fix(deps): update module github.com/hashicorp/vault to v1.14.3 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/hashicorp/vault	require	patch	v1.14.1 -> v1.14.3

GitHub Vulnerability Alerts

CVE-2023-4680

HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11.

---

Release Notes

hashicorp/vault (github.com/hashicorp/vault)

v1.14.3

Compare Source

1.14.3

September 13, 2023

SECURITY:

• secrets/transit: fix a regression that was honoring nonces provided in non-convergent modes during encryption. [GH-22852]

CHANGES:

• core: Bump Go version to 1.20.8.

FEATURES:

• Merkle Tree Corruption Detection (enterprise): Add a new endpoint to check merkle tree corruption.

IMPROVEMENTS:

• auth/ldap: improved login speed by adding concurrency to LDAP token group searches [GH-22659]
• core/quotas: Add configuration to allow skipping of expensive role calculations [GH-22651]
• kmip (enterprise): reduce latency of KMIP operation handling

BUG FIXES:

• cli: Fix the CLI failing to return wrapping information for KV PUT and PATCH operations when format is set to table. [GH-22818]
• core/quotas: Only perform ResolveRoleOperation for role-based quotas and lease creation. [GH-22597]
• core/quotas: Reduce overhead for role calculation when using cloud auth methods. [GH-22583]
• core/seal: add a workaround for potential connection [hangs] in Azure autoseals. [GH-22760]
• core: All subloggers now reflect configured log level on reload. [GH-22038]
• kmip (enterprise): fix date handling error with some re-key operations
• raft/autopilot: Add dr-token flag for raft autopilot cli commands [GH-21165]
• replication (enterprise): Fix discovery of bad primary cluster addresses to be more reliable
• secrets/transit: fix panic when providing non-PEM formatted public key for import [GH-22753]
• ui: fixes long namespace names overflow in the sidebar

v1.14.2

Compare Source

August 30, 2023

CHANGES:

• auth/azure: Update plugin to v0.16.0 [GH-22277]
• core: Bump Go version to 1.20.7.
• database/snowflake: Update plugin to v0.9.0 [GH-22516]

IMPROVEMENTS:

• auto-auth/azure: Added Azure Workload Identity Federation support to auto-auth (for Vault Agent and Vault Proxy). [GH-22264]
• core: Log rollback manager failures during unmount, remount to prevent replication failures on secondary clusters. [GH-22235]
• kmip (enterprise): Add namespace lock and unlock support [GH-21925]
• replication (enterprise): Make reindex less disruptive by allowing writes during the flush phase.
• secrets/database: Improves error logging for static role rotations by including the database and role names. [GH-22253]
• storage/raft: Cap the minimum dead_server_last_contact_threshold to 1m. [GH-22040]
• ui: KV View Secret card will link to list view if input ends in "/" [GH-22502]
• ui: adds allowed_user_ids field to create role form and user_ids to generate certificates form in pki [GH-22191]
• ui: enables create and update KV secret workflow when control group present [GH-22471]
• website/docs: Fix link formatting in Vault lambda extension docs [GH-22396]

BUG FIXES:

• activity (enterprise): Fix misattribution of entities to no or child namespace auth methods [GH-18809]
• agent: Environment variable VAULT_CACERT_BYTES now works for Vault Agent templates. [GH-22322]
• api: Fix breakage with UNIX domain socket addresses introduced by newest Go versions as a security fix. [GH-22523]
• core (enterprise): Remove MFA Configuration for namespace when deleting namespace
• core/metrics: vault.raft_storage.bolt.write.time should be a counter not a summary [GH-22468]
• core/quotas (enterprise): Fix a case where we were applying login roles to lease count quotas in a non-login context.
  Also fix a related potential deadlock. [GH-21110]
• core: Remove "expiration manager is nil on tokenstore" error log for unauth requests on DR secondary as they do not have expiration manager. [GH-22137]
• core: Fix bug where background thread to update locked user entries runs on DR secondaries. [GH-22355]
• core: Fix readonly errors that could occur while loading mounts/auths during unseal [GH-22362]
• core: Fixed an instance where incorrect route entries would get tainted. We now pre-calculate namespace specific paths to avoid this. [GH-21470]
• expiration: Fix a deadlock that could occur when a revocation failure happens while restoring leases on startup. [GH-22374]
• license: Add autoloaded license path to the cache exempt list. This is to ensure the license changes on the active node is observed on the perfStandby node. [GH-22363]
• replication (enterprise): Fix bug sync invalidate CoreReplicatedClusterInfoPath
• replication (enterprise): Fix panic when update-primary was called on demoted clusters using update_primary_addrs
• replication (enterprise): Fixing a bug by which the atomicity of a merkle diff result could be affected. This means it could be a source of a merkle-diff & sync process failing to switch into stream-wal mode afterwards.
• sdk/ldaputil: Properly escape user filters when using UPN domains
  sdk/ldaputil: use EscapeLDAPValue implementation from cap/ldap [GH-22249]
• secrets/ldap: Fix bug causing schema and password_policy to be overwritten in config. [GH-22330]
• secrets/transform (enterprise): Batch items with repeated tokens in the tokenization decode api will now contain the decoded_value element
• secrets/transform (enterprise): Fix nil panic when encoding a tokenization transformation on a non-active node
• secrets/transform (enterprise): Tidy operations will be re-scheduled at a minimum of every minute, not a maximum of every minute
• storage/raft: Fix race where new follower joining can get pruned by dead server cleanup. [GH-20986]
• ui: Fix blank page or ghost secret when canceling KV secret create [GH-22541]
• ui: fixes max_versions default for secret metadata unintentionally overriding kv engine defaults [GH-22394]
• ui: fixes model defaults overwriting input value when user tries to clear form input [GH-22458]
• ui: fixes text readability issue in revoke token confirmation dialog [GH-22390]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.14.3). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.