dependabot[bot] opened a new pull request, #1976: URL: https://github.com/apache/dubbo-go/pull/1976
Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) from 0.5.2 to 0.5.3.

**Changelog** (sourced from [github.com/hashicorp/vault/sdk's changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)):

> ## 0.5.3 (May 27th, 2016)
>
> SECURITY:
>
> - Consul ACL Token Revocation: An issue was reported to us indicating that generated Consul ACL tokens were not being properly revoked. Upon investigation, we found that this behavior was reproducible in a specific scenario: when a generated lease for a Consul ACL token had been renewed prior to revocation. In this case, the generated token was not being properly persisted internally through the renewal function, leading to an error during revocation due to the missing token. Unfortunately, this was coded as a user error rather than an internal error, and the revocation logic was expecting internal errors if revocation failed. As a result, the revocation logic believed the revocation to have succeeded when it in fact failed, causing the lease to be dropped while the token was still valid within Consul. In this release, the Consul backend properly persists the token through renewals, and the revocation logic has been changed to consider any error type to have been a failure to revoke, causing the lease to persist and attempt to be revoked later.
>
> We have written an example shell script that searches through Consul's ACL tokens and looks for those generated by Vault, which can be used as a template for a revocation script as deemed necessary for any particular security response. The script is available at https://gist.github.com/jefferai/6233c2963f9407a858d84f9c27d725c0
>
> Please note that any outstanding leases for Consul tokens produced prior to 0.5.3 that have been renewed will continue to exhibit this behavior. As a result, we recommend either revoking all tokens produced by the backend and issuing new ones, or if needed, a more advanced variant of the provided example could use the timestamp embedded in each generated token's name to decide which tokens are too old and should be deleted. This could then be run periodically up until the maximum lease time for any outstanding pre-0.5.3 tokens has expired.
>
> This is a security-only release. There are no other code changes since 0.5.2. The binaries have one additional change: they are built against Go 1.6.1 rather than Go 1.6, as Go 1.6.1 contains two security fixes to the Go programming language itself.

**Commits**

- [`9617c6e`](https://github.com/hashicorp/vault/commit/9617c6eb79c3453aa569d620fc71e90f7e32f72f) Cut version 0.5.3
- [`48125e4`](https://github.com/hashicorp/vault/commit/48125e4674e4c2c83ad58899b455966977332d0f) Port build script from master
- [`1cecd80`](https://github.com/hashicorp/vault/commit/1cecd804d670905710eb2057509af9784f83aaa9) Update Changelog
- [`b78d21c`](https://github.com/hashicorp/vault/commit/b78d21c6ae0efa85dda2bd0dbbc8186203e38eda) Return nil if token not in internal data
- [`d983c5e`](https://github.com/hashicorp/vault/commit/d983c5e95778e4f093ac4721da69efafb52aec41) minor wording fix
- [`e859b0e`](https://github.com/hashicorp/vault/commit/e859b0e9b044b0dddffe92b62318018afd388947) Use Go 1.6.1, not 1.6.2
- [`94c895f`](https://github.com/hashicorp/vault/commit/94c895f12457020ff8fac2b2e147af1b6048d720) Update changelog
- [`a930d31`](https://github.com/hashicorp/vault/commit/a930d31d01562fc6886ec95292469475e4cab933) Bump Go version in Dockerfile
- [`c5da57a`](https://github.com/hashicorp/vault/commit/c5da57aad1bcc902783a274c40e27db94728f672) Bump version
- [`c6fb200`](https://github.com/hashicorp/vault/commit/c6fb200a4a6dbf0ee6b6e53e6d236c190f8db2cc) Fix the consul secret backends renewal revocation problem
- Additional commits viewable in [compare view](https://github.com/hashicorp/vault/compare/v0.5.2...v0.5.3)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---

**Dependabot commands and options**

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
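The changelog quoted above describes two defects that combined to drop a lease while its Consul token stayed valid: the renewal path did not persist the token into the lease's internal data, and the revocation logic treated only internal errors as a failure to revoke. The Go program below is an added example written for this page, not code from Vault or dubbo-go. It models the pre-0.5.3 and the corrected behaviour side by side against a constructed in-memory stand-in for Consul, and adds a small helper for the "timestamp embedded in each generated token's name" cleanup the changelog suggests. The `FakeConsul` type, every function name, and the `Vault <role> <display name> <unix-nanoseconds>` token-name layout are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Two error classes, mirroring the "user error" vs "internal error"
// distinction the changelog identifies as the root of the problem.
var (
	ErrUser     = errors.New("user error")
	ErrInternal = errors.New("internal error")
)

// Lease carries the secret's internal data. The token must survive here
// across renewals or revocation cannot find it later.
type Lease struct {
	ID           string
	InternalData map[string]string
}

// FakeConsul is a constructed stand-in for the Consul ACL API (assumption).
type FakeConsul struct{ Tokens map[string]bool }

// Delete removes a token; a missing token is reported as an internal error.
func (c *FakeConsul) Delete(token string) error {
	if !c.Tokens[token] {
		return fmt.Errorf("%w: token not found in consul", ErrInternal)
	}
	delete(c.Tokens, token)
	return nil
}

// renewBuggy models the pre-0.5.3 renewal: a fresh lease is returned but
// the token is not carried over into its internal data.
func renewBuggy(old Lease) Lease {
	return Lease{ID: old.ID, InternalData: map[string]string{}}
}

// renewFixed copies the internal data forward, so the token persists.
func renewFixed(old Lease) Lease {
	data := make(map[string]string, len(old.InternalData))
	for k, v := range old.InternalData {
		data[k] = v
	}
	return Lease{ID: old.ID, InternalData: data}
}

// revokeToken reads the token from the lease and deletes it from Consul.
// A missing token is classified as a *user* error, as in the buggy release.
func revokeToken(c *FakeConsul, l Lease) error {
	token, ok := l.InternalData["token"]
	if !ok {
		return fmt.Errorf("%w: token missing from internal data", ErrUser)
	}
	return c.Delete(token)
}

// dropLeaseBuggy models the pre-0.5.3 policy: only an internal error counts
// as failure, so a user error drops the lease as if revocation succeeded.
func dropLeaseBuggy(err error) bool { return !errors.Is(err, ErrInternal) }

// dropLeaseFixed fails closed: any error keeps the lease for a later retry.
func dropLeaseFixed(err error) bool { return err == nil }

// Simulate issues a token, renews, revokes, then applies the drop policy.
// It returns (leaseDropped, tokenStillValidInConsul); the dangerous outcome
// is (true, true): the lease is gone but the token still works.
func Simulate(renew func(Lease) Lease, drop func(error) bool) (bool, bool) {
	consul := &FakeConsul{Tokens: map[string]bool{"tok-1": true}}
	lease := Lease{ID: "lease-1", InternalData: map[string]string{"token": "tok-1"}}
	lease = renew(lease)
	err := revokeToken(consul, lease)
	return drop(err), consul.Tokens["tok-1"]
}

// TokenNameTimestamp parses the trailing Unix-nanosecond field of a token
// name. The "Vault <role> <display> <unixnano>" layout is an ASSUMPTION.
func TokenNameTimestamp(name string) (time.Time, bool) {
	fields := strings.Fields(name)
	if len(fields) < 2 || fields[0] != "Vault" {
		return time.Time{}, false
	}
	ns, err := strconv.ParseInt(fields[len(fields)-1], 10, 64)
	if err != nil {
		return time.Time{}, false
	}
	return time.Unix(0, ns), true
}

// StaleTokens returns the Vault-generated names older than maxLease, the
// candidates a periodic cleanup would delete until pre-0.5.3 leases age out.
func StaleTokens(names []string, now time.Time, maxLease time.Duration) []string {
	var out []string
	for _, n := range names {
		if ts, ok := TokenNameTimestamp(n); ok && now.Sub(ts) > maxLease {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	dropped, valid := Simulate(renewBuggy, dropLeaseBuggy)
	fmt.Printf("pre-0.5.3: lease dropped=%v, token still valid=%v\n", dropped, valid)
	dropped, valid = Simulate(renewFixed, dropLeaseFixed)
	fmt.Printf("0.5.3:     lease dropped=%v, token still valid=%v\n", dropped, valid)
}
```

The design point the fix embodies is that a revocation path should fail closed: the only event that may remove a lease is a confirmed successful delete, and every other outcome, whatever its error class, leaves the lease in place so the revocation is retried and the credential does not outlive Vault's record of it.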
