Skip to content

Bump github.com/openbao/openbao/api/v2 from 2.3.0 to 2.3.1#22

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/main/github.com/openbao/openbao/api/v2-2.3.1
Closed

Bump github.com/openbao/openbao/api/v2 from 2.3.0 to 2.3.1#22
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/main/github.com/openbao/openbao/api/v2-2.3.1

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Jun 26, 2025
edited
Loading

Bumps github.com/openbao/openbao/api/v2 from 2.3.0 to 2.3.1.

Release notes

Sourced from github.com/openbao/openbao/api/v2's releases.

v2.3.1

[!NOTE] OpenBao v2.3.0 is unreleased due to a bug in Illumos builds. Illumos has been removed from v2.3.1 as a result, per policy.

SECURITY

  • core/sys: Add listener parameter (disable_unauthed_rekey_endpoints, default: false) to optionally disable unauthenticated rekey operations (to sys/rekey/* and sys/rekey-recovery-key/*) for a listener. This will be set to true in a future release; see the deprecation notice for more information. Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656.
  • sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. [GH-1495]

CHANGES

  • packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also golang/go#46279. [GH-1179]
  • storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]
  • packaging: Support for Illumos removed due to broken builds [GH-1503]

FEATURES

  • KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
  • Namespaces UI Support: Added namespace UI support, including namespace picker and namespace management pages. [GH-1406]
  • Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
    • Create, read, update, delete a hierarchical directory of namespaces
    • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
    • Migrate (remount) secrets engines and auth methods between namespaces
    • Lock and unlock namespaces
    • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
    • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
  • Add ARM64 HSM builds and Alpine-based HSM container images [GH-1427]
  • Support Common Expression Language (CEL) in PKI. CEL allows role authors to create flexible, dynamic certificate policies with complex, custom validation support and arbitrary control over the final certificate object. [GH-794]
  • auth/jwt: Add support for Common Expression Language (CEL) login roles. CEL allows role authors to create flexible, dynamic policies with complex, custom claim validation support and arbitrary templating of logical.Auth data. [GH-869]
  • ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS

  • When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
  • approle: Use transactions for read + write operations [GH-992]
  • auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
  • core/identity: add unsafe_cross_namespace_identity to give compatibility with Vault Enterprise's cross-namespace group membership. [GH-1432]
  • core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
  • core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
  • core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
  • core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
  • database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
  • database: Use transactions for read-then-write methods in the database package [GH-995]
  • pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
  • ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
  • storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

DEPRECATIONS

... (truncated)

Changelog

Sourced from github.com/openbao/openbao/api/v2's changelog.

2.3.1

June 25, 2025

SECURITY:

  • core/sys: Add listener parameter (disable_unauthed_rekey_endpoints, default: false) to optionally disable unauthenticated rekey operations (to sys/rekey/* and sys/rekey-recovery-key/*) for a listener. This will be set to true in a future release; see the deprecation notice for more information. Auditing is now enabled for these endpoints as well. CVE-2025-52894. Upstream HCSEC-2025-11 / CVE-2025-4656.
  • sdk/framework: prevent additional information disclosure on invalid request. CVE-2025-52893. [GH-1495]

CHANGES:

  • packaging/systemd: Do not set LimitNOFILE, allowing Go to automatically manage this value on behalf of the server. See also golang/go#46279. [GH-1179]
  • storage/postgresql: Support empty connection URLs to use standard component-wise variables [GH-1297]
  • packaging: Support for Illumos removed due to broken builds [GH-1503]

FEATURES:

  • KMIP Auto-Unseal: Add support for automatic unsealing of OpenBao using a KMIP protocol. [GH-1144]
  • Namespaces UI Support: Added namespace UI support, including namespace picker and namespace management pages. [GH-1406]
  • Namespaces: Support for tenant isolation using namespaces, application API compatible with upstream's implementation.
    • Create, read, update, delete a hierarchical directory of namespaces
    • Manage isolated per-namespace secrets engines, auth methods, tokens, policies and more
    • Migrate (remount) secrets engines and auth methods between namespaces
    • Lock and unlock namespaces
    • Route requests to namespaces via path (/my-namespace/secrets) or X-Vault-Namespace header (or both!)
    • CLI support via the bao namespace family of commands and the -namespace flag. [GH-1165]
  • Add ARM64 HSM builds and Alpine-based HSM container images [GH-1427]
  • Support Common Expression Language (CEL) in PKI. CEL allows role authors to create flexible, dynamic certificate policies with complex, custom validation support and arbitrary control over the final certificate object. [GH-794]
  • auth/jwt: Add support for Common Expression Language (CEL) login roles. CEL allows role authors to create flexible, dynamic policies with complex, custom claim validation support and arbitrary templating of logical.Auth data. [GH-869]
  • ssh: Support multiple certificate issuers in SSH secret engine mounts, enabling safer rotation of SSH CA key material [GH-880]

IMPROVEMENTS:

  • When using auto-unseal via KMS, KMS-specific configuration information (non-sensitive) is now logged at server startup. [GH-1346]
  • approle: Use transactions for read + write operations [GH-992]
  • auth/jwt: Support lazy resolution of oidc_discovery_url or jwks_url when skip_jwks_validation=true is specified on auth/jwt/config; OIDC status is now reported on reading the configuration. [GH-1306]
  • core/identity: add unsafe_cross_namespace_identity to give compatibility with Vault Enterprise's cross-namespace group membership. [GH-1432]
  • core/policies: Add check-and-set support for modifying policies, allowing for protection against concurrent modifications. [GH-1162]
  • core/policies: Add endpoint to allow detailed listing of policies [GH-1224]
  • core/policies: Allow setting expiration on policies and component paths, removing policies or preventing usage of path rules after expiration. [GH-1142]
  • core: Support pagination and transactions in ClearView, CollectKeys, and ScanView, improving secret disable memory consumption and request consistency. [GH-1102]
  • database/valkey: Revive Redis plugin as Valkey, the OSI-licensed fork of Redis [GH-1019]
  • database: Use transactions for read-then-write methods in the database package [GH-995]
  • pki: add not_after_bound and not_before_bound role parameters to safely limit issuance duration [GH-1172]
  • ssh: Use transactions for read-then-write or multiple write methods in the ssh package [GH-989]
  • storage/postgresql: support retrying database connection on startup to gracefully handle service ordering issues [GH-1280]

DEPRECATIONS:

  • Configuration of PKCS#11 auto-unseal using the duplicate and undocumented module, token and key options is now deprecated. Use the documented alternative options lib, token_label and key_label instead, respectively. (More details) [GH-1385]

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump github.com/openbao/openbao/api/v2 from 2.3.0 to 2.3.1
9153f90 
Bumps [github.com/openbao/openbao/api/v2](https://github.com/openbao/openbao) from 2.3.0 to 2.3.1.
- [Release notes](https://github.com/openbao/openbao/releases)
- [Changelog](https://github.com/openbao/openbao/blob/main/CHANGELOG.md)
- [Commits](openbao/openbao@v2.3.0...v2.3.1)

---
updated-dependencies:
- dependency-name: github.com/openbao/openbao/api/v2
  dependency-version: 2.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Jun 26, 2025
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Jun 26, 2025

Looks like github.com/openbao/openbao/api/v2 is up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Jun 26, 2025
@dependabot dependabot Bot deleted the dependabot/go_modules/main/github.com/openbao/openbao/api/v2-2.3.1 branch June 26, 2025 21:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants