chore(deps): update openbao to v2.5.3 #6115

renovate-bot · 2026-04-20T21:17:03Z

renovate-bot commented

2026-04-20 21:17:03 +00:00

This PR contains the following updates:

Package	Update	Change
openbao/openbao	patch	`2.5.2` → `2.5.3`
quay.io/openbao/openbao	patch	`2.5.2` → `2.5.3`

Release Notes

openbao/openbao (openbao/openbao)

`v2.5.3`

Compare Source

SECURITY

auth/cert: Prevent token renewal with different-but-valid certificate. GHSA-7ccv-rp6m-rffr / CVE-2026-39388. [GH-2932]
auth/token: Prevent cross-namespace token renewal, revocation by accessor. GHSA-p49j-v9wc-wg57 / CVE-2026-40264. [GH-2934]
core: Disallow sys/generate-root/* by default due to unauthenticated cancellation; use disable_unauthed_generate_root_endpoints=false to temporarily re-enable. Upstream HCSEC-2026-08 / CVE-2026-5807. [GH-2912]
core: Forbid request path traversal using . and .. segments by default. If required, set the unsafe_relative_paths. Upstream HCSEC-2026-05 / CVE-2026-3605. [GH-2910]
core/plugins: Validate and restrict downloaded plugin binary size from OCI images; set plugin_download_max_size to limit the size (defaults to 512MB). GHSA-r65v-xgwc-g56j / CVE-2026-39396. [GH-2941]
core/namespaces: Ensure lease revocation on namespace re-deletion. GHSA-vv66-6rp4-wr4f. [GH-2935]
database/postgresql: Correctly quote schema name in revoke statement. GHSA-6vgr-cp5c-ffx3 / CVE-2026-39946. [GH-2931]

BUG FIXES

command/server: Refuse repeated startup if self-initialization failed on initial run. [GH-2908]
core: Fix namespace invalidation on standby when disable_cache=true is set. [GH-2822]
core: Loosen overly strict check for view path check, strictly forbidding .. as a substring within path segments. [GH-2910]
secret/database, secret/openldap, secret/rabbitmq: Fix dynamic secret requests failing with an "Internal Server Error" on standby nodes [GH-2853]

What's Changed

Add note for direct install using the Arch Linux package manager (#2718) by @hashworks in #2719
fix: some dynamic secret engines did not forward the request to the primary (#2853) by @phil9909 in #2855
Fix namespace invalidation without caching (#2822) by @phil9909 in #2856
Make self-init failures fatal (#2908 & #2195) by @satoqz in #2924
v2.5.3 dependency bumps by @satoqz in #2907
Forbid path traversal by default (#2910) by @satoqz in #2929
Check certificate match during renewal (#2932) by @satoqz in #2937
Correctly quote schema name in PostgreSQL revoke (#2931) by @satoqz in #2938
Prevent cross-namespace token accessor use (#2934) by @satoqz in #2939
Additional v2.5.3 dependency bumps by @satoqz in #2930
Ensure lease revocation on namespace re-deletion (#2935) by @satoqz in #2943
Validate downloaded plugin binary size (#2941) by @satoqz in #2944
Forbid generate-root by default (#2912) by @cipherboy in #2945
Add release notes for v2.5.3 by @satoqz in #2946

Full Changelog: https://github.com/openbao/openbao/compare/v2.5.2...v2.5.3

Configuration

📅 Schedule: (in timezone America/Chicago)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [openbao/openbao](https://github.com/openbao/openbao) | patch | `2.5.2` → `2.5.3` | | [quay.io/openbao/openbao](https://github.com/openbao/openbao) | patch | `2.5.2` → `2.5.3` | --- ### Release Notes <details> <summary>openbao/openbao (openbao/openbao)</summary> ### [`v2.5.3`](https://github.com/openbao/openbao/releases/tag/v2.5.3) [Compare Source](https://github.com/openbao/openbao/compare/v2.5.2...v2.5.3) #### SECURITY - auth/cert: Prevent token renewal with different-but-valid certificate. GHSA-7ccv-rp6m-rffr / CVE-2026-39388. \[[GH-2932](https://github.com/openbao/openbao/pull/2932)] - auth/token: Prevent cross-namespace token renewal, revocation by accessor. GHSA-p49j-v9wc-wg57 / CVE-2026-40264. \[[GH-2934](https://github.com/openbao/openbao/pull/2934)] - core: Disallow `sys/generate-root/*` by default due to unauthenticated cancellation; use `disable_unauthed_generate_root_endpoints=false` to temporarily re-enable. Upstream HCSEC-2026-08 / CVE-2026-5807. \[[GH-2912](https://github.com/openbao/openbao/pull/2912)] - core: Forbid request path traversal using `.` and `..` segments by default. If required, set the `unsafe_relative_paths`. Upstream HCSEC-2026-05 / CVE-2026-3605. \[[GH-2910](https://github.com/openbao/openbao/pull/2910)] - core/plugins: Validate and restrict downloaded plugin binary size from OCI images; set `plugin_download_max_size` to limit the size (defaults to 512MB). GHSA-r65v-xgwc-g56j / CVE-2026-39396. \[[GH-2941](https://github.com/openbao/openbao/pull/2941)] - core/namespaces: Ensure lease revocation on namespace re-deletion. GHSA-vv66-6rp4-wr4f. \[[GH-2935](https://github.com/openbao/openbao/pull/2935)] - database/postgresql: Correctly quote schema name in revoke statement. GHSA-6vgr-cp5c-ffx3 / CVE-2026-39946. \[[GH-2931](https://github.com/openbao/openbao/pull/2931)] #### BUG FIXES - command/server: Refuse repeated startup if self-initialization failed on initial run. \[[GH-2908](https://github.com/openbao/openbao/pull/2908)] - core: Fix namespace invalidation on standby when disable\_cache=true is set. \[[GH-2822](https://github.com/openbao/openbao/pull/2822)] - core: Loosen overly strict check for view path check, strictly forbidding `..` as a substring within path segments. \[[GH-2910](https://github.com/openbao/openbao/pull/2910)] - secret/database, secret/openldap, secret/rabbitmq: Fix dynamic secret requests failing with an "Internal Server Error" on standby nodes \[[GH-2853](https://github.com/openbao/openbao/pull/2853)] #### What's Changed - Add note for direct install using the Arch Linux package manager ([#2718](https://github.com/openbao/openbao/issues/2718)) by [@hashworks](https://github.com/hashworks) in [#2719](https://github.com/openbao/openbao/pull/2719) - fix: some dynamic secret engines did not forward the request to the primary ([#2853](https://github.com/openbao/openbao/issues/2853)) by [@phil9909](https://github.com/phil9909) in [#2855](https://github.com/openbao/openbao/pull/2855) - Fix namespace invalidation without caching ([#2822](https://github.com/openbao/openbao/issues/2822)) by [@phil9909](https://github.com/phil9909) in [#2856](https://github.com/openbao/openbao/pull/2856) - Make self-init failures fatal ([#2908](https://github.com/openbao/openbao/issues/2908) & [#2195](https://github.com/openbao/openbao/issues/2195)) by [@satoqz](https://github.com/satoqz) in [#2924](https://github.com/openbao/openbao/pull/2924) - v2.5.3 dependency bumps by [@satoqz](https://github.com/satoqz) in [#2907](https://github.com/openbao/openbao/pull/2907) - Forbid path traversal by default ([#2910](https://github.com/openbao/openbao/issues/2910)) by [@satoqz](https://github.com/satoqz) in [#2929](https://github.com/openbao/openbao/pull/2929) - Check certificate match during renewal ([#2932](https://github.com/openbao/openbao/issues/2932)) by [@satoqz](https://github.com/satoqz) in [#2937](https://github.com/openbao/openbao/pull/2937) - Correctly quote schema name in PostgreSQL revoke ([#2931](https://github.com/openbao/openbao/issues/2931)) by [@satoqz](https://github.com/satoqz) in [#2938](https://github.com/openbao/openbao/pull/2938) - Prevent cross-namespace token accessor use ([#2934](https://github.com/openbao/openbao/issues/2934)) by [@satoqz](https://github.com/satoqz) in [#2939](https://github.com/openbao/openbao/pull/2939) - Additional v2.5.3 dependency bumps by [@satoqz](https://github.com/satoqz) in [#2930](https://github.com/openbao/openbao/pull/2930) - Ensure lease revocation on namespace re-deletion ([#2935](https://github.com/openbao/openbao/issues/2935)) by [@satoqz](https://github.com/satoqz) in [#2943](https://github.com/openbao/openbao/pull/2943) - Validate downloaded plugin binary size ([#2941](https://github.com/openbao/openbao/issues/2941)) by [@satoqz](https://github.com/satoqz) in [#2944](https://github.com/openbao/openbao/pull/2944) - Forbid generate-root by default ([#2912](https://github.com/openbao/openbao/issues/2912)) by [@cipherboy](https://github.com/cipherboy) in [#2945](https://github.com/openbao/openbao/pull/2945) - Add release notes for v2.5.3 by [@satoqz](https://github.com/satoqz) in [#2946](https://github.com/openbao/openbao/pull/2946) **Full Changelog**: <https://github.com/openbao/openbao/compare/v2.5.2...v2.5.3> </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate-bot added the automerge docker labels 2026-04-20 21:17:03 +00:00

renovate-bot added 1 commit 2026-04-20 21:17:05 +00:00

chore(deps): update openbao to v2.5.3

renovate/stability-days Updates have not met minimum release age requirement

Details

lint-test-helm / lint-helm (pull_request) Successful in 1m6s

Details

lint-test-helm / validate-kubeconform (pull_request) Successful in 42s

Details

render-manifests / render-manifests (pull_request) Successful in 1m53s

Details

80ae0d36d1

alexlebens merged commit db1139bb1f into main

2026-04-20 22:04:01 +00:00

alexlebens referenced this issue from a commit

2026-04-20 22:04:02 +00:00

Merge pull request 'chore(deps): update openbao to v2.5.3' (#6115) from renovate/unified-openbao into main

alexlebens deleted branch renovate/unified-openbao

2026-04-20 22:04:05 +00:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: alexlebens/infrastructure#6115