Vault 1.12.2, 1.11.6, and 1.10.9 released!

Hi folks,

The Vault team is announcing the release of Vault 1.12.2, 1.11.6, and 1.10.9.

Open-source binaries can be downloaded at [1, 2, 3]. Enterprise binaries are available to customers as well.

As a reminder, if you believe you have found a security issue in Vault, please responsibly disclose by emailing secu…@hashicorp.com and do not use the public issue tracker. Our security policy and our PGP key can be found at [4].

There are some upcoming changes in Vault 1.13, and in Consul 1.14, that will affect some Vault users:

  • AliCloud Auth Method: The AliCloud auth plugin will now require the role parameter on login. This has always been documented as a required field but the requirement will now be enforced.
  • Consul 1.14: If you are using Vault with Consul storage, and the Consul servers are using Consul on Kubernetes, when you upgrade to Consul 1.14 you will need to edit your Helm chart. Full instructions are available in the Consul documentation [11].
  • Log XI Environment Variable: We are removing an undocumented environment variable (LOGXI_FORMAT). Any users of that environment variable should switch to the VAULT_LOG_FORMAT environment variable.
  • PKI: Consul rotates intermediates by generating a new one directly. In versions of Vault prior to 1.11, this replaced the existing intermediate. With PKI’s multi-issuer feature, however, it adds a second intermediate but does not update the default issuer, meaning the rotation doesn’t take effect. If you are running a version of Consul prior to 1.14.2, 1.13.4, or 1.12.7, set the automatic_default_issuer_on_import option on config/issuers of the corresponding PKI mount to true.
  • Replication (Enterprise): In 1.12, we fixed a race condition in the merkle-sync/merkle-diff process but the improvement is disabled by default. In 1.13 the improvement will be enabled by default for Integrated Storage users, and users of Consul 1.14+.

The major features and improvements in 1.12.2 are:

  • Agent: Fixed a panic when rendering certificate templates
  • Control Groups: Fixed a memory leak when using control group factors in a policy
  • Plugins: Added plugin version information to key plugin lifecycle log output
  • Snowflake Secrets Engine: Allows parallel requests to Snowflake
  • SDK: Added support for paging when searching for LDAP groups using filters

See the Changelog at [5] for the full list of improvements and bug fixes.

See the Feature Deprecation Notice and Plans page [9] for our full upcoming feature deprecation plans.

Verified publisher OSS [7] and Enterprise [8] Docker images are also available.


Upgrading

See [6] for general upgrade instructions.

As always, we recommend upgrading and testing this release in an isolated environment. If you experience any non-security issues, please report them on the Vault GitHub issue tracker or post to the Vault Discuss Forum at [10].

We hope you enjoy Vault 1.12.2!

Sincerely, The Vault Team

[1] Vault v1.12.2 Binaries | HashiCorp Releases
[2] Vault v1.11.6 Binaries | HashiCorp Releases
[3] Vault v1.10.9 Binaries | HashiCorp Releases
[4] Security at HashiCorp
[5] https://github.com/hashicorp/vault/blob/main/CHANGELOG.md#1122
[6] Upgrading Vault - Guides | Vault | HashiCorp Developer
[7] Docker Hub
[8] Docker Hub
[9] Feature Deprecation Notice | Vault | HashiCorp Developer
[10] Vault - HashiCorp Discuss
[11] Upgrading Consul on Kubernetes Components | Consul | HashiCorp Developer