The Vault team is announcing the releases of 1.5.3, 1.4.6, 1.3.10, and 1.2.7.
Open-source binaries can be downloaded at [1,11,12,13]. Enterprise binaries are available to customers as well.
As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing email@example.com and do not use the public issue tracker. Our security policy and our PGP key can be found at .
The fixes and improvements in this release are enumerated below.
- AWS IAM Header Handling : We’ve made STS header handling more fault-tolerant.
- SSH Secret Engine Signing Fix : We’ve fixed a bug that prevented signing with non-RSA keys. This fix applies to 1.4.6 and 1.5.3. The bug is not present in 1.3 and 1.2.
- Fully Open Source Dependencies : We made last week’s releases from some private repositories due to the nature of the security vulnerabilities. While the SHA of the binary matched the git tag SHA, it meant that the tags could not be built by those without access to the private repositories. With this set of releases, all of the dependencies are now OSS, and the git tags will be buildable.
See the Changelog at [3,8,9,10] for the full list of improvements and bug fixes.
OSS  and Enterprise  Docker images will be available soon.
See  for general upgrade instructions.
As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at .
Sincerely, The Vault Team