teleport

The easiest, and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

Stars
17.1K
Committers
305

teleport - Teleport 15.0.2

Published by fheinecke 8 months ago

Description

  • Fixed a potential panic in the tsh status command. #38305
  • Fixed SSO user locking in the setup access step of the RDS auto discover flow in the web UI. #38283
  • Optionally permit the auth server to terminate client connections from unsupported versions. #38182
  • Fixed Assist obstructing the user dropdown menu when in docked mode. #38156
  • Improved the stability of Teleport during graceful upgrades. #38145
  • Added the ability to view and manage Machine ID bots from the UI. #38122
  • Fixed a bug that prevented desktop clipboard sharing from working when large amounts of text are placed on the clipboard. #38120
  • Added option to validate hardware key serial numbers with hardware key support. #38068
  • Removed access tokens from URL parameters, preventing them from being leaked to intermediary systems that may log them in plaintext. #38032
  • Forced agents to terminate Auth connections if joining fails. #38005
  • Added a tsh sessions ls command to list active sessions. #37969
  • Improved error handling when idle desktop connections are terminated. #37955
  • Updated Go to 1.21.7. #37846
  • Discover flow now starts two instances of DatabaseServices when setting up access to Amazon RDS. #37805

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.16

Published by camscale 9 months ago

Description

  • Fixed incorrect resizing of CLI apps in Teleport Connect on Windows. #37800
  • Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37723
  • Correctly handle non-registered U2F keys. #37721
  • Fixed usage data submission becoming stuck sending too many reports at once (Teleport Enterprise only). #37689
  • Fixed cache init issue with access list members/reviews. #37675
  • Skip tsh AppID pre-flight check whenever possible. #37644
  • Updated Go to 1.21.6. #37561
  • Updated OpenSSL to 3.0.13. #37553
  • tsh FIDO2 backend re-written for improved responsiveness and reliability. #37539
  • Do not add alphabetically first Kube cluster's name to a user certificate on login. #37503
  • Allow replicating proxy pods when using an ingress in the teleport-cluster Helm chart. #37481
  • tbot now correctly uses the last good persisted identity if --join-token has not been specified. #37448
  • Prevent backend throttling caused by a large number of app sessions. #37392
  • Fixed querying of large audit events with Athena backend and added prometheus metrics for audit event sizes. #37350
  • Fixed CA key generation when two auth servers share a single YubiHSM2. #37301
  • Fixed an issue where selecting a MySQL database was not reflected in the audit logs. #37258
  • Fixed missing proxy address in GCP and Azure VM auto-discovery. #37216
  • Reduced logging level for services that reconcile resources. #37141
  • Fixed webUI if automatic upgrades are misconfigured. #37131
  • Improved styling of the login form in Connect and Web UI. #37004
  • Fixed tsh trying to relogin on fatal errors. #36925
  • Ensure that moderated sessions do not get stuck in the event of an unexpected drop in the moderator's connection. #36918
  • The web terminal now properly displays underscores on Linux. #36891
  • Ensure that any opened app session is always closed on completion. #36887
  • Fixed tsh panic on Windows if WebAuthn.dll is missing. #36869
  • Fixed a potential crash in Teleport Connect after downgrading the app from v15+. #36798
  • Ensure connect_to_node_attempts_total is always incremented when dialing hosts. #36738
  • Added missing create/update messages for some tctl create commands. #36702
  • Prevent a goroutine leak caused by app sessions not cleaning up resources properly. #36669
  • Fixed an issue where valid SAML entity descriptors could be rejected. #36659
  • Verify MFA device locks during user authentication. #36627
  • Teleport updater now reloads systems units after an upgrade. #3228

teleport - Teleport 12.4.34

Published by camscale 9 months ago

Description

Note: This is expected to be the last release in the v12 line. Users are encouraged to upgrade to a supported version.

  • Fixed usage data submission becoming stuck sending too many reports at once (Teleport Enterprise only). #37690
  • Update OpenSSL to 3.0.13. #37554
  • Fixed CA key generation when two auth servers share a single YubiHSM2. #37305
  • Fixed an issue where selecting a MySQL database was not reflected in the audit logs. #37259
  • Ensure that moderated sessions do not get stuck in the event of an unexpected drop in the moderator's connection. #36919
  • Ensure that any opened app session is always closed on completion. #36888
  • Fixed tsh panic on Windows if WebAuthn.dll is missing. #36870
  • Ensure connect_to_node_attempts_total is always incremented when dialing hosts. #36737
  • Prevent a goroutine leak caused by app sessions not cleaning up resources properly. #36670
  • Verify MFA device locks during user authentication. #36629
  • Fixed goroutine leak per ssh session. #36513

teleport - Teleport 15.0.1

Published by camscale 9 months ago

Description

  • Correctly handle non-registered U2F keys. #37720
  • Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37718
  • Fixed conditional user modifications (used by certain Teleport subsystems such as Device Trust) on users that have previously been locked out due to repeated recovery attempts. #37703
  • Added SCIM support in Okta integration (cloud only). #3341
  • Added Okta integration SCIM support for web UI. #37697
  • Fixed usage data submission becoming stuck sending too many reports at once (Teleport Enterprise only). #37687
  • Fixed cache init issue with access list members/reviews. #37673
  • Fixed "failed to close stream" log messages. #37662
  • Skip tsh AppID pre-flight check whenever possible. #37642

teleport - Teleport 14.3.4

Published by r0mant 9 months ago

Description

  • Skip tsh AppID pre-flight check whenever possible. #37643
  • Update OpenSSL to 3.0.13. #37552
  • tsh FIDO2 backend re-written for improved responsiveness and reliability. #37538
  • Do not add alphabetically first Kube cluster's name to a user certificate on login. #37501
  • Allow replicating proxy pods when using an ingress in the teleport-cluster Helm chart. #37480
  • Fixed an issue where tsh uses the wrong default username for auto-user provisioning enabled databases in remote clusters. #37418
  • Prevent backend throttling caused by a large number of app sessions. #37391
  • Emit audit events when SFTP or SCP commands are blocked. #37385
  • Fix goroutine leak on PostgreSQL access. #37342
  • Fixed incompatibility between leaf clusters and ProxyJump. #37319
  • Fixed a potential crash when setting up the Connect My Computer role in Teleport Connect. #37314
  • Fixed CA key generation when two auth servers share a single YubiHSM2. #37296
  • Add support for cancelling CockroachDB requests. #37282
  • Fix Terraform provider creating AccessLists with next audit date set to Epoch. #37262
  • Fixed an issue where selecting a MySQL database was not reflected in the audit logs. #37257
  • The login screen will no longer be rendered for authenticated users. #37230
  • Fixed missing proxy address in GCP and Azure VM auto-discovery. #37215
  • Teleport namespace label prefixes are now sorted toward the end of the labels list in the web UI. #37191
  • Adds tbot proxy kube to support connecting to Kubernetes clusters using Machine ID when the Proxy is behind a L7 LB. #37157
  • Fix a bug that was breaking web UI if automatic upgrades are misconfigured. #37130
  • Fixed an issue where an AWS Redshift auto-provisioned user was not deleted in drop mode. #37036
  • Fixed an issue where database auto-user provisioning fails to connect a second session on MariaDB older than 10.7. #37028
  • Improved styling of the login form in Connect and Web UI. #37003
  • Ensure that moderated sessions do not get stuck in the event of an unexpected drop in the moderator's connection. #36917
  • The web terminal now properly displays underscores on Linux. #36890
  • Fix tsh panic on Windows if WebAuthn.dll is missing. #36868
  • Increased timeout when waiting for response from Jira API and webhook to reconcile. #36818
  • Ensure connect_to_node_attempts_total is always incremented when dialing hosts. #36739
  • Fixed a potential crash in Teleport Connect after downgrading the app from v15+. #36730
  • Prevent a goroutine leak caused by app sessions not cleaning up resources properly. #36668
  • Added tctl idp saml test-attribute-mapping command to test SAML IdP attribute mapping. #36662
  • Fixed an issue where valid SAML entity descriptors could be rejected. #36485
  • Updated SAML IdP UI to display entity ID, SSO URL and X.509 certificate. #3322
  • Updated access request creation dialog to pre-select suggested reviewers. #3325

teleport - Teleport 15.0.0

Published by r0mant 9 months ago

Teleport 15 brings the following new major features and improvements:

  • Desktop access performance improvements
  • Enhanced Device Trust support
  • SSH connection resumption
  • RDS auto-discovery in Access Management UI
  • EKS Integration for Teleport
  • MFA for Administrative Actions
  • Improved SAML IdP configuration flow
  • Improved provisioning for Okta
  • Support for AWS KMS
  • Teleport Connect improvements
  • Session playback improvements
  • Standalone Kubernetes Operator
  • Roles v6 and v7 support for Kubernetes Operator
  • Enhanced ARM64 builds

In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.

Description

Desktop access performance improvements

Teleport 15 leverages a new, more performant RDP engine, resulting in a smoother desktop access experience.

Device Trust for Linux support

Teleport Device Trust now supports TPM joining on Linux devices.

Additionally, tsh proxy app can now solve device challenges, allowing users to enforce the use of a trusted device to access applications.

SSH connection resumption

Teleport v15 introduces automatic SSH connection resumption if the network path between the client and the Teleport node is interrupted due to connectivity issues, and transparent connection migration if the control plane is gracefully upgraded.

The feature is active by default when a v15 client (tsh, OpenSSH or PuTTY configured by tsh config, or Teleport Connect) connects to a v15 Teleport node.

RDS auto-discovery in Access Management UI

Users going through the Access Management UI flow to enroll RDS databases are now able to set up auto-discovery.

EKS Integration for Teleport

Teleport now allows users to enroll EKS clusters via the Access Management UI.

Improved SAML IdP configuration flow

When adding a SAML application via Access Management UI, users are now able to configure attribute mapping and have Teleport fetch service provider's entity descriptor automatically.

Improved provisioning for Okta

Teleport 15 improves performance of receiving user/group updates from Okta by leveraging System for Cross-domain Identity Management (SCIM).

Note: This feature will come out in a later 15.0 patch release.

Support for AWS KMS

Teleport 15 supports the use of AWS Key Management Service (KMS) to store and handle the CA private key material used to sign all Teleport-issued certificates. When enabled, private key material never leaves AWS KMS.

To migrate existing clusters to AWS KMS, you must perform a CA rotation.

MFA for administrative actions

When Teleport is configured to require webauthn (second_factor: webauthn), administrative actions performed via tctl or the web UI will require an additional MFA tap.

Examples of administrative actions include, but are not limited to:

  • Resetting or recovering user accounts
  • Inviting new users
  • Updating cluster configuration resources
  • Creating and approving access requests
  • Generating new join tokens

Note: when MFA for administrative actions is enabled, user certificates produced with tctl auth sign will no longer be suitable for automation due to the additional MFA checks, unless run directly on a local Auth server (legacy setup). We recommend using Machine ID to issue certificates for automated workflows, which uses role impersonation that is not subject to MFA checks.

Teleport Connect improvements

Teleport Connect will now prompt for an MFA tap prior to accessing Kubernetes clusters when per-session MFA is enabled.

Additionally, Teleport Connect includes support for TCP and web applications, and can also launch AWS and SAML apps in a web browser.

Session playback improvements

Prior to Teleport 15, tsh play and the web UI would download the entire session recording before starting playback. As a result, playback of large recordings could be slow to start, and may fail to play at all in the browser.

In Teleport 15, session recordings are streamed from the auth server, allowing playback to start before the entire session is downloaded and unpacked.

Additionally, tsh play now supports a --speed flag for adjusting the playback speed, and desktop session playback now supports seeking to arbitrary positions in the recording.

Web UI improvements

Prior to Teleport 15, there was a dropdown in the sidebar between “Resources” and “Management,” and in the Resources mode, there were tabs in the sidebar for Access Requests and Active Sessions. In Teleport 15, all of the above have moved to tabs in a top navbar, and the Resources view is fully responsive across viewport widths. A side navbar still exists in the “Access Management” tab.

Prior to Teleport 15, Passkeys and MFA devices were shown in a single list on the “Account Settings” screen, without a clear distinction between them. In Teleport 15, these have been split into distinct lists so it is clearer which type of authentication you are adding to your account.

Standalone Kubernetes Operator

Prior to Teleport 15, the Teleport Kubernetes Operator had to run as a sidecar of the Teleport auth. It was not possible to use the operator in Teleport Cloud or against a Teleport cluster not deployed with the teleport-cluster Helm chart.

In Teleport 15, the Teleport Operator can reconcile resources in any Teleport cluster. Teleport Cloud users can now use the operator to manage their resources.

When deployed with the teleport-cluster chart, the operator now runs in a separate pod. This ensures that Teleport's availability won't be impacted if the operator becomes unready.

See the Standalone Operator guide for installation instructions.

Roles v6 and v7 support for Kubernetes Operator

Starting with Teleport 15, newly supported kinds will contain the resource version. For example: TeleportRoleV6 and TeleportRoleV7 kinds will allow users to create Teleport Roles v6 and v7.

Existing kinds will remain unchanged in Teleport 15, but will be renamed in Teleport 16 for consistency.

To migrate an existing Custom Resource (CR) TeleportRole to a TeleportRoleV7, you must:

  • upgrade Teleport and the operator to v15
  • annotate the existing TeleportRole CR with teleport.dev/keep: "true"
  • delete the TeleportRole CR (it won't delete the role in Teleport thanks to the annotation)
  • create a new TeleportRoleV7 CR with the same name

Enhanced ARM64 builds

Teleport 15 now provides FIPS-compliant Linux builds on ARM64. Users will now be able to run Teleport in FedRAMP/FIPS mode on ARM64.

Additionally, Teleport 15 includes hardened AWS AMIs for ARM64.

Breaking changes and deprecations

RDP engine requires RemoteFX

Teleport 15 includes a new RDP engine that leverages the RemoteFX codec for improved performance. Additional configuration may be required to enable RemoteFX on your Windows hosts.

If you are using our authentication package for local users, the v15 installer will automatically enable RemoteFX for you.

Alternatively, you can enable RemoteFX by updating the registry:

Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' -Name 'ColorDepth' -Type DWORD -Value 5
Set-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\Terminal Services' -Name 'fEnableVirtualizedGraphics' -Type DWORD -Value 1

If you are using Teleport with Windows hosts that are part of an Active Directory environment, you should enable RemoteFX via group policy.

Under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host, enable:

  1. Remote Session Environment > RemoteFX for Windows Server 2008 R2 > Configure RemoteFX
  2. Remote Session Environment > Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1
  3. Remote Session Environment > Limit maximum color depth

Detailed instructions are available in the setup guide. A reboot may be required for these changes to take effect.

tsh ssh

When running a command on multiple nodes with tsh ssh, each line of output is now labeled with the hostname of the node it was written by. Users that rely on parsing the output from multiple nodes should pass the --log-dir flag to tsh ssh, which will create a directory where the separated output of each node will be written.

drop host user creation mode

The drop host user creation mode has been removed in Teleport 15. It is replaced by insecure-drop, which still creates temporary users but does not create a home directory. Users who need home directory creation should either wrap useradd/userdel or use PAM.

Remove restricted sessions for SSH

The restricted session feature for SSH has been deprecated since Teleport 14 and has been removed in Teleport 15. We recommend implementing network restrictions outside of Teleport (iptables, security groups, etc).

Packages no longer published to legacy Debian and RPM repos

deb.releases.teleport.dev and rpm.releases.teleport.dev were deprecated in Teleport 11. Beginning in Teleport 15, Debian and RPM packages will no longer be published to these repos. Teleport 14 and prior packages will continue to be published to these repos for the remainder of those releases' lifecycle.

All users are recommended to switch to apt.releases.teleport.dev and yum.releases.teleport.dev repositories as described in installation instructions.

The legacy package repos will be shut off in mid 2025 after Teleport 14 has been out of support for many months.

Container images

Teleport 15 contains several breaking changes to improve the default security and usability of Teleport-provided container images.

"Heavy" container images are discontinued

In order to increase default security in 15+, Teleport will no longer publish container images containing a shell and rich command line environment to Elastic Container Registry's gravitational/teleport image repo. Instead, all users should use the distroless images introduced in Teleport 12. These images can be found at:

For users who need a shell in a Teleport container, a "debug" image is available which contains BusyBox, including a shell and many CLI tools. Find the debug images at:

Do not run debug container images in production environments.

Heavy container images will continue to be published for Teleport 13 and 14 throughout the remainder of these releases' lifecycle.

Multi-architecture Teleport Operator images

Teleport Operator container images will no longer be published with architecture suffixes in their tags (for example: 14.2.1-amd64 and 14.2.1-arm). Instead, only a single tag will be published with multi-platform support (e.g., 15.0.0). If you use Teleport Operator images with an architecture suffix, remove the suffix and your client should automatically pull the platform-appropriate image. Individual architectures may be pulled with docker pull --platform <arch>.

Quay.io registry

The quay.io container registry was deprecated and Teleport 12 is the last version to publish images to quay.io. With Teleport 15's release, v12 is no longer supported and no new container images will be published to quay.io.

For Teleport 8+, replacement container images can be found in Teleport's public ECR registry.

Users who wish to continue to use unsupported container images prior to Teleport 8 will need to download any quay.io images they depend on and mirror them elsewhere before July 2024. Following brownouts in May and June, Teleport will disable pulls from all Teleport quay.io repositories on Wednesday July 3, 2024.

Amazon AMIs

Teleport 15 contains several breaking changes to improve the default security and usability of Teleport-provided Amazon AMIs.

Hardened AMIs

Teleport-provided Amazon Linux 2023 AMIs previously only supported x86_64/amd64. Starting with Teleport 15, arm64-based AMIs will be produced. However, the naming scheme for these AMIs has been changed to include the architecture.

  • Previous naming scheme: teleport-oss-14.0.0-$TIMESTAMP
  • New naming scheme: teleport-oss-15.0.0-x86_64-$TIMESTAMP

Legacy Amazon Linux 2 AMIs

Teleport-provided Amazon Linux 2 AMIs were deprecated, and Teleport 14 is the last version to produce such legacy AMIs. With Teleport 15's release, only the newer hardened Amazon Linux 2023 AMIs will be produced.

The legacy AMIs will continue to be published for Teleport 13 and 14 throughout the remainder of these releases' lifecycle.

windows_desktop_service no longer writes to the NTAuth store

In Teleport 15, the process that periodically publishes Teleport's user CA to the Windows NTAuth store has been removed. It is not necessary for Teleport to perform this step since it must be done by an administrator at installation time. As a result, Teleport's service account can use more restrictive permissions.

Example AWS cluster deployments updated

The AWS terraform examples for Teleport clusters have been updated to use the newer hardened Amazon Linux 2023 AMIs. Additionally, the default architecture and instance type has been changed to ARM64/Graviton.

As a result of this modernization, the legacy monitoring stack configuration used with the legacy AMIs has been removed.

teleport-cluster Helm chart changes

Due to the new separate operator deployment, the operator is deployed by a subchart. This causes the following breaking changes:

  • installCRDs has been replaced by operator.installCRDs
  • teleportVersionOverride does not set the operator version anymore; you must use operator.teleportVersionOverride to override the operator version.

Note: version overrides are dangerous and not recommended. Each chart version is designed to run a specific Teleport and operator version. If you want to deploy a specific Teleport version, use Helm's --version X.Y.Z instead.

The operator now joins using a Kubernetes ServiceAccount token. To validate the token, the Teleport Auth Service must have access to the TokenReview API. The chart configures this for you since v12, unless you disabled rbac creation.
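
An added example, not part of the Teleport release notes or the project's tooling: a read-only shell audit for three of the breaking changes above (packages on the legacy deb/rpm repos, architecture-suffixed Teleport Operator image tags, and the teleport-cluster values that moved under operator). The sample files, the finding labels and the teleport-operator image name are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only pre-upgrade audit for three Teleport 15 breaking changes.
# Nothing is modified; each function prints one line per finding.

# Package sources still pointing at the legacy repos, which get no v15 packages.
legacy_repo_findings() {            # $1 = directory of apt/yum source files
    grep -rnE '(deb|rpm)\.releases\.teleport\.dev' "$1" 2>/dev/null |
        sed 's/^/LEGACY_REPO /'
    return 0
}

# teleport-cluster values whose meaning changed now that the operator is a subchart.
# Heuristic: block-style YAML only; a key at column 0 is treated as top level,
# so the nested operator.installCRDs form is not reported.
helm_values_findings() {            # $1 = Helm values file
    grep -nE '^installCRDs:' "$1" |
        sed 's/^/HELM_INSTALLCRDS (use operator.installCRDs) /'
    grep -nE '^teleportVersionOverride:' "$1" |
        sed 's/^/HELM_VERSION_OVERRIDE (no longer sets the operator version) /'
    return 0
}

# Operator image tags with an architecture suffix, e.g. 14.2.1-amd64 or 14.2.1-arm.
# Assumption: the image reference contains the name "teleport-operator".
operator_tag_findings() {           # $1 = manifest or values file
    grep -nE 'teleport-operator:[0-9]+\.[0-9]+\.[0-9]+-(amd64|arm64|arm)([^[:alnum:]]|$)' "$1" |
        sed 's/^/OPERATOR_ARCH_TAG (drop the suffix) /'
    return 0
}

# Print every finding; return 1 if there is at least one, 0 if the inputs are clean.
run_audit() {                       # $1 = sources dir, $2 = values file, $3 = manifest
    local out
    out=$(legacy_repo_findings "$1"; helm_values_findings "$2"; operator_tag_findings "$3")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# --- Constructed sample input (not taken from a real host or cluster) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
mkdir -p "$SAMPLE_DIR/sources"
printf 'deb https://deb.releases.teleport.dev/ stable main\n' \
    > "$SAMPLE_DIR/sources/teleport-legacy.list"
printf 'deb https://apt.releases.teleport.dev/ubuntu jammy stable/v15\n' \
    > "$SAMPLE_DIR/sources/teleport.list"
cat > "$SAMPLE_DIR/values-old.yaml" <<'EOF'
clusterName: teleport.example.com
installCRDs: true
teleportVersionOverride: "14.3.4"
EOF
cat > "$SAMPLE_DIR/values-new.yaml" <<'EOF'
clusterName: teleport.example.com
operator:
  enabled: true
  installCRDs: true
EOF
cat > "$SAMPLE_DIR/operator.yaml" <<'EOF'
containers:
  - name: operator
    image: registry.example.com/teleport-operator:14.2.1-amd64
EOF

run_audit "$SAMPLE_DIR/sources" "$SAMPLE_DIR/values-old.yaml" "$SAMPLE_DIR/operator.yaml" ||
    echo "findings present: review before upgrading to v15"
```

The nested installCRDs value in values-new.yaml is a placeholder; check the chart's values reference for the values it accepts.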

Resource version is now mandatory and immutable in the Terraform provider

Starting with Teleport 15, each Terraform resource must have its version specified. Before version 15, Terraform was picking the latest version available on resource creation. This caused inconsistencies, as new resources created with the same manifest as old resources did not exhibit the same behavior.

Resource version is now immutable. Changing a resource version will cause Terraform to delete and re-create the resource. This ensures the correct defaults are set.

Existing resources will continue to work as Terraform already imported their version. However, new resources will require an explicit version.

Other changes

Increased password length

The minimum password length for local users has been increased from 6 to 12 characters.

Increased account lockout interval

The account lockout interval has been increased from 20 to 30 minutes.

teleport - Teleport 15.0.0-rc.4

Published by r0mant 9 months ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 15.0.0-beta.1

Published by r0mant 9 months ago

Warning

Pre-releases are not production ready, use at your own risk!

teleport - Teleport 14.3.3

Published by r0mant 9 months ago

Description

  • Fixed routing to nodes by their public addresses. #36624
  • Enhanced Kubernetes app discovery functionality to provide the ability to disable specific Service imports and configure the TLS Skip Verify option using an annotation. #36611
  • Added client remote IP address to some administrative audit events. #36567

teleport - Teleport 14.3.2

Published by camscale 9 months ago

Description

  • Fixed routing to nodes by their public address. #36591
  • Verify MFA device locks during user authentication. #36589
  • Fixed tctl get access_list and support creating Access Lists without a next audit date. #36572

teleport - Teleport 14.3.1

Published by camscale 9 months ago

Description

  • Added support to select database roles from tsh. #36528
  • Fixed goroutine leak per ssh session. #36511
  • Fixed user invites preventing listing tokens. #36492
  • Updated Go to v1.21.6. #36478
  • Fixed refresh_identity = true preventing Access Plugins connecting to Teleport using TLS routing with a L7 LB. #36469
  • Added --callback flag to tsh login. #36468
  • Added auto-enrolling capabilities to RDS discover flow in the web UI. #36434
  • Fixed an issue where bad cache state could cause spurious access denied errors during app access. #36432
  • Resources named . and .. are no longer allowed. Please review the resources in your Teleport instance and rename any resources with these names before upgrading. #36404
  • Ensured that the login time is populated for app sessions. #36373
  • Fixed incorrect report of user's IP address in Kubernetes Audit Logs. #36346
  • Access lists and associated resources are now cached, which should significantly reduce the impact of access list calculation. #36331
  • Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity. #36313
  • Fixed potential panic after backend watcher failure. #36301
  • Prevent deleted users from using account reset links created prior to the user being deleted. #36271
  • Make Unified Resources page in Web UI responsive. #36265
  • Added "Database Roles" column to tsh db ls -v. #36246
  • Safeguard against the disruption of cluster access caused by incorrect Kubernetes APIService configurations. #36227
  • Support running a version server in the proxy for automatic agent upgrades. #36220
  • The user login state generator now uses the cache, which should reduce the number of calls to the backend. #36196
  • Added the --insecure-no-resolve-image flag to the teleport-kube-agent-updater to disable image tag resolution if it cannot pull the image. #36097
  • Added future assume time to access requests. #35726

teleport - Teleport 13.4.15

Published by camscale 9 months ago

Description

  • Fixed goroutine leak per ssh session. #36512
  • Access lists now support granting roles and traits to owners. #36481
  • Updated Go to 1.20.13. #36479
  • Fixed refresh_identity = true preventing Access Plugins connecting to Teleport using TLS routing with a L7 LB. #36470
  • Fixed an issue where bad cache state could cause spurious access denied errors during app access. #36431
  • Resources named . and .. are no longer allowed. Please review the resources in your Teleport instance and rename any resources with these names before upgrading. #36403
  • Ensured that the login time is populated for app sessions. #36374
  • Added new certificate extensions and usage reporting flags to explicitly identify Machine ID bots and their cluster activity. #36366
  • Fixed incorrect report of user's IP address in Kubernetes Audit Logs. #36345
  • Access lists and associated resources are now cached, which should significantly reduce the impact of access list calculation. #36334
  • Support running a version server in the proxy for automatic agent upgrades. #36315
  • Prevent deleted users from using account reset links created prior to the user being deleted. #36275
  • The user login state generator now uses the cache, which should reduce the number of calls to the backend. #36195
  • Added the --insecure-no-resolve-image flag to the teleport-kube-agent-updater to disable image tag resolution if it cannot pull the image. #36098

teleport - Teleport 12.4.33

Published by camscale 9 months ago

Description

  • Updated Go to 1.20.13. #36480
  • Resources named . and .. are no longer allowed. Please review the resources in your Teleport instance and rename any resources with these names before upgrading. #36402
  • Ensure that the login time is populated for app sessions. #36375
  • Prevent deleted users from using account reset links created prior to the user being deleted. #36276

teleport - Teleport 12.4.32

Published by zmb3 10 months ago

Description

This release of Teleport contains multiple security fixes, improvements and bug fixes.

Security fixes

Other Fixes & Improvements

  • Fixed an issue that would prevent websocket upgrades from completing #36090
  • Added support for the IAM join method in ca-west-1 #36051
  • Update jose2go to version 1.5.1-0.20231206184617-48ba0b76bc88 #35984
  • Changed the minimal supported macOS version of Teleport Connect to 10.15 (Catalina) #35889
  • Bump golang.org/x/crypto to v0.17.0, which addresses the Terrapin vulnerability (CVE-2023-48795) #35877
  • Include the lock expiration time in lock.create audit events #35876
  • Include the lock expiration time in lock.create audit events #35864
  • Prevent users from deleting their last passwordless device #35857
  • Ensure expiration of Webauthn sessions #35790
  • Fixed session upload audit events sometimes containing an incorrect URL for the session recording #35779
  • Return the correct errors to users when an MFA ceremony fails #35752
  • Prevent attempts to join a nonexistent SSH session from hanging forever #35745

labels: security-patch=yes, security-patch-alts=v12.4.31

teleport - Teleport 14.3.0

Published by zmb3 10 months ago

Description

This release of Teleport contains multiple security fixes, improvements and bug fixes.

Security fixes

Other Fixes & Improvements

  • Added the ability to promote an access request to an access list in Teleport Connect
  • Fixed an issue that would prevent websocket upgrades from completing. #36088
  • Enhanced the audit events related to Teleport's SAML IdP #36087
  • Added support for STS session tags in the database configuration for granular DynamoDB access. #36064
  • Added support for the IAM join method in ca-west-1. #36049
  • Improved the formatting of access list notifications in tsh. #36046
  • Fixed downgrade logic of KubernetesResources to Role v6 #36009
  • Fixed potential panic during early phases of SSH service lifetime #35923
  • Added a tsh latency command to monitor SSH connection latency in real time #35916
  • Support GitHub joining from Enterprise accounts with include_enterprise_slug enabled. #35900
  • Added vpc-id as a label to auto-discovered RDS databases #35890
  • Improved teleport agent performance when handling a large number of TCP forwarding requests. #35887
  • Bump golang.org/x/crypto to v0.17.0, which addresses the Terrapin vulnerability (CVE-2023-48795) #35879
  • Include the lock expiration time in lock.create audit events #35874
  • Add custom attribute mapping to the saml_idp_service_provider spec. #35873
  • Fixed PIV not being available on Windows tsh binaries #35866
  • Restored direct dial SSH server compatibility with certain SSH tools such as ssh-keyscan (#35647) #35859
  • Prevent users from deleting their last passwordless device #35855
  • The teleport-kube-agent chart now supports passing extra arguments to the updater. #35831
  • New access lists with an unspecified NextAuditDate now pick a new date instead of being rejected #35830
  • Changed the minimal supported macOS version of Teleport Connect to 10.15 (Catalina) #35819
  • Add non-AD desktops to Enroll New Resource #35797
  • Fixed a bug in teleport-kube-agent chart when using both appResources and the discovery role. #35783
  • Fixed session upload audit events sometimes containing an incorrect URL for the session recording. #35777
  • Prevent tsh from re-authenticating if the MFA ceremony fails during tsh ssh #35750
  • Prevent attempts to join a nonexistent SSH session from hanging forever #35743
  • Improved Windows hosts registration with a new static_hosts configuration field #35742
  • Fixed the sorting of name and description columns for user groups when creating an access request #35729

labels: security-patch=yes, security-patch-alts=v14.2.4

teleport - Teleport 13.4.14

Published by zmb3 10 months ago

Description

This release of Teleport contains multiple security fixes, improvements and bug fixes.

Security fixes

Other Fixes & Improvements

  • Fixed an issue that would prevent websocket upgrades from completing #36089
  • Added support for the IAM join method in ca-west-1 #36050
  • Improved the formatting of access list notifications in tsh #36045
  • Update jose2go to version 1.5.1-0.20231206184617-48ba0b76bc88 #35985
  • Fix data race in HeartbeatV2 around .Spec.CloudMetadata (#35912) #35924
  • Changed the minimal supported macOS version of Teleport Connect to 10.15 (Catalina) #35888
  • Improved teleport agent performance when handling a large number of TCP forwarding requests #35886
  • Bump golang.org/x/crypto to v0.17.0, which addresses the Terrapin vulnerability (CVE-2023-48795) #35878
  • Include the lock expiration time in lock.create audit events #35875
  • Fixed PIV not being available on Windows tsh binaries #35865
  • Re-add PIV to amd64 centos7 release builds #35853
  • Stop users from deleting their last passwordless device #35856
  • The teleport-kube-agent chart now supports passing extra arguments to the updater #35832
  • Ensure expiration of Webauthn sessions #35789
  • Fixed session upload audit events sometimes containing an incorrect URL for the session recording #35778
  • Return the correct errors to users when an MFA ceremony fails #35751
  • Prevent attempts to join a nonexistent SSH session from hanging forever #35744

labels: security-patch=yes, security-patch-alts=v13.4.13

teleport - Teleport 14.2.3

Published by camscale 10 months ago

Description

  • Prevent Cloud tenants from being a leaf cluster. #35687
  • Added "Show All Labels" button in the unified resources list view. #35666
  • Added auto approval flow to servicenow plugin. #35658
  • Added guided SAML entity descriptor creation when entity descriptor XML is not yet available. #35657
  • Added a connection test when enrolling a new Connect My Computer resource in Web UI. #35649
  • Fixed regression of Kubernetes Server Address when Teleport runs in multiplex mode. #35633
  • When using the Slack plugin, users will now be notified directly of access requests and their approvals or denials. #35577
  • Fixed bug where configuration errors with an individual SSO connector impacted other connectors. #35576
  • Fixed client IP propagation from the Proxy to the Auth during IdP initiated SSO. #35545

teleport - Teleport 13.4.11

Published by camscale 10 months ago

Description

  • Prevent Cloud tenants from being a leaf cluster. #35688
  • Fixed regression of Kubernetes Server Address when Teleport runs in multiplex mode. #35634
  • Fixed bug where configuration errors with an individual SSO connector impacted other connectors. #35575
  • Fixed GCP VM auto-discovery not using instances' internal IP address. #35522
  • Fixed an issue where bots were unable to view or approve access requests. #35511
  • Fixed panic on potential nil value when requesting /webapi/presetroles. #35462
  • Properly identify the Teleport user responsible for modifying user resources. #35450
  • Added insecure-drop host user creation mode. #35404
  • Updated Go to 1.20.12. #35372
  • Desktop connections default to RDP port 3389 if not otherwise specified. #35344
  • Added cluster_auth_preferences to the shortcuts for cluster_auth_preference. #35328
  • Prevent an EKS fetcher without the correct IAM permissions from blocking startup of the whole Discovery service. #35323
  • Added email-based credential reset UI for Cloud users. #35239
  • Fixed a possible panic when downgrading Teleport Roles to older versions. #35237
  • OSS Teleport packages will now be published to OS package repos when private releases are cut. #35224
  • Improved streaming event handling for Kubernetes API by flushing response after each event, ensuring complete, well-formed chunks. #35196
  • Updated Teleport distroless OCI images to Debian 12. #35111
  • Fixed FIPS distroless OCI image to run with the --fips flag. #35111
  • Allow Teleport to complete abandoned uploads faster in HA deployments. #35103
  • Added new email-based UI for inviting new local users on Teleport Cloud clusters. #35076
  • Fixed an issue where the absence of a membership expiry circumvented the membership requirements check. #35056
  • Added read verb to suggested role spec when enrolling new resources. #35052
  • Fixed tsh db connect <mongodb> to give a reason on connection errors. #34909
  • Fixed an issue where "Allowed Users" in "tsh db ls" showed the wrong user for databases with Automatic User Provisioning enabled. #34851
  • Override the version of tsh kubectl with the upstream kubectl version used. #34826

teleport - Teleport 12.4.30

Published by camscale 10 months ago

Description

  • Prevent Cloud tenants from being a leaf cluster. #35689
  • Fixed bug where configuration errors with an individual SSO connector impacted other connectors. #35574
  • Properly identify the Teleport user responsible for modifying user resources. #35451
  • Added insecure-drop host user creation mode. #35405
  • Updated Go to 1.20.12. #35373
  • Desktop connections default to RDP port 3389 if not otherwise specified. #35345
  • Added cluster_auth_preferences to the shortcuts for cluster_auth_preference. #35327
  • OSS Teleport packages will now be published to OS package repos when private releases are cut. #35225
  • Improved streaming event handling for Kubernetes API by flushing response after each event, ensuring complete, well-formed chunks. #35197
  • Updated Teleport distroless OCI images to Debian 12. #35110
  • Fixed FIPS distroless OCI image to run with the --fips flag. #35110
  • Allow Teleport to complete abandoned uploads faster in HA deployments. #35104
  • Fixed tsh db connect <mongodb> to give a reason on connection errors. #34908
  • The desktop name is used instead of the address in the audit log view. #34836

teleport - Teleport 14.2.2

Published by r0mant 11 months ago

Description

  • Prevent panic when dialing a deleted Application Server. #35525
  • Fixed a regression in 14.2.1 where arm32 binaries had higher glibc requirements. #35539
  • Fixed GCP VM auto-discovery not using instances' internal IP address. #35521
  • Calculate latency of Web SSH sessions and report it to users. #35516
  • Fix an issue where bots were unable to view or approve access requests. #35512
  • Fix querying of large audit events with Athena backend. #35483
  • Fix panic on potential nil value when requesting /webapi/presetroles. #35463
  • Add insecure-drop host user creation mode. #35403
  • IAM permissions for rds:DescribeDBProxyTargets are no longer required for RDS Proxy discovery. #35389
  • Update Go to 1.21.5. #35371
  • Desktop connections default to RDP port 3389 if not otherwise specified. #35343
  • Add cluster_auth_preferences to the shortcuts for cluster_auth_preference. #35329
  • Make the podSecurityPolicy configurable in the teleport-kube-agent chart. #35320
  • Prevent an EKS fetcher without the correct IAM permissions from blocking startup of the whole Discovery service. #35319
  • Add database automatic user provisioning support for self-hosted MongoDB. #35317
  • Improve the resilience of tbot to misconfiguration of auth connectors when generating a Kubernetes output. #35309
  • Fix crash when writing kubeconfig with tctl auth sign --tar. #34874
