teleport

Description

This release of Teleport contains multiple fixes and improvements.

• Added active node inventory cleanup. #10134
• Fixed various issues related to k8s labels. #10188
• Added access request IDs to various audit events. #9758

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a new feature.

• Added support for X11 forwarding to Server Access. #9897

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Warning

Pre-releases are not production ready, use at your own risk!

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a fix.

• Fixed an issue impacting clusters that upgraded to 8.1.3 that broke the Web UI and audit log search functionality. #10193

Note this release contains 8.1.3 and 8.1.4 which were pulled due to the above issues. Those releases included the following.

8.1.4

This release of Teleport contains a few improvements and fixes.

• Rolled back session.connect event. #10156
• Add new teleport_build_info Prometheus metric. #10135
• Improvements to dynamically resolving tunnel address in reverse tunnel agents. #10139

8.1.3

Kubernetes Access security fix

• Fixed issue where labels of the target Kubernetes Service were ignored when calculating kubernetes_users and kubernetes_groups. #9955

We recommend all Kubernetes Access users to upgrade their Proxies and Kubernetes Services.

Other improvements and fixes

• Added support for locking Access Requests. #9478
• Added support for jitter and backoff to prevent thundering herd situations. #9133
• Added support for nested groups with Google SSO. #9697
• Added support for pulling multiple domain groups from Google Workspace. #9697
• Added event session.connect which is emitted when connecting to a non-Teleport server. #9370
• Added Access Request information to audit events. #9758
• Added client certificate authentication support for GCP Cloud SQL #9991
• Added support for canned AWS S3 ACLs. #9042
• Improved ACME support to automatically renew certificates affected by the Let's Encrypt TLS-ALPN-01 issues. #9984
• Improved Desktop Access performance. #9817
• Improved network utilization by replacing cluster periodics with watchers. #9609
• Fixed reverse tunneling for Windows Desktop Connections. #9740
• Fixed issue where database auto-discovery could fail with databases created by CloudFormation. #9742
• Fixed issue with Application Access in High Availability (HA) configurations. #9288
• Fixed issue where Database Access could fail to connect to RDS instance in ca-central-1. #9890
• Fixed issue with auto-discovery and RDS or Aurora permissions. #9426
• Fixed issue with Desktop Access token type name inconsistencies. #9756
• Fixed issue where prefixing an application name with "kube" would make the proxy route it as a Kubernetes cluster. #9777
• Fixed issue where tsh db ls could show incorrect information. #9386
• Fixed issue where Database Access would not register Aurora reader instances. #9668
• Fixed issue with AWS credential brokering with federated accounts. #9792
• Fixed regression in Kubernetes Access performance introduced in Teleport 8.1.1. #10011
• Fixed an issue where OIDC UserInfo were not respected. #9951

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains improvements, fixes and a security fix.

Kubernetes Access security fix

• Fixed issue where labels of the target Kubernetes Service were ignored when calculating kubernetes_users and kubernetes_groups. #9956

We recommend all Kubernetes Access users to upgrade their Proxies and Kubernetes Services.

Other improvements and fixes

• Added support for canned AWS S3 ACLs. #10006
• Improved ACME support to automatically renew certificates affected by the Let's Encrypt TLS-ALPN-01 issues. #10016
• Improved network utilization by replacing cluster periodics with watchers. #9999
• Gracefully handle 401 responses from OIDC UserInfo endpoints. #9951

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a feature and a fix.

• Added metrics for missing SSH tunnels. #8603
• Fixed an issue where logins denied by RBAC rules were no longer generating audit entries. #7796

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a feature, improvement, and fixes.

• Added the access_request.delete event to track deleted Access Requests. #9552
• Improved Kubernetes Access performance by forcing the use of http2. #9294
• Fixed an issue where tsh kube login would not respect TELEPORT_HOME. #9760
• Fixed an issue where EC2 node could fail if two nodes shared a nodename. #9722
• Fixed an issue where login would fail if the users home directory does not exist. #9413

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains performance improvements.

• Add jitter and backoff to various operations to improve perf under high load. #9133

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains features and fixes.

• Added RBAC for sessions. It is now possible to further limit access to shared sessions and session recordings. See the RBAC for sessions documentation for more details.
• Added ability to specify level of TLS verification for database connections. #9197
• Added --cluster and --diag_addr to tsh db and teleport respectively. #9220
• Fixed an issue with user specification with tsh db connect and MongoDB. #9196
• Fixed an issue when connecting to an auth server over a tunnel when running in proxy_listener_mode. #9498
• Fixed an issue with Access Requests where the request reason was not being escaped when using tctl. #9381
• Fixed an issue where Teleport would incorrectly log json: unsupported type: utils.Jitter. #9417
• Fixed an issue with incorrect session ID being emitted in session.leave events. #9651
• Update tctl lock to allow locking a Windows Desktop. #9543
• Removed the libatomic dependency: Teleport 8.1.0 will run on systems without libatomic, but note that Desktop Access will not be enabled in 32-bit ARM builds. #9667

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a feature and a bug fix.

• Updated tsh play -f json to support fetching session recordings from cluster. #9446
• Fixed an issue with incorrect session ID being emitted in session.leave events. #9650
• Fixed an issue with tsh ssh failing when user's home directory doesn't exist. #9413

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a bug fix.

• Fixed an issue with incorrect session ID being emitted in session.leave events. #9651

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

This release of Teleport contains features and fixes.

Description

• Added support for clearing the users terminal when a session ends. #8850
• Added jitter and backoff to prevent thundering herd situations when reconnecting to auth. #9393
• Fixed an issue with Access Requests where the request reason was not being escaped when using tctl. #9381
• Fixed an issue where Teleport would incorrectly log json: unsupported type: utils.Jitter. #9417
• Fixed an issue that would cause tsh login to hang indefinitely. #9193
• Fixed an issue where a null route could cause high latency when connecting to hosts. #9254
• Fixed an issue with Database Access where running show tables MySQL would result in an error. #9411

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a feature and multiple fixes.

• Added support for clearing the users terminal when a session ends. #8850
• Fixed an issue with Database Access where running show tables MySQL would result in an error. #9423
• Fixed an issue with Access Requests where the request reason was not being escaped when using tctl. #9381

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains multiple features and bug fixes.

• Added support for a configurable event TTL in DynamoDB. #8840
• Added support for tsh play -f json <ID> #9319
• Added Helm chart enhancements. #8105 #8774 #9130 #9263 #9349 #9503
• Fixed an issue with TLS Routing that would cause Teleport to not respect NO_PROXY. #9287
• Fixed an issue with Database Access where running show tables MySQL would result in an error. #9411
• Fixed an issue with Server Access where a null route would cause high latency when connecting to hosts. #9254
• Fixed an issue with Database Access that would cause the Web UI to fail to list databases. #9096
• Fixed a goroutine leak in Application Access. #9332
• Fixed potentially short reads from the system random number generator. #9186
• Fixed RPM repository compatibility issues for CentOS 7 users. #9464
• Fixed issue with Kubernetes Access and CA rotation. #9418

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a feature and bug fixes.

• Added ability to run Postgres and MongoDB proxy on separate listener. #8323
• Fixed an issue that could cause search engine crawlers to break signup and login pages.
• Fixed issue that would cause tsh login to hang indefinitely. #9193

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains a bug fix.

• Fixed issue with desktop access smart card authentication.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Description

This release of Teleport contains multiple security fixes discovered as a part of a routine security audit.

Insufficient authorization check in self-hosted MySQL database access

Teleport MySQL proxy engine did not handle internal MySQL protocol command that allows to reauthenticate the active connection.

This could allow an attacker with a valid client certificate for a particular database user to reauthenticate as a different MySQL user created using require x509 clause.

Insufficient authorization check in MongoDB database access

Teleport MongoDB proxy engine did not implement processing for all possible MongoDB wire protocol messages.

This could allow an attacker with a valid client certificate to connect to the database in a way that would prevent Teleport from enforcing authorization check on the database names.

Authorization bypass in application access

When proxying a websocket connection, Teleport did not check for a successful connection upgrade response from the target application.

In scenarios where Teleport proxy is located behind a load balancer, this could result in the load balancer reusing the cached authenticated connection for future unauthenticated requests.

Actions

Users should backup the Teleport cluster, then follow the standard Teleport upgrade procedure:

• For Database Access users we recommend upgrading database agents that handle connections to self-hosted MySQL servers.
• For Application Access users we recommend upgrading application agents.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

For Teleport Enterprise customers, 8.0.4 is identical to 8.0.3.

Description

This release of Teleport contains multiple security fixes discovered as a part of a routine security audit.

Insufficient authorization check in self-hosted MySQL database access

Teleport MySQL proxy engine did not handle internal MySQL protocol command that allows to reauthenticate the active connection.

This could allow an attacker with a valid client certificate for a particular database user to reauthenticate as a different MySQL user created using require x509 clause.

Insufficient authorization check in MongoDB database access

Teleport MongoDB proxy engine did not implement processing for all possible MongoDB wire protocol messages.

This could allow an attacker with a valid client certificate to connect to the database in a way that would prevent Teleport from enforcing authorization check on the database names.

Authorization bypass in application access

When proxying a websocket connection, Teleport did not check for a successful connection upgrade response from the target application.

In scenarios where Teleport proxy is located behind a load balancer, this could result in the load balancer reusing the cached authenticated connection for future unauthenticated requests.

Missing password confirmation on password change

Teleport did not check the old password if the cluster had "optional" second factor and user had no registered MFA devices.

This could allow an attacker with access to user's authenticated browser session to change their password.

Actions

Users should backup the Teleport cluster, then follow the standard Teleport upgrade procedure:

• For all Teleport users, we recommend upgrading auth servers.
• For Database Access users we recommend upgrading database agents that handle connections to self-hosted MySQL servers.
• For Application Access users we recommend upgrading application agents.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

For Teleport Enterprise customers, 7.3.8 is identical to 7.3.7.

Description

This release of Teleport contains performance improvements.

• Various performance improvements related to handling large numbers of concurrent nodes.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

For Teleport Enterprise customers, 6.2.23 is identical to 6.2.21.