Add release notes for v2.5.4 (#3156)

Signed-off-by: Jonas Köhnen <jonas.koehnen@sap.com>
Jonas Köhnen
2026-05-21 09:16:09 +02:00
committed by GitHub
parent a0647b2e7b
commit d0f581d80f
4 changed files with 54 additions and 5 deletions
+24
@@ -1,3 +1,27 @@
## 2.5.4
## May 20, 2026
SECURITY:
* core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. [[GH-3076](https://github.com/openbao/openbao/pull/3076)]
* core: Prevent hidden default token issuance from auth plugin endpoints returning both a `logical.Auth{}` response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. [[GH-3150](https://github.com/openbao/openbao/pull/3150)]
* core: Remove legacy lease endpoints (`sys/revoke`, `sys/renew`, `sys/revoke-prefix`, and `sys/revoke-force`) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. [[GH-3152](https://github.com/openbao/openbao/pull/3152)]
IMPROVEMENTS:
* storage/postgresql: Set constraint name to `table+"_pkey"` and `ha_table+"_pkey"` and index to `table+"_idx"` for uniqueness when reusing the same database partition for multiple OpenBao instances. [[GH-2876](https://github.com/openbao/openbao/pull/2876)]
BUG FIXES:
* auth/kerberos: Do not return `logical.Auth{}` response during initial negotiation at the same time as an error. [[GH-3150](https://github.com/openbao/openbao/pull/3150)]
* core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. [[GH-3083](https://github.com/openbao/openbao/pull/3083)]
* core/policies: Fix `list_scan_response_keys_filter_path` incorrectly erring on empty list responses. [[GH-3063](https://github.com/openbao/openbao/pull/3063)]
* core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. [[GH-2953](https://github.com/openbao/openbao/pull/2953)]
* core: Disallow logical secret engines from creating authentication tokens. [[GH-3087](https://github.com/openbao/openbao/pull/3087)]
* core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. [[GH-3006](https://github.com/openbao/openbao/pull/3006)]
* storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. [[GH-3054](https://github.com/openbao/openbao/pull/3054)]
* storage/postgresql: Revert accidental rename of `ha_table` option to `haTable`. Both spellings are now supported to retain compatibility, though `ha_table` takes precedence. [[GH-2876](https://github.com/openbao/openbao/pull/2876)]
## 2.5.3
## April 20, 2026
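Review bot: the `core:` SECURITY entry that removes `sys/revoke`, `sys/renew`, `sys/revoke-prefix` and `sys/revoke-force` is also a breaking API change for any caller still on those paths, so the line should tell operators what to migrate to before upgrading rather than only citing GHSA-v8v8-cm84-m686 / CVE-2026-45808; consider a matching entry under a CHANGES heading (or a short clause on this line) naming the replacement endpoints, and rephrase "due to cross-namespace lease modification" to something like "to close a cross-namespace lease modification issue", since "due to" reads as if the removal were caused by the modification rather than fixing it.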
+1 -1
@@ -1,3 +1,3 @@
```release-note:bug
physical/raft: wait for shutdown to avoid panic
physical/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers.
```
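Review bot: this fragment keeps the `physical/raft:` component prefix, while the entry added to CHANGELOG.md and to the release notes in this same commit reads `storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers.`; the generated changelog will then disagree with the hand-edited one, so use the same prefix in both places (change this line to `storage/raft:`, or the CHANGELOG/release-note lines to `physical/raft:`).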
+2 -2
@@ -1,3 +1,3 @@
```release-note:bug
core/auth: fix audit logs dropping custom headers when using inline auth
```release-note:security
core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358.
```
@@ -5,11 +5,36 @@ description: Release notes for OpenBao 2.5.x
# OpenBao 2.5.x release notes
## v2.5.4
**Release date:** May 20, 2026
### SECURITY
* core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. [[GH-3076](https://github.com/openbao/openbao/pull/3076)]
* core: Prevent hidden default token issuance from auth plugin endpoints returning both a `logical.Auth{}` response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. [[GH-3150](https://github.com/openbao/openbao/pull/3150)]
* core: Remove legacy lease endpoints (`sys/revoke`, `sys/renew`, `sys/revoke-prefix`, and `sys/revoke-force`) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. [[GH-3152](https://github.com/openbao/openbao/pull/3152)]
### IMPROVEMENTS
* storage/postgresql: Set constraint name to `table+"_pkey"` and `ha_table+"_pkey"` and index to `table+"_idx"` for uniqueness when reusing the same database partition for multiple OpenBao instances. [[GH-2876](https://github.com/openbao/openbao/pull/2876)]
### BUG FIXES
* auth/kerberos: Do not return `logical.Auth{}` response during initial negotiation at the same time as an error. [[GH-3150](https://github.com/openbao/openbao/pull/3150)]
* core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. [[GH-3083](https://github.com/openbao/openbao/pull/3083)]
* core/policies: Fix `list_scan_response_keys_filter_path` incorrectly erring on empty list responses. [[GH-3063](https://github.com/openbao/openbao/pull/3063)]
* core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. [[GH-2953](https://github.com/openbao/openbao/pull/2953)]
* core: Disallow logical secret engines from creating authentication tokens. [[GH-3087](https://github.com/openbao/openbao/pull/3087)]
* core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. [[GH-3006](https://github.com/openbao/openbao/pull/3006)]
* storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. [[GH-3054](https://github.com/openbao/openbao/pull/3054)]
* storage/postgresql: Revert accidental rename of `ha_table` option to `haTable`. Both spellings are now supported to retain compatibility, though `ha_table` takes precedence. [[GH-2876](https://github.com/openbao/openbao/pull/2876)]
## v2.5.3
**Release date:** April 20, 2026
## SECURITY
### SECURITY
* auth/cert: Prevent token renewal with different-but-valid certificate. GHSA-7ccv-rp6m-rffr / CVE-2026-39388. [[GH-2932](https://github.com/openbao/openbao/pull/2932)]
* auth/token: Prevent cross-namespace token renewal, revocation by accessor. GHSA-p49j-v9wc-wg57 / CVE-2026-40264. [[GH-2934](https://github.com/openbao/openbao/pull/2934)]
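Review bot: changing `## SECURITY` to `### SECURITY` under `## v2.5.3` fixes the heading nesting, and the new v2.5.4 block above already uses `###` for SECURITY, IMPROVEMENTS and BUG FIXES; only this heading and `## BUG FIXES` (next hunk) are corrected in the 2.5.3 entry, so check whether that entry has any other `##` section heading (for example IMPROVEMENTS or CHANGES) that needs the same level change so the two releases render with the same structure.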
@@ -19,7 +44,7 @@ description: Release notes for OpenBao 2.5.x
* core/namespaces: Ensure lease revocation on namespace re-deletion. GHSA-vv66-6rp4-wr4f. [[GH-2935](https://github.com/openbao/openbao/pull/2935)]
* database/postgresql: Correctly quote schema name in revoke statement. GHSA-6vgr-cp5c-ffx3 / CVE-2026-39946. [[GH-2931](https://github.com/openbao/openbao/pull/2931)]
## BUG FIXES
### BUG FIXES
* command/server: Refuse repeated startup if self-initialization failed on initial run. [[GH-2908](https://github.com/openbao/openbao/pull/2908)]
* core: Fix namespace invalidation on standby when disable_cache=true is set. [[GH-2822](https://github.com/openbao/openbao/pull/2822)]