Name: openbao-mysql-legacy-database-plugin | Distribution: openSUSE Tumbleweed |
Version: 2.4.1 | Vendor: openSUSE |
Release: 1.1 | Build date: Fri Sep 19 15:04:43 2025 |
Group: Productivity/Security | Build host: reproducible |
Size: 15730532 | Source RPM: openbao-2.4.1-1.1.src.rpm |
Packager: http://bugs.opensuse.org | |
Url: https://github.com/openbao/openbao | |
Summary: OpenBao database plugin for MySQL Legacy |
OpenBao database plugin for MySQL Legacy
MPL-2.0
* Fri Sep 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 2.4.1: * SECURITY - http: Limit the complexity of JSON in HTTP request bodies through max_request_json_memory and max_request_json_strings. HCSEC-2025-24 / CVE-2025-6203 / CVE-2025-59043. [GH-1756] * BUG FIXES - auth/jwt: Add missing OIDC flow in JWK validator construction [GH-1779] - auth/jwt: Support token renewal with CEL roles. [GH-1776] - auth/mfa: Allow single-flow MFA to work with inline authentication. [GH-1753] - auth/mfa: Correctly persist tokens created through two-step MFA login enforcement. [GH-1753] - command: fix operator init not allowing for 0 as recovery_shares value. [GH-1754] - command: fix operator rotate-keys not returning recovery keys when server is initialized with 0 recovery_shares. [GH-1754] * Fri Aug 29 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 2.4.0: * SECURITY - audit/file: Restrict mode parameter - Refuse setting an irregular file mode - Silently strip any executable bits [GH-1651] * CHANGES - certutil.ParsePublicKeyPEM of the package github.com/openbao/openbao/sdk/v2/helper/certutil will now return a crypto.PublicKey instead of any. You might need to remove type assertions from your code. [GH-1611] - database: Drop obsolete upgrade check in roleAtPath() function introduced in v0.10 of Vault. [GH-1675] - sdk/framework: Remove LegacyStringToSliceHookFunc, use mapstructure.StringToWeakSliceHookFunc instead. [GH-1626] - sdk/helper: Removed sdk/helper/base62, sdk/helper/mlock, sdk/helper/parseutil, sdk/helper/password, sdk/helper/strutil, and sdk/helper/tlsutil packages. Please use github.com/openbao/go-secure-stdlib/xxx or github.com/hashicorp/go-secure-stdlib/xxx instead. - sdk/database/helper/connutil: Removed Initialize from ConnectionProducer interface, and SQLConnectionProducer struct. [GH-1676] - sdk/logical: Introduce context to logical.HandleListPage(...). 
[GH-1696] - sdk: Bump Go version to 1.24.0 [GH-1690] - vault/seal: removal of deprecated migration path of an old pre-Vault v1.0 (encrypted) recovery config location [GH-1424] * FEATURES - Allow filtering LIST, SCAN responses via the list_scan_response_keys_filter_path parameter to restrict information to only readable or listable values. [GH-1389] - Configuration-Based Audit Devices: Create and remove audit devices through server configuration updates. Changes are applied on restart and SIGHUP with issues appearing in the logs. [GH-1700] - Declarative Self-Initialization: allow server operators to define initial service state through request-driven initialization that occurs automatically on first server start. Operators can reference environment variables and files to provision initial authentication, audit, and secret mounts in addition to having full control over general requests to OpenBao. It is suggested to put the minimal necessary configuration in this and use a proper IaC platform like OpenTofu to perform further configuration of the instance. [GH-1506] - Delay recovery key generation for auto-unseal mechanisms and make rotation authenticated: Add authenticated root and recovery key rotation endpoints, allow delayed recovery key generation (setting initial shares to 0). Solve the issue with the unauthenticated recovery key rotation APIs. [GH-1518] - Inline, Write-less Authentication: support passing authentication information inline with the desired main operation to avoid the need for separate authentication calls, storing and maintaining tokens. This authentication form will not work with operations that create leases. In this form of authentication, no storage writes occur as a result of authentication allowing its use on future read-enabled standby nodes. [GH-1433] - Add static key unseal mechanism to allow auto-unseal in environments with explicit trust chaining.
[GH-1425] * IMPROVEMENTS - api/auth/jwt: initial implementation of JWT Auth Method [GH-1526] - auth/oidc: Add new show_qr=true cli option to display a QR code of the login URL. [GH-1561] - auto-unsealing: Improved the clarity of the warning message logged when the server is uninitialized and auto-unsealing is configured. [GH-1411] - builtin/credential/jwt: Support TLS authentication against explicit alt name/subject. [GH-1533] - cel: Add cel-go ext helpers for string, list, optional, regex, math, set, and encoder operations [GH-1697] - cel: Unify CEL helper functions between JWT and PKI modules, making email validation and other utilities available across both authentication and certificate management [GH-1697] - cli: add new subcommand "bao operator validate-config" to validate a configuration file syntax [GH-1609] - core: sys/seal-status: endpoint now always returns the barrier seal type, explicitly adds recovery seal type [GH-1638] - deps: Update go-jose v3 to go-jose v4 [GH-1477] - secrets/kv: Add CAS (Compare-And-Swap) support for metadata operations in KV v2 secrets engine. Metadata updates now support versioning via metadata_cas parameter and metadata_cas_required configuration option to prevent concurrent modification conflicts. [GH-1372] - ui: change the message 'Vault is sealed' to 'OpenBao is Sealed' by changing the title of the unseal template [GH-1652] - seal/pkcs11: Support and default to software encryption for RSA key types. [GH-1742] * DEPRECATIONS - storage/postgresql: remove support for legacy PostgreSQL versions before 9.5 which require a special upsert function.
[GH-1570] * BUGFIXES - api: Fix compatibility with sys/health from Vault Enterprise [GH-1730] - command: fixes typo in Windows command for setting BAO_ADDR in development mode [GH-1527] - core/namespaces: Prevent infinite loop in namespace loading due to incorrect list pagination when more than 100 sibling namespaces exist under a given parent [GH-1696] - identity: fix nil panic when collecting metrics with unsafe_cross_namespace_identity=true. [GH-1715] - pki: Truncate should error on expired certificates [GH-1369] - releases: add missing container image manifests for *-hsm variants [GH-1597] - sdk: Various constants in the sdk package mistakenly had no explicit type. They are now typed correctly. [GH-1523] - secrets/pki: Prevent infinite loop in tidy stemming from incorrect list pagination [GH-1696] - storage/postgresql: more graceful handling of parallel table creation [GH-1506] * Fri Aug 08 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 2.3.2: * Breaking Changes Due to security vulnerabilities, there are three breaking changes in this security release: - audit subsystem will no longer allow creation of new devices via the API except by setting unsafe_allow_api_audit_creation. In the v2.4.0 release, support for configuration-based audit device definition will be added. - auth/ldap has changed entity formats to normalize against whitespace and case-sensitivity when the unsafe username_as_alias=true parameter is set. - TOTP codes now must be exactly N numeric digits and cannot contain leading or trailing whitespace and will be rejected by the API if they do. * SECURITY - audit: Add server configuration options to disable audit mount creation via the API and to disable audit log prefixing. HCSEC-2025-14 / CVE-2025-6000 / CVE-2025-54997.
[GH-1634] - unsafe_allow_api_audit_creation (default: false) controls the ability to create audit mounts via the API - allow_audit_log_prefixing (default: false) controls the availability of the prefix audit mount option - auth/mfa: correctly limit reuse of TOTP codes during login MFA enforcement. HCSEC-2025-19 / CVE-2025-6015 / CVE-2025-55003. [GH-1629] - auth/userpass: Prevent timing-based leak in userpass auth method. HCSEC-2025-15 / CVE-2025-6011 / CVE-2025-54999. Assumed to also apply to HCSEC-2025-21 / CVE-2025-6010. [GH-1628] - core/auth: Correctly handle alias lookahead for user lockout consistency. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998. - auth/userpass: Consistently handle alias lookahead as case insensitive. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998. - auth/ldap: Attempt consistent entity aliasing w.r.t. spacing and casing. HCSEC-2025-16 / CVE-2025-6004 / CVE-2025-54998 and HCSEC-2025-20 / CVE-2025-6013 / CVE-2025-55001. [GH-1632] - core/identity: Correctly lowercase policy names to prevent root policy assignment. HCSEC-2025-13 / CVE-2025-5999 / CVE-2025-54996. [GH-1627] - secrets/totp: Fix TOTP verification reuse bypass when the TOTP code contains spaces. HCSEC-2025-17 / CVE-2025-6014 / CVE-2025-55000. [GH-1625] * IMPROVEMENTS - core: Update to Go 1.24.6. [GH-1637] * BUG FIXES - Ignore missing mounts when deleting a namespace. This can happen when a mount is unmounted in parallel. [GH-1594] - agent/template: add missing backoff mechanism for the templating server [GH-1448] - core/namespaces: fixed race condition in namespace deletion operation during instance sealing [GH-1525] - core/policies: fix bug with missing existing policies in namespaces during failover, startup [GH-1613] - identity/oidc: Fix unintentional lowercasing of namespace accessor in assignments. 
[GH-1539] * Mon Jun 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 2.3.1: * Bump to v2.3.1 - Drop Illumos support per policy in #711 (#1503) * Bump sdk to v2.3.1, add changelog to v2.3.0 (#1501) * Bump API to v2.3.1 in core, sdk (#1500) * Minor improvements to CEL for PKI (#1390) (#1499) * Allow disabling unauthenticated rekey (#1498) * Add changelog entry for sdk/framework vulnerability (#1497) * Fix PostgreSQL table creation on replica (#1478) (#1494) * Namespaces UI support (#1406) (#1484) * Fix identity store resolution (#1432) (#1491) * Go dependency bumps to fix vulnerabilities in dependencies (#1492) * Backport go-viper/mapstructure/v2 move (#1488) * Point goreleaser and container image contacts to new OpenSSF domain (#1415) (#1489) * Fix changelog entries (#1440) (#1487) * HSM: Add arm64 builds & Alpine containers (#1427) (#1486) * Fix flaky PostgreSQL backend connection test (#1368) (#1485) * Fix detailed metadata on list results (#1388) (#1483) * CEL for Certificate Issuance Policy (#794) (#1482) * Deprecation notice for undocumented duplicate PKCS#11 seal options (#1385) (#1481) * Bump github.com/ebitengine/purego to v0.8.4 (#1373) * Changelog for v2.3.0-beta20250528 (#1371) * Update to go-kms-wrapping/v2.4.0 (#1370) * Track lock in namespace entry directly (#1367) * Add check and set for policies (#1162) * Namespaces locking/unlocking implementation (#1347) * Add policy and path expiration (#1142) * Add NeoNephos to supporters section of homepage (#1363) * Support clearing views via pagination, with transaction (#1102) * Describe how user access and roles are managed to cover OSPS-AC-02.01 (#1359) * Use per-namespace storage layouts for identity (#1360) * Update contributors and maintainers information (#1305) * add hsm docker distribution to downloads page (#1353) * MFA Login namespace adjustments (#1348) * Describe usage of artifacts stores to cover OSPS-QA-05 (#1355) * Describe how dependencies are tracked as part of 
OSPS-QA-02.01 (#1354) * Detailed metadata in policy endpoint (#1224) * Display seal configuration info keys in logs (#1346) * Renew `goodcertbadroot.pem` (#1351) * discarded ctx cancel functions * struct literal uses unkeyed fields * malformed struct field tag * the ctxCancel function is not used on all paths (possible context leak) * unreachable code * Release note on PKCS#11 library finalization (see go-kms-wrapping) * Better document configuration directories * Add changelog entry * Fix description of OU field in UI * Namespaces: Test flake, deadlock, race condition cleanup (#1311) * Add changelog to namespaces (#1321) * Fix `/sys/remount` across namespaces (#1259) * Hierarchical namespace storage (#1317) * Move namespace resolution from http to core (#1279) * Delete namespace-level quota on namespace deletion (#1296) * fairshare job manager/worker: stop synchronously (#1291) * Namespace-aware password policy storage & lookup (#1282) * Add namespace-aware rate-limit quota (#1161) * fix(identity): ensure identity store is set only for root namespace (#1271) * Fix preSeal ordering w.r.t NamespaceStore (#1269) * Implement Cascading Delete for Namespaces and Associated Resources (#1206) * move namespace uuid into namespace struct (#1167) * Forbid illegal namespace characters (#1203) * Namespaces Regression: Restricted APIs in `sys/raw` (#1163) * Tests for namespace route resolution - issue #1020 (#1201) * Fix namespace, mount name exclusion logic (#1202) * Namespace aware identity store #1110 (#1159) * Namespace-aware Expiration Manager #1125 (#1158) * Namespace-aware token store #1068 (#1123) * Implement namespace name restrictions #1023 (#1143) * feat: add `bao namespace scan` (#1133) * Refactor namespace store (#1113) * implement namespace aware plugin storage (#1157) * Add support for child namespaces (#1051) * Implement namespace aware Cubbyhole #1067 (#1112) * Polish namespaces API (#1041) * Add PATCH support to namespaces API (#1027) * Namespace aware policy 
store #1069 (#1106) * Create required mounts when setting up namespace (#1047) * Correctly handle request routing (#1028) * Polish NamespaceStore implementation (#1026) * Add NamespaceStore to the namespace branch (#896) * Fix various minor docs formatting issues (#1344) * Add JSON configuration example to website (#1338) * Bump dependencies (#1318) * Bump ubi9-minimal from 9.5 to 9.6 (#1329) * Allow building with HSM support on MacOS (#1330) * Bump to Go 1.24.3 (#1324) * Prevent information disclosure on invalid request (#1323) * PostgreSQL - Remove redundant PermitPool (#1299) * Fix deadlock on legacy root key path migration (#1234) * Support retrying PostgreSQL connection (#1280) * Allow lazy discovery of OIDC connection information (#1306) * Bump actions/setup-go from 5.4.0 to 5.5.0 in /.github/actions/set-up-go (#1309) * Fix marshaling and setting nil request body (#1315) * Add JWT CEL Role RFC (#1312) * Add OSPS to policies (#1313) * Describe coverage of OSPS requirement OSPS-QA-01.02 (#1307) * Fix incorrect conversion between integer types (on <64 bit systems) (#1310) * Bump go.opentelemetry.io/otel/trace from 1.34.0 to 1.35.0 (#1294) * CEL auth program evaluation during JWT login (#869) * Add CEL best practices RFC (#1267) * Affirm Level 1: OSPS-LE-02.01 (#1287) * Affirm Level 1: OSPS-VM-02.01 has been met (#1273) * Allow empty PostgreSQL connection URLs (#1297) * chore(tools): rm codechecker bin (#1292) * Affirm Level 1: OSPS-DO-01.01 (#1286) * Affirm Level 1: OSPS-GV-03.01 (#1285) * Document coverage of OSPS requirement OSPS-QA-01.01 (#1289) * Minor cleanup of the rekey webpage (#1288) * Bump actions/download-artifact from 4.2.1 to 4.3.0 (#1275) * Bump github.com/go-sql-driver/mysql from 1.8.1 to 1.9.2 (#1277) * Bump github.com/openbao/go-kms-wrapping/wrappers/pkcs11/v2 (#1276) * chore: remove artifacts in `dependencies/` (#1272) * Fix make goreleaser-check after split (#1257) * Add release notes for v2.2.1 to website (#1256) * Update critical 
dependencies (#1251) * Return quoted string when -output-curl-string flag is passed #1038 (#1238) * Bump ember-test-selectors from 6.0.0 to 7.1.0 in /ui (#1239) * match ssh test to updated behaviour (#1243) * (secrets/pki): add not_before_bound and not_after_bound (#1172) * Bump github.com/golangci/revgrep (#1240) * Bump k8s.io/api from 0.32.1 to 0.32.3 (#1241) * Bump actions/setup-node from 4.3.0 to 4.4.0 (#1242) * Do not encode empty subproblems in ACME (#1236) * Fix name of org-level maintainers team (#1237) * fix(ssh): `generate_signing_key=false` not honored on issuer submission endpoints (#1235) * Bump actions/upload-artifact from 4.6.1 to 4.6.2 (#1148) * Fix test-ui (#1211) * Upgrade ESLint and prettier (#1218) * Bump highlight.js from 10.7.2 to 11.11.1 in /ui (#1035) * Bump honnef.co/go/tools from 0.4.3 to 0.6.1 (#1217) * Bump mvdan.cc/gofumpt from 0.7.0 to 0.8.0 (#1216) * Fix vault/diagnose test failure (#1221) * Add h1 for mfa-validate api-doc (#1230) * Clarify that region is required (#1220) * doc(telemetry.mdx): add metrics_prefix (#1214) * Do not set LimitNOFILE (#1179) * update SSH‑CA configure acceptance test for multi‑issuer flow (#1210) * build: update Go version and dependencies (#1209) * Another attempt to fix TestOIDC_PeriodicFunc (#1178) * Transactions for ssh-related functions (#989) * Bump github.com/ory/dockertest/v3 from 3.10.0 to 3.12.0 (#1197) * Add guide for listing detailed endpoints (#1190) * Bump typescript from 5.8.2 to 5.8.3 in /website (#1195) * Bump golang.org/x/text from 0.23.0 to 0.24.0 (#1196) * Bump actions/go-dependency-submission from 2.0.1 to 2.0.3 (#1192) * Bump actions/setup-go from 5.3.0 to 5.4.0 in /.github/actions/set-up-go (#1193) * fix mirror workflow (#1191) * Add Dave to DevWG voting members (#1187) * Add support for automatic unsealing of OpenBao using a KMIP protocol (#1144) * Add action to mirror repo to Codeberg (#1186) * Bump actions/cache from 4.2.2 to 4.2.3 (#1149) * Bump react-dom from 19.0.0 to 19.1.0 in 
/website (#1174) * Bump gotest.tools/gotestsum from 1.10.0 to 1.12.1 (#1118) * Bump actions/download-artifact from 4.1.9 to 4.2.1 (#1150) * Bump actions/setup-node from 4.2.0 to 4.3.0 (#1151) * Bump actions/cache from 4.2.2 to 4.2.3 in /.github/actions/set-up-go (#1152) * Bump github.com/hashicorp/go-secure-stdlib/password from 0.1.1 to 0.1.4 (#1153) * Add link to dev-wg project in CONTRIBUTING.md (#1180) * Add new moderators: voigt, Gabrielopesantos, karras (#1171) * docs: Add SSH CA Multi-issuer RFC to website docs (#1146) * Support Multiple Issuers for SSH Secret Engine Mounts (#880) * config.go: fix config file filename comment (de-vault) (#1141) * Validate policies can contain comments, be JSON (#1134) * PKI test failure (#1139) * Remove beta warning (#1138) * Add hex to templating for ACL policies (#1081) * Add webpage for OSPS baseline (#1124) * fix(docs/pkcs11): remove documentation regarding key generation (#1135) * Allow periodicFunc to execute "now" (#1129) * docs: Correct config file location in token helper docs (#1132) * Add EdgeX Selects OpenBao Blog (#1127) * Add GitLab to supporters section of homepage (#1128) * Address timing issue caused by race-detection slowdown (#1100) * Fix vulns (#1126) * Fix ACME TLS documentation (#1122) * Mitigate security risks found using Zizmor (#924) * add rfc#432 to docs rfc index (#1116) * Bump ember-cli-deprecation-workflow from 2.1.0 to 3.2.0 in /ui (#1104) * website: Fix typos in website content (#1108) * Officially add TSC membership process (#1101) * Bump browser-actions/setup-chrome from 1.7.2 to 1.7.3 (#1089) * Bump actions/setup-node from 4.1.0 to 4.2.0 (#1092) * Bump webpack from 5.97.1 to 5.98.0 in /ui (#1094) * Use consistent path for root key (#1006) * Bump github.com/shirou/gopsutil/v4 from 4.24.12 to 4.25.2 (#1095) * Bump actions/download-artifact from 4.1.8 to 4.1.9 * Bump actions/upload-artifact from 4.6.0 to 4.6.1 * Bump actions/setup-go from 4.0.1 to 5.3.0 in /.github/actions/set-up-go * Add 
wildcard so dependabot traverses child directories (#1088) * Add v2.2.0 changelog to release notes (#1085) * Nit: Fix link to create/update role in api/pki docs (#1071) * Bump github.com/hashicorp/cap from 0.8.0 to 0.9.0 (#1058) * Bump actions/cache to v4, use pinning (#1064) * Bump prettier-eslint-cli from 7.1.0 to 8.0.1 in /ui (#1059) * Bump typescript from 5.7.3 to 5.8.2 in /website (#1057) * Simplify Goreleaser templates (#1039) * userpass: fix the wrong error return value (#1055) * Add blog post for horizontal scalability (#1049) * fix(ui): repairs missing checkmarks, in checkboxes, due to invalid usage of sass-svg-uri (#1042) * Bump github.com/hashicorp/cap from 0.3.0 to 0.8.0 (#1036) * Bump swagger-ui-dist from 5.18.2 to 5.19.0 in /ui (#1034) * Bump d3-transition from 1.3.2 to 3.0.1 in /ui (#1032) * fix prerelease image tagging (#1030) * Revive Valkey plugin (#1019) * Add API and CLI commands to promote/demote nodes in the Raft cluster (#996) * cleanup leftover DR Token options (#1018) * Add transaction wrappers to database endpoints (#995) * Add transactions to AppRole funcs (#992) * Bump github.com/natefinch/atomic (#1012) * Update libraries.mdx (#1015) * Bump @types/rsvp from 4.0.4 to 4.0.9 in /ui (#1011) * Bump qunit-dom from 2.0.0 to 3.4.0 in /ui (#1010) * Bump @types/ember-resolver from 5.0.13 to 9.0.2 in /ui (#1009) * Bump ember-cli-htmlbars from 6.0.1 to 6.3.0 in /ui (#1008) * identity: return metadata when listing entity-aliases (#1013) * Minor docs improvements and chore (#1005) * Mon Jun 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 2.3.1: OpenBao v2.3.0 is unreleased due to a bug in Illumos builds. * SECURITY - core/sys: Add listener parameter (disable_unauthed_rekey_endpoints, default: false) to optionally disable unauthenticated rekey operations (to sys/rekey/* and sys/rekey-recovery-key/*) for a listener. This will be set to true in a future release; see the deprecation notice for more information. 
Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656. - sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. [GH-1495] * CHANGES - packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also golang/go#46279. [GH-1179] - storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297] - packaging: Support for Illumos removed due to broken builds [GH-1503] * FEATURES - KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144] - Namespaces UI Support: Added namespace UI support, including namespace picker and namespace management pages. [GH-1406] - Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation. - Create, read, update, delete a hierarchical directory of namespaces - Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more - Migrate (remount) secrets engines and auth methods between namespaces - Lock and unlock namespaces - Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!) - CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165] - Add ARM64 HSM builds and Alpine-based HSM container images [GH-1427] - Support Common Expression Language (CEL) in PKI. CEL allows role authors to create flexible, dynamic certificate policies with complex, custom validation support and arbitrary control over the final certificate object. [GH-794] - auth/jwt: Add support for Common Expression Language (CEL) login roles. CEL allows role authors to create flexible, dynamic policies with complex, custom claim validation support and arbitrary templating of logical.Auth data. 
[GH-869] - ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880] * IMPROVEMENTS - When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346] - approle: Use transactions for read + write operations [GH-992] - auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306] - core/identity: add unsafe_cross_namespace_identity to give compatibility with Vault Enterprise's cross-namespace group membership. [GH-1432] - core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162] - core/policies: Add endpoint to allow detailed listing of policies [GH-1224] - core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142] - core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102] - database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019] - database: Use transactions for read-then-write methods in the database package [GH-995] - pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172] - ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989] - storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280] * DEPRECATIONS - Configuration of PKCS#11 auto-unseal using the duplicate and undocumented module, token and key options is now deprecated. Use the documented alternative options lib, token_label and key_label instead, respectively. 
(More details) [GH-1385] * BUG FIXES - api: Stop marshaling nil interface data and adding it as a request body on an api.Request [GH-1315] - core/identity: load namespace entities, groups into MemDB preventing them from disappearing on restart. [GH-1432] - oidc: add some buffer time after calling oidcPeriodicFunc in test, to prevent flakiness [GH-1178] - pki: addresses a timing issue revealed in pki Backend_RevokePlusTidy test [GH-1139] - sealing/pkcs11: OpenBao now correctly finalizes the PKCS#11 library on shutdown (openbao/go-kms-wrapping#32). - This is unlikely to have caused many real-world issues so far. [GH-1349] - secrets/kv: Fix panic on detailed metadata list when results include a directory. [GH-1388] - storage/postgresql: Remove redundant PermitPool enforced by db.SetMaxOpenConns(...). [GH-1299] - storage/postgresql: skip table creation automatically on PostgreSQL replicas [GH-1478] - vault: addresses a timing issue revealed in OIDC_PeriodicFunc test [GH-1129] - vault: fixes a timing issue in OIDC_PeriodicFunc test [GH-1100] * Sat May 31 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 2.2.2: Release notes: https://github.com/openbao/openbao/blob/v2.2.2/CHANGELOG.md * SECURITY: - sdk/framework: prevent information disclosure on invalid request. HCSEC-2025-09 / CVE-2025-4166. [GH-1323] * BUG FIXES: - ui: Fix description of Organizational Unit (OU) field in PKI. 
[GH-1333] * Thu Apr 24 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de> - Update to version 2.2.1: * Release v2.2.1 (#1255) * Backport core deps (#1252) * Return quoted string when -output-curl-string flag is passed [#1038] (#1238) (#1250) * build: update Go version and dependencies (#1209) (#1246) * Fix vulns (#1126) (#1245) * Fix vault/diagnose test failure (#1221) (#1247) * Do not encode empty subproblems in ACME (#1236) (#1248) * Fix name of org-level maintainers team (#1237) (#1249) * Wed Mar 05 2025 opensuse_buildservice@ojkastl.de - Update to version 2.2.0: Release notes: https://openbao.org/docs/release-notes/2-2-2/#220 Full list of changes: https://github.com/openbao/openbao/compare/v2.1.0...v2.2.0 * New Features: - ACME TLS Listener Certificate Provisioning: Automatically fetch TLS certificates for OpenBao Server's TCP listeners via an Automatic Certificate Management Environment (ACME - RFC 8555) capable certificate authority (CA). This allows OpenBao to be self-hosted, using a CA contained within the instance to sign the instance's own certificates. [GH-857] - PKCS#11 Auto-Unseal: Add support for automatic unsealing of OpenBao using a PKCS#11-enabled Hardware Security Module (HSM) or Key Management System (KMS). [GH-889] - Scanning: introduce the ability to recursively list (scan) within plugins, adding a separate scan ACL capability, operation type, HTTP verb (SCAN with GET fallback via ?scan=true), API, and CLI support. This also adds support to the KVv1 and KVv2 engines. [GH-763] - Transit: Add support for key derivation mechanisms (derives a new key from a base key). - This path uses the named base key and derivation algorithm specific parameters to derive a new named key. - Currently, only the ECDH key agreement algorithm is supported: the base key is one's own ECC private key and the "peer_public_key" is the pem-encoded other party's ECC public key. The computed shared secret is the resulting derived key.
[GH-811] - UI: Reintroduction of the WebUI. [GH-940] - raft: Added support for nodes to join the Raft cluster as non-voters. [GH-741] * Changes - command/server: Prevent and warn about loading of duplicate config file from config directory. [GH-816] - container: Set -dev-no-store-token in default container images, fixing default read-only containers. [GH-826] - core/seal: remove support for legacy pre-keyring barrier entries core/seal: remove support for legacy (direct) shamir unseal keys [GH-750] - core: Remove support for Solaris due to lack of Docker support. [GH-710] * Wed Jan 22 2025 opensuse_buildservice@ojkastl.de - Update to version 2.1.1: * Add changelog for v2.1.1 (#932) * Update all keys and certs to TTL 100 years (#793) (#931) * Fix expired cert auth test-fixture (#892) (#930) * Bump to latest Go 1.23.5 version (#912) (#929) * Bump alpine from 3.20 to 3.21 (#831) (#928) * Bump extended standard library dependencies (#927) * Fri Nov 29 2024 opensuse_buildservice@ojkastl.de - Update to version 2.1.0: * Note: - This release does not ship with the UI enabled. The UI will be available in the future. #129 - OpenBao does not provide support for Vault Enterprise features. If there is an enterprise feature you would like to see added to the project, please open a feature request. - OpenBao is fully API compatible with Vault 1.14.9, and seal compatible with the plugins the project supports. Plugin support for OpenBao can be found here. * New Features: - Remove Mount Table Limits: Using transactional storage, we've split the auth and secret mount tables into separate storage entries, removing the requirement that the entire table fit into a single storage entry limited by max_entry_size. This allows potentially hundreds of thousands of mounts on a single scaled-up server. [GH-622] - Transactional Storage: Plugin developers can now take advantage of safe storage modification APIs when the underlying physical storage supports them.
The physical.TransactionalBackend and logical.TransactionalStorage types allow developers to begin read-only and writable transactions, committing or rolling back the desired changes. [GH-292] - Transit: Support PKI CSR and certificate storage alongside key material. This allows callers to securely create keys and submit requests for certificates without the key material leaving Transit. Storage of the certificate on the key avoids the need for an additional K/V mount. Rotation of this certificate and its chain is also supported. [GH-536] - auth/oidc: Add a new callback_mode role option value device to use the oidc device flow instead of a callback, add a new poll_interval role option to control how often to poll for a response, and add a new callbackmode=device option to the oidc login method in the cli. [GH-319] - auth/oidc: Add new callback_mode=direct role option to cause the oidc callback to be direct to the server instead of the client, and add a callbackmode=direct option to the oidc login method in the cli. [GH-318] - physical/postgres: Reintroduce Postgres database for OpenBao storage, implementing paginated list support. This feature is currently in preview and breaking changes may occur. [GH-467] * Changelog - 93609bf: Add changelog for v2.1.0 GA (#772) (@cipherboy) - d083548: Bump go-kms-wrapping, openbao-template prior to release (#770) (@cipherboy) - Full changelog see https://github.com/openbao/openbao/releases/tag/v2.1.0 https://github.com/openbao/openbao/releases/tag/v2.1.0-beta20241114.3 * Tue Nov 19 2024 opensuse_buildservice@ojkastl.de - Update to version 2.0.3: * This release does not ship with the UI enabled. The UI will be available in the future. #129 * OpenBao does not provide support for Vault Enterprise features. If there is an enterprise feature you would like to see added to the project, please open a feature request. * OpenBao is fully API compatible with Vault 1.14.9, and seal compatible with the plugins the project supports.
Plugin support for OpenBao can be found [here](https://github.com/orgs/openbao/discussions/64). * Add v2.0.3 to CHANGELOG.md (#728) * Bump golang.org/x/net (#692) (#726) * Bump github.com/go-jose/go-jose/v3 to v3.0.3 (#693) (#727) * Bump go version to 1.22.9 for v2.0.3 release (#725) * Fix goreleaser prerelease status (#713) (#721) * Replace github.com/mholt/archiver/v3 with stdlib (#611) (#714) * Update to UBI 9.5 (#701) (#719) * Fix root namespace permission elevation (#695) (#718) * Bump github.com/golang-jwt/jwt/v4 (#691) (#717) * Compute raft peer bootstrap challenge via HKDF (#690) (#716) * Exclude changelog directory from release archive (#641) (#715) * Update goreleaser config version to 2 (#709) (#720) * Sun Oct 06 2024 opensuse_buildservice@ojkastl.de - Update to version 2.0.2: * This release does not ship with the UI enabled. The UI will be available in the future. #129 * OpenBao does not provide support for Vault Enterprise features. If there is an enterprise feature you would like to see added to the project, please open a feature request. * OpenBao is fully API compatible with Vault 1.14.9, and seal compatible with the plugins the project supports. Plugin support for OpenBao can be found [here](https://github.com/orgs/openbao/discussions/64). * use correct Alpine version (#589) * release: v2.0.2 (#586) * Bump to go 1.22.8 (#588) * Deny empty valid_principals during SSH issuance (#561) * Correctly handle IPv6 for HTTP-01 (#559) * add vault symlink to Docker images (#548) * Fix k8s registration variables (#527) * Fix aliasNameFromLoginRequest panic (#512) * fix command `vault print token` to `bao print token` in curl string generated by `buildCurlString()` (#511) * Tue Sep 10 2024 opensuse_buildservice@ojkastl.de - Update to version 2.0.1: * This release does not ship with the UI enabled. The UI will be available in the future. #129 * OpenBao does not provide support for Vault Enterprise features. 
If there is an enterprise feature you would like to see added to the project, please open a feature request. * OpenBao is fully API compatible with Vault 1.14.9, and seal compatible with the plugins the project supports. Plugin support for OpenBao can be found [here](https://github.com/orgs/openbao/discussions/64). * Changelog - Disable UI tests (#479) (@cipherboy) - Fix Ed25519 Pointer in PKI Existing handling (#461) (@cipherboy) - Fix api, sdk modules with v2.0.1 (#425) (@cipherboy) - Fix bao cli login success message (#452) (@sadikkuzu) - Fix broken zlint test (#458) (@cipherboy) - Pass BAO_ADDR to the token helper (#348) (@ruuda) - Update Docker dependency (#505) (@cipherboy) - Update to Go 1.22.6 toolchain for v2.0.1 (#504) (@cipherboy) - fix: variable name collision in docker-entrypoint (#446) (@jackhodgkiss) - labels use openbao as prefix instead of vault (#416) (@finkandreas) - release: v2.0.1 (@JanMa) - build using CGO_ENABLED=0 on i586, s390x and armv7l * Thu Jul 18 2024 opensuse_buildservice@ojkastl.de - Update to version 2.0.0: * This release does not ship with the UI enabled. The UI will be available in the future. #129 * This release provides initial support for artifact signing. * OpenBao does not provide support for Vault Enterprise features. If there is an enterprise feature you would like to see added to the project, please open a feature request. * OpenBao is fully API compatible with Vault 1.14.9, and seal compatible with the plugins the project supports. Plugin support for OpenBao can be found here. 
* Changelog - Gate Docker steps behind GOOS (#412) - Add GOOS matrix to release workflow (#411) - Update Go version, changelog, modules for GA (#410) - set bao binary version info with Goreleaser (#401) - Remove cross-cluster revocation from PKI (#365) - Update docs to include mlock removal RFC (#391) - Bump actions/upload-artifact from 4.3.3 to 4.3.4 (#395) - Clarify fork point in FAQ (#392) - docs: recreate images and diagrams (#397) - Bump test-summary/action from 2.2 to 2.4 (#387) - Remove mlock and replace with cgroups (#363) - Downgrade test-summary/action from 2.3 to 2.2 (#381) - Bump test-summary/action from 2.1 to 2.3 (#199) - Bump browser-actions/setup-chrome from 1.5.0 to 1.7.1 (#377) - Bump actions/github-script from 6.4.1 to 7.0.1 (#198) - Bump actions/upload-artifact from 3.1.2 to 4.3.3 (#376) - fix release asset parsing for download page (#378) - update website dependencies (#368) - docs(token): document the token format (#372) - Fix artifact signing, use default runner - Bump actions/configure-pages from 4 to 5 (#370) * Sun Feb 04 2024 Johannes Kastl <opensuse_buildservice@ojkastl.de> - new package openbao: provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys (open source fork of Hashicorp Vault)
/usr/bin/openbao-mysql-legacy-database-plugin
Generated by rpm2html 1.8.1
Fabrice Bellet, Thu Oct 23 22:58:29 2025