The Vault team is announcing the release of Vault 1.3.8 and Vault 1.2.5.
There is important security content in both of these releases, and we strongly recommend upgrading to one of them if you are using the GCP and/or AWS auth providers. For more information, see the SECURITY section of the Changleog at  and .
Additionally, Vault 1.2.5 includes a fix for a serious issue that can cause Enterprise Vault to seal itself and not be able to unseal after rotations or updates to its unseal keys. Users of OSS Vault, Shamir unseal, and Transit Auto Unseal are not impacted by this issue. The issue impacts versions of Vault as early as Vault 1.0, but is fixed in Vault 1.3.7, 1.4.3, and 1.5. If you are running an affected version, we recommend avoiding seal migrations, rekeys, and key rotations in the external seal KMS, and we recommend taking a storage backup prior to key rotation.
Open-source binaries can be downloaded at  and . Enterprise binaries are available to customers as well.
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing firstname.lastname@example.org and do not use the public issue tracker. Our security policy and our PGP key can be found at .
See the Changelog at  and  for the full list of improvements and bug fixes.
OSS  and Enterprise  Docker images will be available soon.
See  for general upgrade instructions.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at .
Sincerely, The Vault Team