dependabot[bot] opened a new pull request, #2062:
URL: https://github.com/apache/dubbo-go/pull/2062

   Bumps [github.com/hashicorp/vault/sdk](https://github.com/hashicorp/vault) 
from 0.5.3 to 0.6.0.
   <details>
   <summary>Changelog</summary>
   <p><em>Sourced from <a 
href="https://github.com/hashicorp/vault/blob/main/CHANGELOG.md">github.com/hashicorp/vault/sdk's
 changelog</a>.</em></p>
   <blockquote>
   <h2>0.6.0 (June 14th, 2016)</h2>
   <p>SECURITY:</p>
   <ul>
   <li>Although <code>sys/revoke-prefix</code> was intended to revoke prefixes 
of secrets (via
   lease IDs, which incorporate path information) and
   <code>auth/token/revoke-prefix</code> was intended to revoke prefixes of 
tokens (using
   the tokens' paths and, since 0.5.2, role information), in implementation
   they both behaved exactly the same way since a single component in Vault is
   responsible for managing lifetimes of both, and the type of the tracked
   lifetime was not being checked. The end result was that either endpoint
   could revoke both secret leases and tokens. We consider this a very minor
   security issue as there are a number of mitigating factors: both endpoints
   require <code>sudo</code> capability in addition to write capability, 
preventing
   blanket ACL path globs from providing access; both work by using the prefix
   to revoke as a part of the endpoint path, allowing them to be properly
   ACL'd; and both are intended for emergency scenarios and users should
   already not generally have access to either one. In order to prevent
   confusion, we have simply removed <code>auth/token/revoke-prefix</code> in 
0.6, and
   <code>sys/revoke-prefix</code> will be meant for both leases and tokens 
instead.</li>
   </ul>
   <p>DEPRECATIONS/CHANGES:</p>
   <ul>
   <li><code>auth/token/revoke-prefix</code> has been removed. See the security 
notice for
   details. <a 
href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1280">GH-1280</a></li>
   <li>Vault will now automatically register itself as the <code>vault</code> 
service when
   using the <code>consul</code> backend and will perform its own health 
checks.  See
   the Consul backend documentation for information on how to disable
   auto-registration and service checks.</li>
   <li>List operations that do not find any keys now return a <code>404</code> 
status code
   rather than an empty response object <a 
href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1365">GH-1365</a></li>
   <li>CA certificates issued from the <code>pki</code> backend no longer have 
associated
   leases, and any CA certs already issued will ignore revocation requests from
   the lease manager. This is to prevent CA certificates from being revoked
   when the token used to issue the certificate expires; it was not obvious
   to users that they need to ensure that the token lifetime needed to be at
   least as long as a potentially very long-lived CA cert.</li>
   </ul>
   <p>FEATURES:</p>
   <ul>
   <li><strong>AWS EC2 Auth Backend</strong>: Provides a secure introduction 
mechanism for AWS
   EC2 instances allowing automated retrieval of Vault tokens. Unlike most
   Vault authentication backends, this backend does not require first deploying
   or provisioning security-sensitive credentials (tokens, username/password,
   client certificates, etc). Instead, it treats AWS as a Trusted Third Party
   and uses the cryptographically signed dynamic metadata information that
   uniquely represents each EC2 instance. <a 
href="https://www.hashicorp.com/vault.html">Vault
   Enterprise</a> customers have access to a
   turnkey client that speaks the backend API and makes access to a Vault token
   easy.</li>
   </ul>
   <!-- raw HTML omitted -->
   </blockquote>
   <p>... (truncated)</p>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a 
href="https://github.com/hashicorp/vault/commit/f627c01df8d7bebb403cf899ca1beb24f5fc84cd"><code>f627c01</code></a>
 Cut version 0.6.0</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/5b7e6804e1ac53ed18e09eed8096f83843c9b56b"><code>5b7e680</code></a>
 Add updated wrapping information</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/926e56eff0a48dce9953f5d2e0a0d4aac436e7b3"><code>926e56e</code></a>
 Merge pull request <a 
href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1520">#1520</a>
 from hashicorp/wrapinfo-accessor</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/65cdcd67992f520f7639dd04634738945072e830"><code>65cdcd6</code></a>
 Add some commenting</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/47dc1ccd259545cf2195173a72d8daa82b42b758"><code>47dc1cc</code></a>
 Add token accessor to wrap information if one exists</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/4f039d0427a2280f0a251017618b5170385cf3dd"><code>4f039d0</code></a>
 Merge pull request <a 
href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1518">#1518</a>
 from hashicorp/fix-bound-ami-id</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/e5218943a84cb0448fb620063478c8e6e95ab4f0"><code>e521894</code></a>
 Added bound_ami_id check</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/117200c88a48f53d4faacbb2d69e6f511427ac3e"><code>117200c</code></a>
 Fix mah broken tests</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/c6ded383cb6750ac6b5c205cd2e15741402211c6"><code>c6ded38</code></a>
 cubbyhole-response-wrapping -&gt; response-wrapping</li>
   <li><a 
href="https://github.com/hashicorp/vault/commit/1e67cd89351dd9db4949cae1efce786bf6f5c906"><code>1e67cd8</code></a>
 Merge pull request <a 
href="https://github-redirect.dependabot.com/hashicorp/vault/issues/1513">#1513</a>
 from hashicorp/field-data-get-default</li>
   <li>Additional commits viewable in <a 
href="https://github.com/hashicorp/vault/compare/v0.5.3...v0.6.0">compare 
view</a></li>
   </ul>
   </details>

