alexlebens/infrastructure
1
0
Fork 0
Code Issues 1 Pull Requests 2 Actions Activity

chore(deps): update quay.io/openbao/openbao docker tag to v2.5.4 #7188

Merged
renovate-bot merged 1 commits from renovate/unified-openbao into main 2026-05-20 17:04:41 +00:00
Conversation 0 Commits 1 Files Changed 1
+2 -2
renovate-bot commented 2026-05-20 17:04:29 +00:00
Collaborator
Copy Link
Copy Source

This PR contains the following updates:

Package Update Change
quay.io/openbao/openbao patch 2.5.32.5.4

Release Notes

openbao/openbao (quay.io/openbao/openbao)

v2.5.4

Compare Source

SECURITY
  • core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. [GH-3076]
  • core: Prevent hidden default token issuance from auth plugin endpoints returning both a logical.Auth{} response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. [GH-3150]
  • core: Remove legacy lease endpoints (sys/revoke, sys/renew, sys/revoke-prefix, and sys/revoke-force) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. [GH-3152]

IMPROVEMENTS:

  • storage/postgresql: Set constraint name to table+"_pkey" and ha_table+"_pkey" and index to table+"_idx" for uniqueness when reusing the same database partition for multiple OpenBao instances. [GH-2876]
BUG FIXES
  • auth/kerberos: Do not return logical.Auth{} response during initial negotiation at the same time as an error. [GH-3150]
  • core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. [GH-3083]
  • core/policies: Fix list_scan_response_keys_filter_path incorrectly erring on empty list responses. [GH-3063]
  • core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. [GH-2953]
  • core: Disallow logical secret engines from creating authentication tokens. [GH-3087]
  • core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. [GH-3006]
  • storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. [GH-3054]
  • storage/postgresql: Revert accidental rename of ha_table option to haTable. Both spellings are now supported to retain compatibility, though ha_table takes precedence. [GH-2876]
What's Changed

Full Changelog: https://github.com/openbao/openbao/compare/v2.5.3...v2.5.4

Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Update | Change | |---|---|---| | [quay.io/openbao/openbao](https://github.com/openbao/openbao) | patch | `2.5.3` → `2.5.4` | --- ### Release Notes <details> <summary>openbao/openbao (quay.io/openbao/openbao)</summary> ### [`v2.5.4`](https://github.com/openbao/openbao/releases/tag/v2.5.4) [Compare Source](https://github.com/openbao/openbao/compare/v2.5.3...v2.5.4) ##### SECURITY - core/auth: Fix audit logs dropping custom headers when using inline auth. GHSA-q8cj-789h-vg24 / CVE-2026-46358. \[[GH-3076](https://github.com/openbao/openbao/pull/3076)] - core: Prevent hidden default token issuance from auth plugin endpoints returning both a `logical.Auth{}` response object and an error. GHSA-7j6w-vvw2-5f9c / CVE-2026-46405. \[[GH-3150](https://github.com/openbao/openbao/pull/3150)] - core: Remove legacy lease endpoints (`sys/revoke`, `sys/renew`, `sys/revoke-prefix`, and `sys/revoke-force`) due to cross-namespace lease modification. GHSA-v8v8-cm84-m686 / CVE-2026-45808. \[[GH-3152](https://github.com/openbao/openbao/pull/3152)] IMPROVEMENTS: - storage/postgresql: Set constraint name to `table+"_pkey"` and `ha_table+"_pkey"` and index to `table+"_idx"` for uniqueness when reusing the same database partition for multiple OpenBao instances. \[[GH-2876](https://github.com/openbao/openbao/pull/2876)] ##### BUG FIXES - auth/kerberos: Do not return `logical.Auth{}` response during initial negotiation at the same time as an error. \[[GH-3150](https://github.com/openbao/openbao/pull/3150)] - core/mfa: Handle invalidation for login MFA, ensuring standby nodes respond appropriately on writes. \[[GH-3083](https://github.com/openbao/openbao/pull/3083)] - core/policies: Fix `list_scan_response_keys_filter_path` incorrectly erring on empty list responses. \[[GH-3063](https://github.com/openbao/openbao/pull/3063)] - core/quotas: Correctly handle default rate limit exempt paths on quota configuration invalidation. \[[GH-2953](https://github.com/openbao/openbao/pull/2953)] - core: Disallow logical secret engines from creating authentication tokens. \[[GH-3087](https://github.com/openbao/openbao/pull/3087)] - core: Forward generate-root, step-down and rekey requests to active node to resolve inconsistent standby behavior. \[[GH-3006](https://github.com/openbao/openbao/pull/3006)] - storage/raft: Wait for autopilot shutdown to avoid panic when racing to retrieve known servers. \[[GH-3054](https://github.com/openbao/openbao/pull/3054)] - storage/postgresql: Revert accidental rename of `ha_table` option to `haTable`. Both spellings are now supported to retain compatibility, though `ha_table` takes precedence. \[[GH-2876](https://github.com/openbao/openbao/pull/2876)] ##### What's Changed - Remove 2.5.x community docs by [@&#8203;cipherboy](https://github.com/cipherboy) in [#&#8203;3071](https://github.com/openbao/openbao/pull/3071) - Disallow non-auth plugins from creating tokens ([#&#8203;3087](https://github.com/openbao/openbao/issues/3087) by [@&#8203;cipherboy](https://github.com/cipherboy)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3112](https://github.com/openbao/openbao/pull/3112) - Handle invalidation of LoginMFA keys ([#&#8203;3083](https://github.com/openbao/openbao/issues/3083) by [@&#8203;cipherboy](https://github.com/cipherboy)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3113](https://github.com/openbao/openbao/pull/3113) - Fix audit logs dropping custom headers when using inline auth ([#&#8203;3076](https://github.com/openbao/openbao/issues/3076) by [@&#8203;jackyliao123](https://github.com/jackyliao123)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3114](https://github.com/openbao/openbao/pull/3114) - fix: nil-guard d.autopilot before calling GetState ([#&#8203;3054](https://github.com/openbao/openbao/issues/3054) by [@&#8203;mpldr](https://github.com/mpldr)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3115](https://github.com/openbao/openbao/pull/3115) - fix: Fix request handling filtering for the no data case ([#&#8203;3063](https://github.com/openbao/openbao/issues/3063) by [@&#8203;eklatzer](https://github.com/eklatzer)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3116](https://github.com/openbao/openbao/pull/3116) - Update vulnerable deps before 2.5.4 by [@&#8203;cipherboy](https://github.com/cipherboy) in [#&#8203;3121](https://github.com/openbao/openbao/pull/3121) - Fix cache invalidation memory leak ([#&#8203;3105](https://github.com/openbao/openbao/issues/3105) by [@&#8203;cipherboy](https://github.com/cipherboy)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3131](https://github.com/openbao/openbao/pull/3131) - Use unique constraints, indices in PostgreSQL storage ([#&#8203;2876](https://github.com/openbao/openbao/issues/2876) by [@&#8203;cipherboy](https://github.com/cipherboy)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3132](https://github.com/openbao/openbao/pull/3132) - Correctly handle default\_rate\_limit\_exempt\_paths\_toggle invalidation ([#&#8203;2953](https://github.com/openbao/openbao/issues/2953) by [@&#8203;cipherboy](https://github.com/cipherboy)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3134](https://github.com/openbao/openbao/pull/3134) - Fix `/v1/sys/` forwarding regressions for standby instances ([#&#8203;3006](https://github.com/openbao/openbao/issues/3006) by [@&#8203;tsaarni](https://github.com/tsaarni)) backported by [@&#8203;phil9909](https://github.com/phil9909) in [#&#8203;3133](https://github.com/openbao/openbao/pull/3133) - Remove legacy cross-namespace lease endpoints ([#&#8203;3152](https://github.com/openbao/openbao/issues/3152) by [@&#8203;cipherboy](https://github.com/cipherboy)) backported by [@&#8203;cipherboy](https://github.com/cipherboy) in [#&#8203;3153](https://github.com/openbao/openbao/pull/3153) - Prevent errors from creating orphaned tokens ([#&#8203;3150](https://github.com/openbao/openbao/issues/3150) by [@&#8203;cipherboy](https://github.com/cipherboy)) backported by [@&#8203;cipherboy](https://github.com/cipherboy) in [#&#8203;3151](https://github.com/openbao/openbao/pull/3151) - Add release notes for v2.5.4 by [@&#8203;satoqz](https://github.com/satoqz) in [#&#8203;3154](https://github.com/openbao/openbao/pull/3154) **Full Changelog**: <https://github.com/openbao/openbao/compare/v2.5.3...v2.5.4> </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODguMCIsInVwZGF0ZWRJblZlciI6IjQzLjE4OC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWVyZ2UiLCJkb2NrZXIiLCJkb2NrZXIiXX0=-->
renovate-bot added the automergedocker labels 2026-05-20 17:04:29 +00:00
renovate-bot added 1 commit 2026-05-20 17:04:30 +00:00
chore(deps): update quay.io/openbao/openbao docker tag to v2.5.4
lint-test-helm / lint-helm (pull_request) Successful in 32s
Details
lint-test-helm / validate-kubeconform (pull_request) Successful in 26s
Details
render-manifests / render-manifests (pull_request) Successful in 1m4s
Details
be1f1a4664
renovate-bot scheduled this pull request to auto merge when all checks succeed 2026-05-20 17:04:32 +00:00
renovate-bot merged commit 74c330334d into main 2026-05-20 17:04:41 +00:00
renovate-bot deleted branch renovate/unified-openbao 2026-05-20 17:04:43 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
Renovate
Issue generated by Renovate.
 automerge
This PR will be automerged by Renovate.
 chart
Chart update generated by Renovate.
 docker
Docker update generated by Renovate.
github-actions
Github Action update generated by Renovate.
github-releases
Github Release generated by Renovate
 helm
Helm update generated by Renovate.
image
Image update generated by Renovate.
 stale
PR or Issue that has not been updated recently.
No Label automerge docker
Milestone
No items
No Milestone
Assignees
Clear assignees
gitea-bot (Gitea) renovate-bot (Renovate Bot) alexlebens (Alex Lebens)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: alexlebens/infrastructure#7188
Delete Branch "renovate/unified-openbao"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?