notice for details.
- Vault will now automatically register itself as the vault
  service when using the consul backend and will perform its own
  health checks.
- List operations that do not find any keys now return a 404
  status code rather than an empty response object
- CA certificates issued from the pki backend no longer have
  associated leases, and any CA certs already issued will ignore
  revocation requests from the lease manager.

FEATURES:

- AWS EC2 Auth Backend: Provides a secure introduction mechanism
  for AWS EC2 instances allowing automated retrieval of Vault
  tokens.
- Response Wrapping: Nearly any response within Vault can now be
  wrapped inside a single-use, time-limited token's cubbyhole,
  taking the Cubbyhole Authentication Principles mechanism to its
  logical conclusion.
- Azure Physical Backend: You can now use Azure blob object
  storage as your Vault physical data store
- Swift Physical Backend: You can now use Swift blob object
  storage as your Vault physical data store
- Consul Backend Health Checks: The Consul backend will
  automatically register a vault service and perform its own
  health checking.
- Explicit Maximum Token TTLs: You can now set explicit maximum
  TTLs on tokens that do not honor changes in the system- or
  mount-set values.
- Non-Renewable Tokens: When creating tokens directly through the
  token authentication backend, you can now specify in both token
  store roles and the API whether or not a token should be
  renewable, defaulting to true.
- RabbitMQ Secret Backend: Vault can now generate credentials for
  RabbitMQ. Vhosts and tags can be defined within roles.

IMPROVEMENTS:

- audit: Add the DisplayName value to the copy of the Request
  object embedded in the associated Response, to match the
  original Request object
- audit: Enable auditing of the seal and step-down commands
- backends: Remove most root/sudo paths in favor of normal ACL
  mechanisms.
- command/auth: Restore the previous authenticated token if the
  auth command fails to authenticate the provided token
- command/write: -format and -field can now be used with the write
  command
- core: Add mlock support for FreeBSD, OpenBSD, and Darwin
- core: Don't keep lease timers around when tokens are revoked
- core: If using the disable_cache option, caches for the policy
  store and the transit backend are now disabled as well
- credential/cert: Renewal requests are rejected if the set of
  policies has changed since the token was issued
- credential/cert: Check CRLs for specific non-CA certs configured
  in the backend
- credential/ldap: If groupdn is not configured, skip searching
  LDAP and only return policies for local groups, plus a warning
- credential/ldap: vault list support for users and groups
- credential/ldap: Support for the memberOf attribute for group
  membership searching
- credential/userpass: Add list support for users
- credential/userpass: Remove user configuration paths from
  requiring sudo, in favor of normal ACL mechanisms
- credential/token: Sanitize policies and add default policies in
  appropriate places
- credential/token: Setting the renewable status of a token is now
  possible via vault token-create and the API.
- secret/aws: Use chain credentials to allow environment/EC2
  instance/shared providers
- secret/aws: Support for STS AssumeRole functionality
- secret/consul: Reading consul access configuration supported.
- secret/pki: Added exclude_cn_from_sans field to prevent adding
  the CN to DNS or Email Subject Alternate Names
- secret/pki: Added list support for certificates
- sys/capabilities: Enforce ACL checks for requests that query the
  capabilities of a token on a given path
- sys/health: Status information can now be retrieved with HEAD

BUG FIXES:

- command/read: Fix panic when using -field with a non-string
  value
- command/token-lookup: Fix TTL showing as 0 depending on how a
  token was created.
- command/various: Tell the JSON decoder to not convert all
  numbers to floats; fixes some various places where numbers were
  showing up in scientific notation
- command/server: Prioritized devRootTokenID and devListenAddress
  flags over their respective env vars
- command/ssh: Provided option to disable host key checking.
- core: Properly persist mount-tuned TTLs for auth backends
- core: Don't accidentally crosswire SIGINT to the reload handler
- credential/github: Make organization comparison case-insensitive
  during login
- credential/github: Fix panic when renewing a token created with
  some earlier versions of Vault
- credential/github: The token used to log in via vault auth can
  now be specified in the VAULT_AUTH_GITHUB_TOKEN environment
  variable
- credential/ldap: Fix problem where certain error conditions when
  configuring or opening LDAP connections would cause a panic
  instead of return a useful error message
- credential/token: Fall back to normal parent-token semantics if
  allowed_policies is empty for a role.
- credential/token: Fix issues renewing tokens when using the
  "suffix" capability of token roles
- credential/token: Fix lookup via POST showing the request token
  instead of the desired token
- credential/various: Fix renewal conditions when default policy
  is not contained in the backend config
- physical/s3: Don't panic in certain error cases from bad S3
  responses
- secret/consul: Use non-pooled Consul API client to avoid leaving
  files open
- secret/pki: Don't check whether a certificate is destined to be
  a CA certificate if sign-verbatim endpoint is used

0.5.3 (May 27th, 2016)

SECURITY:

Consul ACL Token Revocation: An issue was reported to us
indicating that generated Consul ACL tokens were not being
properly revoked. Upon investigation, we found that this behavior
was reproducible in a specific scenario: when a generated lease
for a Consul ACL token had been renewed prior to revocation. In
this case, the generated token was not being properly persisted
internally through the renewal function, leading to an error
during revocation due to the missing token. Unfortunately, this
was coded as a user error rather than an internal error, and the
revocation logic was expecting internal errors if revocation
failed. As a result, the revocation logic believed the revocation
to have succeeded when it in fact failed, causing the lease to be
dropped while the token was still valid within Consul. In this
release, the Consul backend properly persists the token through
renewals, and the revocation logic has been changed to consider
any error type to have been a failure to revoke, causing the lease
to persist and attempt to be revoked later.


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 pkgsrc/security/vault/Makefile
cvs rdiff -u -r1.1 -r1.2 pkgsrc/security/vault/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


--_----------=_1473427564285350
Content-Disposition: inline
Content-Length: 1598
Content-Transfer-Encoding: binary
Content-Type: text/x-diff; charset=us-ascii

Modified files:

Index: pkgsrc/security/vault/Makefile
diff -u pkgsrc/security/vault/Makefile:1.2 pkgsrc/security/vault/Makefile:1.3
--- pkgsrc/security/vault/Makefile:1.2	Sat Aug 20 09:21:46 2016
+++ pkgsrc/security/vault/Makefile	Fri Sep  9 13:26:04 2016
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.2 2016/08/20 09:21:46 bsiegert Exp $
+# $NetBSD: Makefile,v 1.3 2016/09/09 13:26:04 fhajny Exp $
 
-DISTNAME=	vault-0.5.2
-PKGREVISION=	1
+DISTNAME=	vault-0.6.1
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GITHUB:=hashicorp/}
 

Index: pkgsrc/security/vault/distinfo
diff -u pkgsrc/security/vault/distinfo:1.1 pkgsrc/security/vault/distinfo:1.2
--- pkgsrc/security/vault/distinfo:1.1	Fri May  6 13:35:52 2016
+++ pkgsrc/security/vault/distinfo	Fri Sep  9 13:26:04 2016
@@ -1,6 +1,6 @@
-$NetBSD: distinfo,v 1.1 2016/05/06 13:35:52 fhajny Exp $
+$NetBSD: distinfo,v 1.2 2016/09/09 13:26:04 fhajny Exp $
 
-SHA1 (vault-0.5.2.tar.gz) = ab6d4eb8ed1c98204aec722ae157a2e1f8be5253
-RMD160 (vault-0.5.2.tar.gz) = 90c3cc33fc80e77817712ab04654db180a7525b3
-SHA512 (vault-0.5.2.tar.gz) = 38df443b3725ead5911960ab23bdc562d0b8adefb26db569d91c951f5e4e863c902a4fba6dcb56477df61754050c86bd8c252acbe2ba378a36ca87b6ef552e25
-Size (vault-0.5.2.tar.gz) = 3590947 bytes
+SHA1 (vault-0.6.1.tar.gz) = fdc204c49406e067a7d25adaf3a9de6af182a9f0
+RMD160 (vault-0.6.1.tar.gz) = c91ee06522ef30291dc589b7294bf89353a2100d
+SHA512 (vault-0.6.1.tar.gz) = e1bfa5fbcc68b82a407de5ba40c44084d15c3f42bc4027783b25f97d0ef044d5d88a3650b412f2044b73cc525d115f1441a657861ad977644ca7f7a0259a18c7
+Size (vault-0.6.1.tar.gz) = 4665607 bytes


--_----------=_1473427564285350--