chore(deps): bump github.com/hashicorp/vault from 1.17.6 to 1.18.1

[dependabot]

Bumps github.com/hashicorp/vault from 1.17.6 to 1.18.1.

Release notes

Sourced from github.com/hashicorp/vault's releases.

v1.18.1

No release notes provided.

v1.18.0

CHANGES:

• activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
• activity (enterprise): remove deprecated fields distinct_entities and non_entity_tokens [GH-27830]
• activity log: Deprecated the field "default_report_months". Instead, the billing start time will be used to determine the start time when querying the activity log endpoints. [GH-27350]
• activity log: Deprecates the current_billing_period field for /sys/internal/counters/activity. The default start time will automatically be set the billing period start date. [GH-27426]
• activity: The activity export API now requires the sudo ACL capability. [GH-27846]
• activity: The activity export API now responds with a status of 204 instead 400 when no data exists within the time range specified by start_time and end_time. [GH-28064]
• activity: The startTime will be set to the start of the current billing period by default. The endTime will be set to the end of the current month. This applies to /sys/internal/counters/activity, /sys/internal/counters/activity/export, and the vault operator usage command that utilizes /sys/internal/counters/activity. [GH-27379]
• api: Update backoff/v3 to backoff/v4.3.0 [GH-26868]
• auth/alicloud: Update plugin to v0.19.0 [GH-28263]
• auth/azure: Update plugin to v0.19.0 [GH-28294]
• auth/cf: Update plugin to v0.18.0 [GH-27724]
• auth/cf: Update plugin to v0.19.0 [GH-28266]
• auth/gcp: Update plugin to v0.19.0 [GH-28366]
• auth/jwt: Update plugin to v0.21.0 [GH-27498]
• auth/jwt: Update plugin to v0.22.0 [GH-28349]
• auth/kerberos: Update plugin to v0.13.0 [GH-28264]
• auth/kubernetes: Update plugin to v0.20.0 [GH-28289]
• auth/oci: Update plugin to v0.17.0 [GH-28307]
• cli: The undocumented -dev-three-node and -dev-four-cluster CLI options have been removed. [GH-27578]
• consul-template: updated to version 0.39.1 [GH-27799]
• core(enterprise): Updated the following two control group related errors responses to respond with response code 400 instead of 500: control group: could not find token, and control group: token is not a valid control group token.
• core: Bump Go version to 1.22.7
• database/couchbase: Update plugin to v0.12.0 [GH-28327]
• database/elasticsearch: Update plugin to v0.16.0 [GH-28277]
• database/mongodbatlas: Update plugin to v0.13.0 [GH-28268]
• database/redis-elasticache: Update plugin to v0.5.0 [GH-28293]
• database/redis: Update plugin to v0.4.0 [GH-28404]
• database/snowflake: Update plugin to v0.12.0 [GH-28275]
• sdk: Upgrade to go-secure-stdlib/plugincontainer@v0.4.0, which also bumps github.com/docker/docker to v26.1.5+incompatible [GH-28269]
• secrets/ad: Update plugin to v0.19.0 [GH-28361]
• secrets/alicloud: Update plugin to v0.18.0 [GH-28271]
• secrets/azure: Update plugin to v0.19.2 [GH-27652]
• secrets/azure: Update plugin to v0.20.0 [GH-28267]
• secrets/gcp: Update plugin to v0.20.0 [GH-28324]
• secrets/gcpkms: Update plugin to v0.18.0 [GH-28300]
• secrets/gcpkms: Update plugin to v0.19.0 [GH-28360]
• secrets/kubernetes: Update plugin to v0.9.0 [GH-28287]
• secrets/kv: Update plugin to v0.20.0 [GH-28334]
• secrets/mongodbatlas: Update plugin to v0.13.0 [GH-28348]
• secrets/openldap: Update plugin to v0.14.0 [GH-28325]

... (truncated)

Changelog

Sourced from github.com/hashicorp/vault's changelog.

1.18.1

October 30, 2024

SECURITY:

• core/raft: Add raft join limits [GH-28790, HCSEC-2024-26]

CHANGES:

• auth/azure: Update plugin to v0.19.1 [GH-28712]
• secrets/azure: Update plugin to v0.20.1 [GH-28699]
• secrets/openldap: Update plugin to v0.14.1 [GH-28479]
• secrets/openldap: Update plugin to v0.14.2 [GH-28704]
• secrets/openldap: Update plugin to v0.14.3 [GH-28780]

IMPROVEMENTS:

• core: Add a mount tuneable that trims trailing slashes of request paths during POST. Needed to support CMPv2 in PKI. [GH-28752]
• raft/snapshotagent (enterprise): upgrade raft-snapshotagent to v0.0.0-20241003195753-88fef418d705
• ui: Add button to copy secret path in kv v1 and v2 secrets engines [GH-28629]
• ui: Adds copy button to identity entity, alias and mfa method IDs [GH-28742]

BUG FIXES:

• agent: Fix chown error running agent on Windows with an auto-auth file sinks. [GH-28748]
• audit: Prevent users from enabling multiple audit devices of file type with the same file_path to write to. [GH-28751]
• cli: Fixed a CLI precedence issue where -agent-address didn't override VAULT_AGENT_ADDR as it should [GH-28574]
• core/seal (enterprise): Fix bug that caused seal generation information to be replicated, which prevented disaster recovery and performance replication clusters from using their own seal high-availability configuration.
• core/seal: Fix an issue that could cause reading from sys/seal-backend-status to return stale information. [GH-28631]
• core: Fixed panic seen when performing help requests without /v1/ in the URL. [GH-28669]
• kmip (enterprise): Use the default KMIP port for IPv6 addresses missing a port, for the listen_addrs configuration field, in order to match the existing IPv4 behavior
• namespaces (enterprise): Fix issue where namespace patch requests to a performance secondary would not patch the namespace's metadata.
• proxy: Fix chown error running proxy on Windows with an auto-auth file sink. [GH-28748]
• secrets/pki: Address issue with ACME HTTP-01 challenges failing for IPv6 IPs due to improperly formatted URLs [GH-28718]
• ui: No longer running decodeURIComponent on KVv2 list view allowing percent encoded data-octets in path name. [GH-28698]

1.18.0

October 9, 2024

SECURITY:

• secrets/identity: A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their privileges to Vault's root policy (CVE-2024-9180) HCSEC-2024-21

CHANGES:

• activity (enterprise): filter all fields in client count responses by the request namespace [GH-27790]
• activity (enterprise): remove deprecated fields distinct_entities and non_entity_tokens [GH-27830]
• activity log: Deprecated the field "default_report_months". Instead, the billing start time will be used to determine the start time when querying the activity log endpoints. [GH-27350]
• activity log: Deprecates the current_billing_period field for /sys/internal/counters/activity. The default start time will automatically be set the billing period start date. [GH-27426]

... (truncated)

Commits

• f479e5c [VAULT-32181] This is an automated pull request to build all artifacts for a ...
• d92fac4 backport of commit 195dfca433028887973f5bd82d173d91fe9dab4a (#28791)
• 328fbc2 backport of commit 2eaae5e87bc926d61a02554425f3e815ff5ee3ab (#28787)
• 72c3a8e backport of commit 4688583754ef1e6cc6533ee9677a92b4651a1673 (#28785)
• e8c74b6 backport of commit c62d24dfc76dde52710b5645ed9318decc7943e6 (#28784)
• 2e9cc4d backport of commit a384eac192d362692d6600b5021239b36b799b53 (#28783)
• d45d044 backport of commit cccad7d53f8901aee84f4cac23f46384bff5d8ac (#28777)
• 24d1f9f backport of commit f439a1eece9e27d787ebc1ae187c0ca19de8800d (#28776)
• 337b222 backport of commit dec3bcc1aafec8c355f5435e5bc4953ce794eeb7 (#28774)
• 1ca2e01 backport of commit b4c332626f8d67cc970db5b8990b5ce9b1e1d5c9 (#28768)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.