Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3 #2079

Merged

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 18, 2022

Bumps github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3.

Changelog

Sourced from github.com/hashicorp/vault/sdk's changelog.

0.5.3 (May 27th, 2016)

SECURITY:

  • Consul ACL Token Revocation: An issue was reported to us indicating that generated Consul ACL tokens were not being properly revoked. Upon investigation, we found that this behavior was reproducible in a specific scenario: when a generated lease for a Consul ACL token had been renewed prior to revocation. In this case, the generated token was not being properly persisted internally through the renewal function, leading to an error during revocation due to the missing token. Unfortunately, this was coded as a user error rather than an internal error, and the revocation logic was expecting internal errors if revocation failed. As a result, the revocation logic believed the revocation to have succeeded when it in fact failed, causing the lease to be dropped while the token was still valid within Consul. In this release, the Consul backend properly persists the token through renewals, and the revocation logic has been changed to consider any error type to have been a failure to revoke, causing the lease to persist and attempt to be revoked later.

We have written an example shell script that searches through Consul's ACL tokens and looks for those generated by Vault, which can be used as a template for a revocation script as deemed necessary for any particular security response. The script is available at https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0

Please note that any outstanding leases for Consul tokens produced prior to 0.5.3 that have been renewed will continue to exhibit this behavior. As a result, we recommend either revoking all tokens produced by the backend and issuing new ones, or if needed, a more advanced variant of the provided example could use the timestamp embedded in each generated token's name to decide which tokens are too old and should be deleted. This could then be run periodically up until the maximum lease time for any outstanding pre-0.5.3 tokens has expired.

This is a security-only release. There are no other code changes since 0.5.2. The binaries have one additional change: they are built against Go 1.6.1 rather than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming language itself.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Jul 18, 2022
@cpanato
Copy link
Member

cpanato commented Jul 21, 2022

@dependabot rebase

Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.5.2 to 0.5.3.
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](hashicorp/vault@v0.5.2...v0.5.3)

---
updated-dependencies:
- dependency-name: github.com/hashicorp/vault/sdk
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/go_modules/github.com/hashicorp/vault/sdk-0.5.3 branch from db0ea01 to 5a41b39 Compare July 21, 2022 11:11
@codecov-commenter
Copy link

Codecov Report

Merging #2079 (5a41b39) into main (cd39e55) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #2079   +/-   ##
=======================================
  Coverage   26.33%   26.33%           
=======================================
  Files         129      129           
  Lines        7564     7564           
=======================================
  Hits         1992     1992           
  Misses       5317     5317           
  Partials      255      255           

@cpanato cpanato merged commit 3e49138 into main Jul 21, 2022
@cpanato cpanato deleted the dependabot/go_modules/github.com/hashicorp/vault/sdk-0.5.3 branch July 21, 2022 11:43
@github-actions github-actions bot added this to the v1.10.0 milestone Jul 21, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file go Pull requests that update Go code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants