Posted to notifications@dubbo.apache.org by GitBox <gi...@apache.org> on 2022/07/18 12:04:27 UTC

[GitHub] [dubbo-go] dependabot[bot] opened a new pull request, #1976: build(deps): bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3

dependabot[bot] opened a new pull request, #1976:
URL: https://github.com/apache/dubbo-go/pull/1976

   Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.5.2 to 0.5.3.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a href="https://github.com/hashicorp/vault/blob/main/CHANGELOG.md">github.com/hashicorp/vault/sdk's changelog</a>.</em></p>
   <blockquote>
   <h2>0.5.3 (May 27th, 2016)</h2>
   <p>SECURITY:</p>
   <ul>
   <li>Consul ACL Token Revocation: An issue was reported to us indicating that
   generated Consul ACL tokens were not being properly revoked. Upon
   investigation, we found that this behavior was reproducible in a specific
   scenario: when a generated lease for a Consul ACL token had been renewed
   prior to revocation. In this case, the generated token was not being
   properly persisted internally through the renewal function, leading to an
   error during revocation due to the missing token. Unfortunately, this was
   coded as a user error rather than an internal error, and the revocation
   logic was expecting internal errors if revocation failed. As a result, the
   revocation logic believed the revocation to have succeeded when it in fact
   failed, causing the lease to be dropped while the token was still valid
   within Consul. In this release, the Consul backend properly persists the
   token through renewals, and the revocation logic has been changed to
   consider any error type to have been a failure to revoke, causing the lease
   to persist and attempt to be revoked later.</li>
   </ul>
   <p>We have written an example shell script that searches through Consul's ACL
   tokens and looks for those generated by Vault, which can be used as a template
   for a revocation script as deemed necessary for any particular security
   response. The script is available at
   <a href="https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0">https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0</a></p>
   <p>Please note that any outstanding leases for Consul tokens produced prior to
   0.5.3 that have been renewed will continue to exhibit this behavior. As a
   result, we recommend either revoking all tokens produced by the backend and
   issuing new ones, or if needed, a more advanced variant of the provided example
   could use the timestamp embedded in each generated token's name to decide which
   tokens are too old and should be deleted. This could then be run periodically
   up until the maximum lease time for any outstanding pre-0.5.3 tokens has
   expired.</p>
   <p>This is a security-only release. There are no other code changes since 0.5.2.
   The binaries have one additional change: they are built against Go 1.6.1 rather
   than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming
   language itself.</p>
   </blockquote>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/hashicorp/vault/commit/9617c6eb79c3453aa569d620fc71e90f7e32f72f"><code>9617c6e</code></a> Cut version 0.5.3</li>
   <li><a href="https://github.com/hashicorp/vault/commit/48125e4674e4c2c83ad58899b455966977332d0f"><code>48125e4</code></a> Port build script from master</li>
   <li><a href="https://github.com/hashicorp/vault/commit/1cecd804d670905710eb2057509af9784f83aaa9"><code>1cecd80</code></a> Update Changelog</li>
   <li><a href="https://github.com/hashicorp/vault/commit/b78d21c6ae0efa85dda2bd0dbbc8186203e38eda"><code>b78d21c</code></a> Return nil if token not in internal data</li>
   <li><a href="https://github.com/hashicorp/vault/commit/d983c5e95778e4f093ac4721da69efafb52aec41"><code>d983c5e</code></a> minor wording fix</li>
   <li><a href="https://github.com/hashicorp/vault/commit/e859b0e9b044b0dddffe92b62318018afd388947"><code>e859b0e</code></a> Use Go 1.6.1, not 1.6.2</li>
   <li><a href="https://github.com/hashicorp/vault/commit/94c895f12457020ff8fac2b2e147af1b6048d720"><code>94c895f</code></a> Update changelog</li>
   <li><a href="https://github.com/hashicorp/vault/commit/a930d31d01562fc6886ec95292469475e4cab933"><code>a930d31</code></a> Bump Go version in Dockerfile</li>
   <li><a href="https://github.com/hashicorp/vault/commit/c5da57aad1bcc902783a274c40e27db94728f672"><code>c5da57a</code></a> Bump version</li>
   <li><a href="https://github.com/hashicorp/vault/commit/c6fb200a4a6dbf0ee6b6e53e6d236c190f8db2cc"><code>c6fb200</code></a> Fix the consul secret backends renewal revocation problem</li>
   <li>Additional commits viewable in <a href="https://github.com/hashicorp/vault/compare/v0.5.2...v0.5.3">compare view</a></li>
   </ul>
   </details>
   <br />
   
   
   [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/hashicorp/vault/sdk&package-manager=go_modules&previous-version=0.5.2&new-version=0.5.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
   
   Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
   
   [//]: # (dependabot-automerge-start)
   [//]: # (dependabot-automerge-end)
   
   ---
   
   <details>
   <summary>Dependabot commands and options</summary>
   <br />
   
   You can trigger Dependabot actions by commenting on this PR:
   - `@dependabot rebase` will rebase this PR
   - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
   - `@dependabot merge` will merge this PR after your CI passes on it
   - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
   - `@dependabot cancel merge` will cancel a previously requested merge and block automerging
   - `@dependabot reopen` will reopen this PR if it is closed
   - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
   - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
   - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
   
   
   </details>


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@dubbo.apache.org
For additional commands, e-mail: notifications-help@dubbo.apache.org
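The changelog above describes two defects that combined into an orphaned credential: renewal built a new lease response without carrying the Consul token forward, and the lease manager treated a "user" error from the revoke handler as a successful revocation, so Vault dropped the lease while Consul still honoured the token. The following Go program is an added example, not Vault's or dubbo-go's code, that models both the pre-0.5.3 and the fixed behaviour side by side with an in-memory stand-in for Consul. All type and function names (Lease, FakeConsul, RenewDropsToken, RevokeIgnoringUserErrors, Scenario and so on) are hypothetical, as is the sample token value.

```go
package main

import (
	"errors"
	"fmt"
)

// Lease models the slice of Vault lease state that matters here: the secret's
// InternalData, which the Consul backend uses to remember which ACL token it
// created. This is a constructed model, not Vault's own types.
type Lease struct {
	ID           string
	InternalData map[string]string
}

// FakeConsul is an in-memory stand-in for Consul's ACL token store.
type FakeConsul struct {
	Tokens map[string]bool
}

func NewFakeConsul() *FakeConsul { return &FakeConsul{Tokens: map[string]bool{}} }

// Create registers a token as valid in Consul.
func (c *FakeConsul) Create(token string) { c.Tokens[token] = true }

// Destroy deletes a token; deleting an unknown token is an error.
func (c *FakeConsul) Destroy(token string) error {
	if !c.Tokens[token] {
		return fmt.Errorf("consul: unknown token %q", token)
	}
	delete(c.Tokens, token)
	return nil
}

// ErrUser tags errors the backend classified as "user" errors, the kind the
// pre-0.5.3 revocation logic did not count as a failure.
var ErrUser = errors.New("user error")

// RenewDropsToken reproduces the pre-0.5.3 renewal: the new secret response is
// built without carrying InternalData forward, so the token name is lost.
func RenewDropsToken(l Lease) Lease {
	return Lease{ID: l.ID, InternalData: map[string]string{}}
}

// RenewPersistsToken is the fixed renewal: InternalData is copied forward.
func RenewPersistsToken(l Lease) Lease {
	nd := make(map[string]string, len(l.InternalData))
	for k, v := range l.InternalData {
		nd[k] = v
	}
	return Lease{ID: l.ID, InternalData: nd}
}

// revokeToken is the backend's revoke handler: look up the token name in the
// lease and delete it in Consul. A missing token is reported as a user error,
// mirroring the misclassification the changelog describes.
func revokeToken(c *FakeConsul, l Lease) error {
	token, ok := l.InternalData["token"]
	if !ok {
		return fmt.Errorf("%w: token not found in lease internal data", ErrUser)
	}
	return c.Destroy(token)
}

// RevokeIgnoringUserErrors reproduces the pre-0.5.3 lease manager: only
// internal (non-user) errors count as a failed revocation. It returns true when
// the lease is dropped from Vault's store.
func RevokeIgnoringUserErrors(c *FakeConsul, l Lease) (dropped bool) {
	if err := revokeToken(c, l); err != nil && !errors.Is(err, ErrUser) {
		return false // keep the lease so revocation is retried later
	}
	return true // a user error falls through here and the lease is dropped anyway
}

// RevokeOnAnyError is the fixed lease manager: any error keeps the lease.
func RevokeOnAnyError(c *FakeConsul, l Lease) (dropped bool) {
	if err := revokeToken(c, l); err != nil {
		return false
	}
	return true
}

// Scenario issues a token, renews the lease once, then revokes it, and reports
// whether Vault dropped the lease and whether the token is still valid in Consul.
// A dropped lease with a still-valid token is the orphan the advisory warns about.
func Scenario(renew func(Lease) Lease, revoke func(*FakeConsul, Lease) bool) (leaseDropped, tokenValid bool) {
	consul := NewFakeConsul()
	const token = "constructed-acl-token-1" // constructed sample value
	consul.Create(token)
	lease := Lease{ID: "consul/creds/readonly/1", InternalData: map[string]string{"token": token}}

	lease = renew(lease)
	leaseDropped = revoke(consul, lease)
	return leaseDropped, consul.Tokens[token]
}

func main() {
	d, v := Scenario(RenewDropsToken, RevokeIgnoringUserErrors)
	fmt.Printf("pre-0.5.3: lease dropped=%v, token still valid in Consul=%v\n", d, v)
	d, v = Scenario(RenewPersistsToken, RevokeOnAnyError)
	fmt.Printf("0.5.3:     lease dropped=%v, token still valid in Consul=%v\n", d, v)
}
```

Running the two combinations shows why the release fixed both halves: with only the revocation fix applied, a lease renewed under the old code still cannot be revoked (the token name is gone), but at least the lease is kept and retried rather than silently dropped; with only the renewal fix, the error misclassification stays latent for any other revoke failure the backend reports as a user error.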


[GitHub] [dubbo-go] AlexStocks merged pull request #1976: build(deps): bump github.com/hashicorp/vault/sdk from 0.5.2 to 0.5.3

Posted by GitBox <gi...@apache.org>.
AlexStocks merged PR #1976:
URL: https://github.com/apache/dubbo-go/pull/1976
