Posted to notifications@dubbo.apache.org by GitBox <gi...@apache.org> on 2022/06/13 12:04:29 UTC

[GitHub] [dubbo-go] dependabot[bot] opened a new pull request, #1933: build(deps): bump github.com/hashicorp/vault/sdk from 0.3.0 to 0.5.1

dependabot[bot] opened a new pull request, #1933:
URL: https://github.com/apache/dubbo-go/pull/1933

   Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.3.0 to 0.5.1.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/hashicorp/vault/blob/main/CHANGELOG.md">github.com/hashicorp/vault/sdk's changelog</a>.</em></p>
   <blockquote>
   <h2>0.5.1 (February 25th, 2016)</h2>
   <p>DEPRECATIONS/CHANGES:</p>
   <ul>
   <li>RSA keys less than 2048 bits are no longer supported in the PKI backend.
   1024-bit keys are considered unsafe and are disallowed in the Internet PKI.
   The <code>pki</code> backend has enforced SHA256 hashes in signatures from the
   beginning, and software that can handle these hashes should be able to
   handle larger key sizes. <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1095">GH-1095</a></li>
   <li>The PKI backend now does not automatically delete expired certificates,
   including from the CRL. Doing so could lead to a situation where a time
   mismatch between the Vault server and clients could result in a certificate
   that would not be considered expired by a client being removed from the CRL.
   The new <code>pki/tidy</code> endpoint can be used to trigger expirations. <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1129">GH-1129</a></li>
   <li>The <code>cert</code> backend now performs a variant of channel binding at renewal time
   for increased security. In order to not overly burden clients, a notion of
   identity is used. This functionality can be disabled. See the 0.5.1 upgrade
   guide for more specific information <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1127">GH-1127</a></li>
   </ul>
   <p>FEATURES:</p>
   <ul>
   <li><strong>Codebase Audit</strong>: Vault's 0.5 codebase was audited by iSEC. (The terms of
   the audit contract do not allow us to make the results public.) <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/220">GH-220</a></li>
   </ul>
   <p>IMPROVEMENTS:</p>
   <ul>
   <li>api: The <code>VAULT_TLS_SERVER_NAME</code> environment variable can be used to control
   the SNI header during TLS connections <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1131">GH-1131</a></li>
   <li>api/health: Add the server's time in UTC to health responses <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1117">GH-1117</a></li>
   <li>command/rekey and command/generate-root: These now return the status at
   attempt initialization time, rather than requiring a separate fetch for the
   nonce <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1054">GH-1054</a></li>
   <li>credential/cert: Don't require root/sudo tokens for the <code>certs/</code> and <code>crls/</code>
   paths; use normal ACL behavior instead <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/468">GH-468</a></li>
   <li>credential/github: The validity of the token used for login will be checked
   at renewal time <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1047">GH-1047</a></li>
   <li>credential/github: The <code>config</code> endpoint no longer requires a root token;
   normal ACL path matching applies</li>
   <li>deps: Use the standardized Go 1.6 vendoring system</li>
   <li>secret/aws: Inform users of AWS-imposed policy restrictions around STS
   tokens if they attempt to use an invalid policy <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1113">GH-1113</a></li>
   <li>secret/mysql: The MySQL backend now allows disabling verification of the
   <code>connection_url</code> <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1096">GH-1096</a></li>
   <li>secret/pki: Submitted CSRs are now verified to have the correct key type and
   minimum number of bits according to the role. The exception is intermediate
   CA signing and the <code>sign-verbatim</code> path <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1104">GH-1104</a></li>
   <li>secret/pki: New <code>tidy</code> endpoint to allow expunging expired certificates.
   <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1129">GH-1129</a></li>
   <li>secret/postgresql: The PostgreSQL backend now allows disabling verification
   of the <code>connection_url</code> <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1096">GH-1096</a></li>
   </ul>
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/hashicorp/vault/commit/0ce2ba38b7bbb880d9ff2f373f8ff3273572dff6"><code>0ce2ba3</code></a> Cut version 0.5.1</li>
   <li><a href="https://github.com/hashicorp/vault/commit/0a4bcf83d8fa73d6687abbfe81aa018d7c18ac86"><code>0a4bcf8</code></a> changelog++</li>
   <li><a href="https://github.com/hashicorp/vault/commit/b280daa10700c58274ec3169cbd91b6a5c3f265a"><code>b280daa</code></a> changelog++</li>
   <li><a href="https://github.com/hashicorp/vault/commit/adb98d757a98b0233eee823533a359a09e1a3982"><code>adb98d7</code></a> Update documentation around VAULT_TLS_SERVER_NAME</li>
   <li><a href="https://github.com/hashicorp/vault/commit/8970f3aa68c544f24ae69af3994b9eeae1f28ca5"><code>8970f3a</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1131">#1131</a> from rmt/master</li>
   <li><a href="https://github.com/hashicorp/vault/commit/2f79bb12ee34acc280f07634a9c6632b8f7b9fbd"><code>2f79bb1</code></a> Bump TF variables</li>
   <li><a href="https://github.com/hashicorp/vault/commit/b906f22fe910de2d7d14c9bf444b7e5a29328422"><code>b906f22</code></a> Add VAULT_TLS_SERVER_NAME environment variable</li>
   <li><a href="https://github.com/hashicorp/vault/commit/c77e00d77316b778708bc6df9a0ea027b2fd2cfe"><code>c77e00d</code></a> TF_DEV-&gt;VAULT_DEV_BUILD</li>
   <li><a href="https://github.com/hashicorp/vault/commit/7a036842ea35e015cc6a4231ef2b543d16a84776"><code>7a03684</code></a> changelog++</li>
   <li><a href="https://github.com/hashicorp/vault/commit/cc0f5590dbf6ddd19133fd6f9f8ad4398cd7a06b"><code>cc0f559</code></a> Bump website version number</li>
   <li>Additional commits viewable in <a href="https://github.com/hashicorp/vault/compare/v0.3.0...v0.5.1">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org


[GitHub] [dubbo-go] dependabot[bot] closed pull request #1933: build(deps): bump github.com/hashicorp/vault/sdk from 0.3.0 to 0.5.1

Posted by GitBox <gi...@apache.org>.
dependabot[bot] closed pull request #1933: build(deps): bump github.com/hashicorp/vault/sdk from 0.3.0 to 0.5.1
URL: https://github.com/apache/dubbo-go/pull/1933




[GitHub] [dubbo-go] dependabot[bot] commented on pull request #1933: build(deps): bump github.com/hashicorp/vault/sdk from 0.3.0 to 0.5.1

Posted by GitBox <gi...@apache.org>.
dependabot[bot] commented on PR #1933:
URL: https://github.com/apache/dubbo-go/pull/1933#issuecomment-1160361500

   Superseded by #1942.

