Changelog

edit this page on GitHub ✏️

Recent Updates

TBD

[v0.22.1] - 2024-01-11

Added

• Added expiration and “invalid before” dates to secrets.
• Implemented a basic CI automation that runs test whenever there is a change in the main branch. The automation runs unit and integration tests and send status updates upon failure.
• Upgraded SPIRE and SPIFFE CSI Driver to the latest versions.
• Minor fixes and documentation updates.

[v0.22.0] - 2024-01-08

Added

• Documentation updated, especially around production usage and security.
• Added a make commit helper for a better-commits workflow.
• Added a PR template.
• Achieved great progress towards Open SSF Best Practices compliance; reaching 93% of the requirements.
• Added ability to generate random secrets based on a pattern.
• Added ability to export encrypted secrets.

Changed

• BREAKING: Certain environment variables are renamed to be more consistent with the rest of the project. The old variables are not supported anymore. check out the configuration section of the documentation for more details.
• Updated SPIRE, SPIRE Controller Manager, and SPIFFE CSI Driver to the latest versions.
• Moved older versions of the manifests to a k8s branch, and older snapshots of documentation to a docs branch to keep the main branch clean.

Fixed

• Fixes on workflow scripts to have a more streamlined build process and development experience.
• Minor bugfixes and code enhancements.

[v0.21.5] - 2023-12-18

Changed

• BREAKING: Environment variables related to SPIFFEID are renamed from i.e. VSECM_SENTINEL_SVID_PREFIX to VSECM_SENTINEL_SPIFFEID_PREFIX.

Added

• Documentation updates on security, production installation recommendations, and kind cluster usage for development.
• Minor code enhancements.

Security

• Fixed CVE-2023-48795 Russh vulnerable to Prefix Truncation Attack against ChaCha20-Poly1305 and Encrypt-then-MAC

[v0.21.4] - 2023-11-30

This patch release includes one security update, a minor refactoring, and documentation updates.

Security

• This is a patch release to address GHSA-2c7c-3mj9-8fqh Decryption of malicious PBES2 JWE objects can consume unbounded system resources

[v0.21.3] - 2023-11-03

Added

• Started experimental work on multi-cluster secret federation.
• Various Documentation updates.
• Automated Kubernetes manifest creation from Helm charts.

Security

• Fixed GHSA-m425-mq94-257g gRPC-Go HTTP/2 Rapid Reset vulnerability

[v0.21.2] - 2023-10-18

This is a purely security-focused release that fixes several vulnerabilities and also hardens the AES encryption flow against time-based attacks.

Security

• Fixed CVE-2023-3978 Improper rendering of text nodes in golang.org/x/net/html
• Fixed CVE-2023-39325 HTTP/2 rapid reset can cause excessive work in net/http
• Fixed CVE-2023-44487 swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack
• Fixed an issue with possible memory overflow when doing a cryptographic size computation.
• Added a configurable throttle to AES IV computation to make it harder to perform time-based attacks.
• The computed AES IV is zeroed out after use for additional security.

[v0.21.1] - 2023-10-11

Added

• Fixed spire-controller-manager’s version. The older setup was fixed on nightly which was causing ad-hoc issues.

Changed

• Performance update: VSecM Sentinel now honors SIGTERM and SIGINT signals and gracefully shuts down when the pod is killed.
• Performance update: VSecM Safe is now leveraging several goroutines to speed up some of the blocking code paths during bootstrapping and initialization.
• Minor updates to the documentation.

Security

• VSecM Safe has stricter validation routines for its identity.
• Added VSecM Keygen: a utility application that generates VSecM Safe’s bootstrapping keys if you want an extra level of security and control the creation of the root key.

[v0.21.0] - 2023-09-08

Added

• Documentation updates to make the project align with the current status of VSecM.
• Migrate existing Aegis documentation to the new VMware Secrets Manager documentation site.
• Updated contributing guidelines to make it easier for first-time contributors.
• Published a formal project governance model.
• Added a blog section to the website.
• Decided to add a new helm chart per each release.
• Added instructional video content to the showcase section.

Fixed

• Minor bugfixes after migration; ensuring feature and behavior parity with Aegis.
• Implemented stricter matchers for VSecM Sentinel and VSecM Safe’s Identity.yamls.

Security

• Updated the security policy, clarifying our ideal response time for security vulnerabilities.
• Fixed a minor vulnerability in activesupport dependency: (CVE-2023-38037). fix; dependabot. The vulnerability affects only the website build process, not the VSecM codebase itself. It is not exploitable in our case, but we still wanted to fix it.

[v0.20.0] - 2023-07-27

Added

• Migrated the source code from https://github.com/shieldworks/aegis to https://github.com/vmware-tanzu/secrets-manager
• Did necessary changes for the project to run build and pass tests.
• Created new container image repositories at https://hub.docker.com/u/vsecm.

Changed

• Minor changes to build and deployment scripts.
• BREAKING: The binary that vsecm-sentinel uses is called safe right now (formerly it was aegis).