1.13.10
November 09, 2023
SECURITY:
core: inbound client requests triggering a policy check can lead to an unbounded consumption of memory. A large number of these requests may lead to denial-of-service. This vulnerability, CVE-2023-5954, was introduced in Vault 1.15.0, 1.14.3, and 1.13.7, and is fixed in Vault 1.15.2, 1.14.6, and 1.13.10. [HSEC-2023-33]
CHANGES:
auth/approle: Normalized error response messages when invalid credentials are provided [GH-23786]
secrets/mongodbatlas: Update plugin to v0.9.2 [GH-23849]
FEATURES:
cli/snapshot: Add CLI tool to inspect Vault snapshots [GH-23457]
IMPROVEMENTS:
storage/etcd: etcd should only return keys when calling List() [GH-23872]
BUG FIXES:
api/seal-status: Fix deadlock on calls to sys/seal-status with a namespace configured on the request. [GH-23861]
core (enterprise): Do not return an internal error when token policy type lookup fails, log it instead and continue.
core/activity: Fixes segments fragment loss due to exceeding entry record size limit [GH-23781]
core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary [GH-23802]
core: Skip unnecessary deriving of policies during Login MFA Check. [GH-23894]
core: fix bug where deadlock detection was always on for expiration and quotas. These can now be configured individually with detect_deadlocks. [GH-23902]
core: fix policies with wildcards not matching list operations due to the policy path not having a trailing slash [GH-23874]
expiration: Fix fatal error "concurrent map iteration and map write" when collecting metrics from leases. [GH-24027]