fix(deps): update module github.com/hashicorp/vault to v1.15.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/hashicorp/vault	v1.15.3 -> v1.15.5

GitHub Vulnerability Alerts

CVE-2023-6337

HashiCorp Vault and Vault Enterprise 1.12.0 and newer are vulnerable to a denial of service through memory exhaustion of the host when handling large unauthenticated and authenticated HTTP requests from a client. Vault will attempt to map the request to memory, resulting in the exhaustion of available memory on the host, which may cause Vault to crash.

Fixed in Vault 1.15.4, 1.14.8, 1.13.12.

CVE-2024-0831

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the log_raw option, which may log sensitive information to other audit devices, regardless of whether they are configured to use log_raw.

---

Release Notes

hashicorp/vault (github.com/hashicorp/vault)

v1.15.5

Compare Source

1.15.5

January 31, 2024

CHANGES:

• core: Bump Go version to 1.21.5.
• database/snowflake: Update plugin to v0.9.1 [GH-25020]
• secrets/ad: Update plugin to v0.16.2 [GH-25058]
• secrets/openldap: Update plugin to v0.11.3 [GH-25040]

IMPROVEMENTS:

• command/server: display logs on startup immediately if disable-gated-logs flag is set [GH-24280]
• core/activity: Include secret_syncs in activity log responses [GH-24710]
• oidc/provider: Adds code_challenge_methods_supported to OpenID Connect Metadata [GH-24979]
• storage/raft: Upgrade to bbolt 1.3.8, along with an extra patch to reduce time scanning large freelist maps. [GH-24010]
• sys (enterprise): Adds the chroot_namespace field to this sys/internal/ui/resultant-acl endpoint, which exposes the value of the chroot namespace from the
  listener config.
• ui: latest version of chrome does not automatically redirect back to the app after authentication unless triggered by the user, hence added a link to redirect back to the app. [GH-18513]

BUG FIXES:

• audit/socket: Provide socket based audit backends with 'prefix' configuration option when supplied. [GH-25004]
• audit: Fix bug where use of 'log_raw' option could result in other devices logging raw audit data [GH-24968]
• auth/saml (enterprise): Fixes support for Microsoft Entra ID enterprise applications
• core (enterprise): fix a potential deadlock if an error is received twice from underlying storage for the same key
• core: upgrade github.com/hashicorp/go-kms-wrapping/wrappers/azurekeyvault/v2 to
  support azure workload identities. [GH-24954]
• helper/pkcs7: Fix slice out-of-bounds panic [GH-24891]
• kmip (enterprise): Only return a Server Correlation Value to clients using KMIP version 1.4.
• plugins: fix panic when registering containerized plugin with a custom runtime on a perf standby
• ui: Allows users to dismiss the resultant-acl banner. [GH-25106]
• ui: Correctly handle redirects from pre 1.15.0 Kv v2 edit, create, and show urls. [GH-24339]
• ui: Fixed minor bugs with database secrets engine [GH-24947]
• ui: Fixes input for jwks_ca_pem when configuring a JWT auth method [GH-24697]
• ui: Fixes policy input toolbar scrolling by default [GH-23297]
• ui: The UI can now be used to create or update database roles by operator without permission on the database connection. [GH-24660]
• ui: fix KV v2 details view defaulting to JSON view when secret value includes { [GH-24513]
• ui: fix incorrectly calculated capabilities on PKI issuer endpoints [GH-24686]
• ui: fix issue where kv v2 capabilities checks were not passing in the full secret path if secret was inside a directory. [GH-24404]
• ui: fix navigation items shown to user when chroot_namespace configured [GH-24492]

v1.15.4

Compare Source

1.15.4

SECURITY:

• core: Fixes an issue present in both Vault and Vault Enterprise since Vault 1.12.0, where Vault is vulnerable to a denial of service through memory exhaustion of the host when handling large HTTP requests from a client. Upgrading is strongly recommended.(see CVE-2023-6337 & HCSEC-2023-34)

CHANGES:

• identity (enterprise): POST requests to the /identity/entity/merge endpoint are now always forwarded from standbys to the active node. [GH-24325]

BUG FIXES:

• agent/logging: Agent should now honor correct -log-format and -log-file settings in logs generated by the consul-template library. [GH-24252]
• api: Fix deadlock on calls to sys/leader with a namespace configured on the request. [GH-24256]
• core: Fix a timeout initializing Vault by only using a short timeout persisting barrier keyring encryption counts. [GH-24336]
• ui: Correctly handle directory redirects from pre 1.15.0 Kv v2 list view urls. [GH-24281]
• ui: Fix payload sent when disabling replication [GH-24292]
• ui: When Kv v2 secret is an object, fix so details view defaults to readOnly JSON editor. [GH-24290]

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (v1.15.5). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.