Hi folks,
The Vault team is announcing the release of Vault 1.3.7.
This release includes a fix for a serious issue that can cause Enterprise Vault to seal itself and not be able to unseal after rotations or updates to its unseal keys. Users of OSS Vault, Shamir unseal, and Transit Auto Unseal are not impacted by this issue. The issue impacts at least Vault 1.0 through 1.4.2 and we strongly recommend upgrading to 1.3.7 or 1.4.3. If you are running an affected version, we recommend avoiding seal migrations, rekeys, and key rotations in the external seal KMS, and we recommend taking a storage backup prior to key rotation.
Open-source binaries can be downloaded at [1]. Enterprise binaries are available to customers as well.
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing security@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [2].
See the Changelog at [3] for the full list of improvements and bug fixes.
OSS [5] and Enterprise [6] Docker images will be available soon.
Upgrading
See [4] for general upgrade instructions.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [7].
We hope you enjoy Vault 1.3.7!
Sincerely,The Vault Team
[1] https://releases.hashicorp.com/vault/1.3.7/
[2] https://www.hashicorp.com/security
[3] https://github.com/hashicorp/vault/blob/master/CHANGELOG.md#137
[4] https://www.vaultproject.io/docs/upgrading
[5] https://hub.docker.com/_/vault
[6] https://hub.docker.com/r/hashicorp/vault-enterprise
[7] https://discuss.hashicorp.com/c/vault