Change8

v1.21.4

Breaking Changes
📦 vault
1 breaking change · 3 features · 9 bug fixes · 5 affected symbols

Summary

This release focuses heavily on security updates by upgrading several dependencies to address known CVEs and Go vulnerabilities. It also includes numerous bug fixes, particularly around PKI protocols (SCEP, EST, CMPv2) and enterprise features.

⚠️ Breaking Changes

  • The ability to bulk delete secrets engines from the list view in the UI has been removed. Users must now delete secrets engines individually.

Migration Steps

  1. If you relied on bulk deletion of secrets engines in the UI, you must now delete them individually.

✨ New Features

  • The sys/seal-backend-status endpoint in core/seal now provides more information about seal backends.
  • The secrets/pki (enterprise) SCEP GetCACaps endpoint now returns the POSTPKIOperation capability for better legacy client support.
  • The secrets/pki SCEP GetCACaps endpoint now dynamically reflects the configured encryption and digest algorithms.

🐛 Bug Fixes

  • Resolved an issue in core (enterprise) where the POST body on binary paths was not buffered, so it could not be re-read during non-logical forwarding attempts; this affected SCEP, EST, and CMPv2 certificate issuance when entity replication was slow.
  • Fixed excessive logging when updating existing aliases in core/identity (enterprise).
  • Client credentials are no longer required when using Azure Managed Identities in managed keys (core/managed-keys enterprise).
  • Fixed a bug where requests to external plugins that modify storage were not populating the X-Vault-Index response header (plugins enterprise).
  • Allowed issuance of certificates without the server_flag key usage from the SCEP, EST, and CMPv2 protocols in secrets/pki.
  • Addressed cache invalidation issues with CMPv2 on performance standby nodes in secrets/pki (enterprise).
  • Fixed SCEP failures on performance standby nodes caused by configuration invalidation issues and errors writing to storage (secrets/pki enterprise).
  • The secrets/pki root/sign-intermediate endpoint no longer fails when provided a CSR with a basic constraint extension containing isCa set to true.
  • Glob-style DNS names are now allowed in alt_names for secrets/pki.

Affected Symbols