teleport

The easiest, and most secure way to access and protect all of your infrastructure.

AGPL-3.0 License

Stars
17.1K
Committers
305


teleport - Teleport 14.2.1

Published by camscale 11 months ago

Description

  • Fixed issue that could cause app and desktop session recording events to be written to the audit log. #35183
  • Fixed a possible panic when downgrading Teleport roles to older versions. #35236
  • Fixed a regression issue where tsh db connect to Redis 7 fails with an error on REDIS_REPLY_STATUS. #35162
  • Allow Teleport to complete abandoned uploads faster in HA deployments. #35102
  • Fixed error when installing a v13 node with the default installer from a v14 cluster. #35058
  • Fixed issue with the absence of membership expiry circumventing membership requirements check. #35057
  • Added read verb to suggested role spec when enrolling new resources. #35053
  • Added more new "Enroll Integration" tiles for Machine ID guides. #35050
  • Fixed default installer yum error on RHEL and Amazon Linux. #35021
  • External Audit Storage enables Cloud customers to store Audit Logs and Session Recordings in their own AWS account. #35008
  • Fixed IP propagation for nodes/bots joining the cluster and add LoginIP to bot certificates. #34958
  • Fixed an issue where tsh db connect <mongodb> does not give a reason on connection errors. #34910
  • Updated distroless images to use Debian 12. #34878
  • Added new email-based UI for inviting new local users on Teleport Cloud clusters. #34869
  • Fixed an issue where "Allowed Users" in "tsh db ls" shows the wrong user for databases with Automatic User Provisioning enabled. #34850
  • Fixed issue with application access requests and web UI large file downloads timing out after 30 seconds. #34849
  • Added default database support for PostgreSQL auto-user provisioning. #34840
  • Machine ID: handle kernel version check failing more gracefully. #34828

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.10

Published by fheinecke 11 months ago

Description

  • Device trust data is now collected concurrently on Windows #34838
  • Fixed crash when writing kubeconfig with tctl auth sign --tar #34822
  • Multiple resource filters can now be selected in the search bar in Teleport Connect #34544

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 12.4.28

Published by camscale 11 months ago

Security Fixes

[Medium] Arbitrary code execution with LD_PRELOAD and SFTP

Teleport implements SFTP using a subcommand. Prior to this release it was
possible to inject environment variables into the execution of this
subcommand, via shell init scripts or via the SSH environment request.

This is addressed by preventing LD_PRELOAD and other dangerous environment
variables from being forwarded during re-exec.

#34276

[Medium] Outbound SSH from Proxy can lead to IP spoofing

If the Teleport auth or proxy services are configured to accept PROXY
protocol headers, a malicious actor can use this to spoof their IP address.

This is addressed by requiring that the first bytes of any SSH connection are
the SSH protocol prefix, denying a malicious actor the opportunity to send their
own proxy headers.

#33731

Third-party Security Fixes

  • Updated go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency
    • otelgrpc DoS vulnerability due to unbound cardinality metrics: CVE-2023-47108

Other Fixes & Improvements

  • Increased the maximum width of the console tabs in the web UI. #34649
  • Prevented .tsh/environment values from overriding prior set values. #34624
  • Fixed incorrect permissions when opening X11 listener. #34615
  • Fixed access requests to respect explicit deny rules. #34599
  • Improved the error message when attempting to enroll a hardware key that cannot support passwordless. #34591
  • Added post-review state of Access Request in audit log description #34215
  • Updated Operator Reconciliation to skip Teleport Operator on status updates #34197
  • Updated Server Auto-Discovery installer script to use bash instead of sh #34150
  • Fixed Azure Identity federated Application ID #33958
  • Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #33950
  • Fixed issue where tsh aws ecs execute-command would always fail #33831
  • Fixed formatting errors on empty result sets in tsh #33725
  • Teleport Operator now caches and re-uses Teleport connections where possible #34451
  • Improved PostgreSQL Statement Bind audit log events by encoding binary params in base64 #34451
  • Fixed cleanup of unused GCP KMS keys #34470

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 14.2.0

Published by fheinecke 11 months ago

Description

New Features

Advanced Okta Integration (Enterprise Edition only)

Teleport will be able to automatically create SSO connector and sync users when configuring Okta integration.

Connect my Computer support in Web UI

The Teleport web UI will provide a guided flow for joining your computer to the Teleport cluster using Teleport Connect.

Dynamic credential reloading for plugins

Teleport plugins will support dynamic credential reloading, allowing them to take advantage of short-lived (and frequently rotated) credentials generated by Machine ID.

Fixes and Improvements

  • Access list review reminders will now be sent via Slack #34663
  • Improve the error message when attempting to enroll a hardware key that cannot support passwordless #34589
  • Allow selecting multiple resource filters in the search bar in Connect #34543
  • Added a guided flow for joining your computer to the Teleport cluster using Teleport Connect; find it in the Web UI under Enroll New Resource -> Connect My Computer (available only for local users, with prerequisites) #33688

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 14.1.5

Published by camscale 11 months ago

Description

  • Increased the maximum width of the console tabs in the web UI. #34648
  • Fixed accessing dedicated Proxy Kubernetes port when TLS routing is enabled. #34645
  • Fixed tsh --piv-slot custom PIV slot setting for Hardware Key Support. #34592
  • Disabled AWS IMDSv1 fallback and enforced use of FIPS endpoints in FIPS mode. #34433
  • Fixed incorrect permissions when opening X11 listener. #34617
  • Prevented .tsh/environment values from overriding prior set values. #34626
  • Changed access lists to respect user locking. #34620
  • Fixed access requests to respect explicit deny rules. #34600
  • Added Teleport Access Graph integration. #34569
  • Fixed cleanup of unused GCP KMS keys. #34468
  • Added list view option to the unified resources page. #34466
  • Fixed duplicate entries in resources view when updating nodename #34236 #34453
  • Allow configuring cluster_networking_config and cluster_auth_preference via --bootstrap. #34445
  • Fixed tsh logout with broken key directory. #34435
  • Added binary formatted parameters as base64 encoded strings to PostgreSQL Statement Bind audit log events. #34432
  • Reduced CPU & memory usage, and logging in the operator, by reusing connections to Teleport. #34425
  • Updated the code signing certificate for Windows artifacts. #34377
  • Added IAM Authentication support for Amazon MemoryDB Access. #34348
  • Split large desktop recordings into multiple files during export. #34319
  • Allow setting server labels from tctl. #34137

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.9

Published by camscale 11 months ago

Description

  • Increased the maximum width of the console tabs in the web UI. #34650
  • Prevented .tsh/environment values from overriding prior set values. #34625
  • Fixed incorrect permissions when opening X11 listener. #34616
  • Changed access lists to respect user locking. #34619
  • Fixed access requests to respect explicit deny rules. #34603
  • Improved the error message when attempting to enroll a hardware key that cannot support passwordless. #34590
  • Fixed cleanup of unused GCP KMS keys. #34469
  • Added binary formatted parameters as base64 encoded strings to PostgreSQL Statement Bind audit log events. #34434
  • Reduced CPU & memory usage, and logging in the operator, by reusing connections to Teleport. #34431
  • Updated the code signing certificate for Windows artifacts. #34378
  • Added IAM Authentication support for Amazon MemoryDB Access. #34357
  • Split large desktop recordings into multiple files during export. #34320

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.7

Published by tcsc 11 months ago

Description

This release contains two security fixes, plus numerous other fixes and improvements.

Security Fixes

[Medium] Arbitrary code execution with LD_PRELOAD and SFTP

Teleport implements SFTP using a subcommand. Prior to this release it was
possible to inject environment variables into the execution of this
subcommand, via shell init scripts or via the SSH environment request.

This is addressed by preventing LD_PRELOAD and other dangerous environment
variables from being forwarded during re-exec.

#34275

[Medium] Outbound SSH from Proxy can lead to IP spoofing

If the Teleport auth or proxy services are configured to accept PROXY
protocol headers, a malicious actor can use this to spoof their IP address.

This is addressed by requiring that the first bytes of any SSH connection are
the SSH protocol prefix, denying a malicious actor the opportunity to send their
own proxy headers.

#33730

Other Fixes & Improvements

  • Updated Operator Reconciliation to skip Teleport Operator on status updates #34196
  • Updated Kube Agent Auto-Discovery to install the Teleport version provided by Automatic Upgrades #34158
  • Updated Server Auto-Discovery installer script to use bash instead of sh #34143
  • When a promotable Access Request targets a resource that belongs to an Access List, owners of that list will now automatically be added as reviewers. #34130
  • Fixed issue where an auto-provisioned PostgreSQL user may keep old roles indefinitely #34120
  • Fixed incorrectly set file mode for Windows TPM files #34114
  • Fixed Azure Identity federated Application ID #33959
  • Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #33951
  • Added support for formatting hostname as host:port to tsh puttyconfig #33884
  • Fixed various Access List bookkeeping issues #33835
  • Fixed issue where tsh aws ecs execute-command would always fail #33832

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 14.1.3

Published by tcsc 11 months ago

Description

This release contains two security fixes, plus numerous other fixes and improvements.

Security Fixes

[Medium] Arbitrary code execution with LD_PRELOAD and SFTP

Teleport implements SFTP using a subcommand. Prior to this release it was
possible to inject environment variables into the execution of this
subcommand, via shell init scripts or via the SSH environment request.

This is addressed by preventing LD_PRELOAD and other dangerous environment
variables from being forwarded during re-exec.

#3274
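
An added example (not Teleport's code) of the mitigation described above, which the 12.4.28 and 13.4.7 notes also list: filter the requested environment before re-executing a subcommand. The deny rules, the function names and the helper path are assumptions of this example; the notes name only LD_PRELOAD.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// Assumption: this deny rule is the example's own choice, not Teleport's list.
// LD_* covers the glibc loader (LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT);
// DYLD_* covers the macOS loader (DYLD_INSERT_LIBRARIES).
var dangerousPrefixes = []string{"LD_", "DYLD_"}

// Variables that make a shell source a file before running the command.
var dangerousNames = map[string]bool{
	"BASH_ENV": true, // read by non-interactive bash
	"ENV":      true, // read by POSIX sh
}

func isDangerous(name string) bool {
	for _, p := range dangerousPrefixes {
		if strings.HasPrefix(name, p) {
			return true
		}
	}
	return dangerousNames[name]
}

// FilterReexecEnv splits KEY=VALUE entries into those that may be forwarded
// to the child and those that are dropped. Malformed entries (no '=' or an
// empty name) are dropped as well, so nothing ambiguous reaches the child.
func FilterReexecEnv(env []string) (kept, dropped []string) {
	for _, kv := range env {
		name, _, ok := strings.Cut(kv, "=")
		if !ok || name == "" || isDangerous(name) {
			dropped = append(dropped, kv)
			continue
		}
		kept = append(kept, kv)
	}
	return kept, dropped
}

// ReexecCommand builds the child command with an explicit environment.
// A nil cmd.Env makes os/exec inherit the parent's environment, which would
// undo the filter, so an empty result is set as a non-nil empty slice.
func ReexecCommand(path string, args, requested []string) (*exec.Cmd, []string) {
	kept, dropped := FilterReexecEnv(requested)
	cmd := exec.Command(path, args...)
	cmd.Env = append([]string{}, kept...)
	return cmd, dropped
}

func main() {
	// Constructed sample of variables set by init scripts or SSH env requests.
	requested := []string{
		"TERM=xterm-256color",
		"LD_PRELOAD=/tmp/constructed.so",
		"LDFLAGS=-L/opt/lib", // not a loader variable; kept
		"BASH_ENV=/tmp/constructed.rc",
		"DYLD_INSERT_LIBRARIES=/tmp/constructed.dylib",
		"NOEQUALS",
	}
	// Hypothetical helper path; the command is built but not started.
	cmd, dropped := ReexecCommand("/usr/local/bin/example-helper", []string{"sftp"}, requested)
	fmt.Println("forwarded:", cmd.Env)
	fmt.Println("dropped:  ", dropped)
}
```

Logging the dropped entries gives responders a record of who tried to set loader variables on a session.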

[Medium] Outbound SSH from Proxy can lead to IP spoofing

If the Teleport auth or proxy services are configured to accept PROXY
protocol headers, a malicious actor can use this to spoof their IP address.

This is addressed by requiring that the first bytes of any SSH connection are
the SSH protocol prefix, denying a malicious actor the opportunity to send their
own proxy headers.

#33729
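
An added example (not Teleport's code) of the check described above, which the 12.4.28 and 13.4.7 notes also list: peek at the first bytes of a new connection and accept it only if they are the SSH identification prefix. The prefix constant follows RFC 4253; the exact bytes Teleport compares, the function names and the sample payloads are assumptions of this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net"
	"time"
)

// RFC 4253 identification strings start with "SSH-protoversion-".
const sshPrefix = "SSH-2.0-"

// ErrNotSSH is returned when the peer's first bytes are anything else,
// including a PROXY protocol v1 line or v2 signature.
var ErrNotSSH = errors.New("first bytes are not the SSH protocol prefix")

// peekedConn replays the bytes buffered during the check to later readers.
type peekedConn struct {
	net.Conn
	r *bufio.Reader
}

func (c *peekedConn) Read(p []byte) (int, error) { return c.r.Read(p) }

// RequireSSHPrefix inspects the first len(sshPrefix) bytes without consuming
// them. The read deadline bounds how long a silent peer can hold the slot.
func RequireSSHPrefix(conn net.Conn, timeout time.Duration) (net.Conn, error) {
	if err := conn.SetReadDeadline(time.Now().Add(timeout)); err != nil {
		return nil, err
	}
	r := bufio.NewReader(conn)
	head, err := r.Peek(len(sshPrefix))
	if err != nil {
		return nil, fmt.Errorf("reading first bytes: %w", err)
	}
	if !bytes.Equal(head, []byte(sshPrefix)) {
		return nil, ErrNotSSH
	}
	if err := conn.SetReadDeadline(time.Time{}); err != nil {
		return nil, err
	}
	return &peekedConn{Conn: conn, r: r}, nil
}

// firstLineIfSSH feeds payload through an in-memory pipe and returns the
// first line the SSH layer would see if the connection is accepted.
func firstLineIfSSH(payload []byte) (string, error) {
	client, server := net.Pipe()
	defer server.Close()
	go func() {
		defer client.Close()
		_, _ = client.Write(payload)
	}()
	conn, err := RequireSSHPrefix(server, time.Second)
	if err != nil {
		return "", err
	}
	return bufio.NewReader(conn).ReadString('\n')
}

func main() {
	// Constructed payloads; addresses are from documentation ranges.
	samples := map[string][]byte{
		"ssh client":    []byte("SSH-2.0-OpenSSH_9.6\r\n"),
		"proxy v1 line": []byte("PROXY TCP4 203.0.113.7 192.0.2.10 51234 22\r\nSSH-2.0-x\r\n"),
		"proxy v2 sig":  []byte("\r\n\r\n\x00\r\nQUIT\n\x21\x11\x00\x0c"),
	}
	for name, p := range samples {
		line, err := firstLineIfSSH(p)
		fmt.Printf("%-14s line=%q err=%v\n", name, line, err)
	}
}
```

Because the check uses Peek, an accepted connection still delivers the full identification string to the SSH handshake.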

Other Fixes & Improvements

  • Fixed issue where tbot would select the wrong address for Kubernetes Access when in ports separate mode #34283
  • Added post-review state of Access Request in audit log description #34213
  • Updated Operator Reconciliation to skip Teleport Operator on status updates #34194
  • Updated Kube Agent Auto-Discovery to install the Teleport version provided by Automatic Upgrades #34157
  • Updated Server Auto-Discovery installer script to use bash instead of sh #34144
  • When a promotable Access Request targets a resource that belongs to an Access List, owners of that list will now automatically be added as reviewers. #34131
  • Added Database Automatic User Provisioning support for Redshift #34126
  • Added teleport_auth_type config parameter to the AWS Terraform examples #34124
  • Fixed issue where an auto-provisioned PostgreSQL user may keep old roles indefinitely #34121
  • Fixed incorrectly set file mode for Windows TPM files #34113
  • Added dynamic credential reloading for access plugins #34079
  • Fixed Azure Identity federated Application ID #33960
  • Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #33950
  • Added support for formatting hostname as host:port to tsh puttyconfig #33883
  • Added support for --set-context-name to tsh proxy kube
  • Fixed various Access List bookkeeping issues #33834
  • Fixed issue where tsh aws ecs execute-command would always fail #33833
  • Updated UI to automatically redirect to login page on missing session cookie #33806
  • Added Dynamic Discovery matching for Databases #33693
  • Fixed formatting errors on empty result sets in tsh #33633
  • Added Database Automatic User Provisioning support for MariaDB #34256
  • Fixed issue where MySQL auto-user deletion fails on usernames with quotes #34304

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 13.4.5

Published by fheinecke 12 months ago

Description

  • Fixed the top bar breaking layout when the window is narrow in Connect #33822
  • Web UI will now redirect to login upon missing session cookie #33807
  • Limited Snowflake decompressed request size to 10MB #33763
  • Added URL and SAML connector name in entity descriptor URL errors #33668
  • Updated tsh to accept --proxy values with https:// prefixes #33647

Enhanced PuTTY/WinSCP Support

tsh on Windows now supports the tsh puttyconfig command, which can easily configure saved sessions inside the well-known PuTTY and WinSCP clients to connect to Teleport SSH services.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 14.1.1

Published by fheinecke 12 months ago

Description

  • Fixed the top bar breaking layout when the window is narrow in Connect #33821
  • Limited Snowflake decompressed request to 10MB #33764
  • Added MySQL auto-user deletion #33710
  • Configured Connect to intercept deep link clicks #33684
  • Added URL and SAML connector name in entity descriptor URL errors #33667
  • Added the ability to run a specific tool to Assist. #33640
  • Added PostgreSQL auto-user deletion #33570
  • Added DiscoveryConfig CRUD operations #33380

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 12.4.23

Published by camscale about 1 year ago

Security fixes

  • Updated golang.org/x/net dependency. #33448
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated google.golang.org/grpc to v1.57.1. #33487
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated Go library dependencies. #33544
    • crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb: CVE-2023-28119
    • Snowflake Golang Driver vulnerable to Command Injection: CVE-2023-34231
    • Docker Swarm encrypted overlay network may be unauthenticated: CVE-2023-28840
    • Docker Swarm encrypted overlay network traffic may be unencrypted: CVE-2023-28841
    • Docker Swarm encrypted overlay network with a single endpoint is unauthenticated: CVE-2023-28842
  • Updated OpenTelemetry dependency. #33552
    • OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142
  • Updated JS dependencies. #33426 #33467
    • Regular Expression Denial of Service in trim: CVE-2020-7753
    • semver vulnerable to Regular Expression Denial of Service: CVE-2022-25883
    • word-wrap vulnerable to Regular Expression Denial of Service: CVE-2023-26115
    • xmldom allows multiple root nodes in a DOM: CVE-2022-39353
    • loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS): CVE-2022-37599
    • Prototype pollution in webpack loader-utils: CVE-2022-37601
    • loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable: CVE-2022-37603
    • Prototype pollution in Plist before 3.0.5 can cause denial of service: CVE-2022-22912
    • decode-uri-component vulnerable to Denial of Service (DoS): CVE-2022-38900
    • Cross-realm object access in Webpack 5: CVE-2023-28154
    • Prototype Pollution in JSON5 via Parse Method: CVE-2022-46175
    • http-cache-semantics vulnerable to Regular Expression Denial of Service: CVE-2022-25881
    • Exposure of sensitive information in follow-redirects: CVE-2022-0155
    • node-fetch forwards secure headers to untrusted sites: CVE-2022-0235
    • Exposure of Sensitive Information to an Unauthorized Actor in nanoid: CVE-2021-23566
    • Terser insecure use of regular expressions leads to ReDoS: CVE-2022-25858
  • Updated babel/core to 7.3.2. #33445
    • Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133

Other fixes and improvements

  • Fixed failure to connect to OpenSSH nodes when tracing is enabled. #33594
  • Web SSH sessions are terminated right away when a user closes the tab. #33535
  • Added support for Windows AD root domain for PKI operations. #33395

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 14.1.0

Published by camscale about 1 year ago

New features

  • Teleport Connect 14.1 introduces Connect My Computer which makes it possible to add your personal machine to a Teleport cluster in just a couple of clicks. Whether you're exploring capabilities of Teleport or want to make your computer available in your private cluster, Connect My Computer lets you do that without having to use the terminal to get the job done. Docs: https://goteleport.com/docs/connect-your-client/teleport-connect/#connect-my-computer
  • Resource pinning allows you to pin your most frequently accessed resources to a separate page for easy access.
  • Access Monitoring provides a view of risky accounts access and access anti-patterns in clusters using Athena as the audit log backend.
  • Users can connect to EC2 instances via AWS EC2 Instance Connect endpoints without needing to install Teleport agents.
  • Access list owners will be able to perform regular periodic reviews of the access list members.

Security fixes

  • Updated golang.org/x/net dependency. #33420
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated google.golang.org/grpc to v1.57.1. #33487
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated OpenTelemetry dependency. #33523 #33550
    • OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142
  • Updated babel/core to 7.3.2. #33441
    • Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133

Other fixes and improvements

  • Web SSH sessions are terminated right away when a user closes the tab. #33529
  • Added the ability for bots to submit access request reviews. #33509
  • Added access review notifications when logging in via tsh or running tsh status. #33468
  • Added database automatic user provisioning support for MySQL. #33379
  • Added job to update the Teleport version for deployments in Amazon ECS used during RDS Enrollment. #33313
  • Fixed Teleport Assist SQL view names. #33581
  • Fixed hardware key support for sso web login. #33548
  • Fixed access lists to allow them to affect access request permissions. #33350
  • Prevented remote proxies from impersonating users from different clusters. #33539
  • Added link to access request in ServiceNow incidents. #33593
  • Added new "Identity Governance & Security" navigation section in web UI. #33423
  • Fixed tsh connection issue when Proxy is in separate mode and Web port is TLS-terminated by a load balancer. #32531 #33406
  • Fixed panic when trying to register resources from older Kubernetes clusters with extensions/v1beta1 group/version. #33402
  • Fixed access list audit log messages to properly include user names. #33383
  • Added notification icon to Web UI to show Access List review notifications. #33381
  • Fixed creation of @teleport-access-approver role to v6 to support downgrades to Teleport 13. #33354
  • Added ability to specify PIV slot for hardware key support. #33352 #33353
  • Extended timeout when waiting for hardware key touch/PIN. #33348
  • Added support for Windows AD root domain for PKI operations. #33275
  • Added resources to Slack notification of Access Requests. #33264
  • Fixed provision tokens to make system roles case-insensitive. #33260

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 13.4.4

Published by camscale about 1 year ago

Description

  • Prevented remote proxies from impersonating users from different clusters. #33540
  • Web SSH sessions are terminated right away when a user closes the tab. #33532
  • Added the ability for bots to submit access request reviews. #33510
  • Added access review notifications when logging in via tsh or running tsh status. #33469
  • Added optional security group selection in AWS RDS Discovery flow. #33454
  • Added new "Identity Governance & Security" navigation section in web UI. #33425
  • Fixed access list audit log messages to properly include user names. #33384
  • Added notification icon to Web UI to show Access List review notifications. #33382
  • Fixed access lists to allow them to affect access request permissions. #33351
  • Added job to update the Teleport version for deployments in Amazon ECS used during RDS Enrollment. #33311
  • Added support for Windows AD root domain for PKI operations. #33276

Security fixes

  • Updated golang.org/x/net dependency. #33447
    • CVE-2023-44487: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack
  • Updated google.golang.org/grpc to v1.57.1. #33488
    • CVE-2023-44487: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack
  • Updated OpenTelemetry dependency. #33551
    • CVE-2023-45142: OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics
  • Updated Go library dependencies. #33527
    • CVE-2022-28948: gopkg.in/yaml.v3 Denial of Service
    • CVE-2023-33199: malformed proposed intoto entries can cause a panic
    • CVE-2023-30551: Rekor's compressed archives can result in OOM conditions
    • CVE-2023-28119: crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb
  • Updated JS library dependencies. #33452
    • CVE-2022-25883: semver vulnerable to Regular Expression Denial of Service
    • CVE-2023-26115: word-wrap vulnerable to Regular Expression Denial of Service
  • Updated babel/core to 7.3.2. #33442
    • CVE-2023-45133: Arbitrary code execution when compiling specifically crafted malicious code

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes

teleport - Teleport 14.0.3

Published by tcsc about 1 year ago

Description

This release of Teleport contains one security fix, and various other updates.

Security Fixes

[Critical] Privilege escalation through RecursiveChown

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to chown arbitrary files on the system.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#33248

Other Fixes

  • Fixed spurious timeouts in Database Access Sessions #32720
  • Azure VM auto-discovery can now find VMs with multiple managed identities #32800
  • Fixed improperly set Kubernetes impersonation headers #32848
  • tsh puttyconfig now uses Validity format for WinSCP compatibility #32856
  • Teleport client now uses gRPC when connecting to the root cluster #32662
  • Teleport client now uses gRPC when creating tracing client #32663
  • Fixed panic on tsh device enroll --current-device #32756
  • The Teleport etcd backend will now start if some nodes are unreachable #32779
  • Fixed certificate verification issues when using kubectl exec #32768
  • Added Discover flow for enrolling EC2 Instances with EICE #32760
  • Added connection information to multiplexer logs #32738
  • Fixed issue causing keys to be incorrectly removed in tsh and Teleport Connect on Windows #32963
  • Improved Unified Resource Cache performance #33027
  • Adds Audit Review recurrence presets #32960
  • Fixed multiple discovery install attempts on Azure & GCP VMs #32569
  • Fixed a corner case of privilege tokens where MFA devices disabled by cluster settings were still counted against the user #32430
  • Fixed Access List caching & eventing issues #32649
  • Fixed user session tracking across trusted clusters #32967
  • Added cost optimized pagination search for athena #33007
  • Teleport now reports initial command to session moderators #33112
  • OneOff install script now installs enterprise Teleport when generated by an enterprise cluster #33148
  • Fixed issue when playing back a session recorded on a leaf cluster #33102
  • Fixed self-signed certificate issue on macOS #33156
  • Discovery EC2 instance listing now shows instance name #33179
  • Fixed HTTP connection hijack issue when using tsh proxy kube #33172
  • Improved error messaging in tsh kube credentials when root cluster roles don't allow Kube access #33210

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.3

Published by tcsc about 1 year ago

Description

This release of Teleport contains one security fix, and various other updates.

Security Fixes

[Critical] Privilege escalation through RecursiveChown

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to chown arbitrary files on the system.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#33247

Other Fixes

  • Fixed multiple discovery install attempts on Azure & GCP VMs #32570
  • Fixed Access List caching & eventing issues #32651
  • Teleport client now uses gRPC when creating tracing client #32664
  • Fixed a corner case of privilege tokens where MFA devices disabled by cluster settings were still counted against the user #32668
  • Fixed spurious timeouts in Database Access Sessions
  • Added connection information to multiplexer logs #32739
  • Fixed panic on tsh device enroll --current-device #32757
  • Added Discover flow for enrolling EC2 Instances with Instance Connect Endpoint #32766
  • The Teleport etcd backend will now start if some nodes are unreachable #32778
  • Adds Audit Review recurrence presets #32961
  • Fixed issue causing keys to be incorrectly removed in tsh and Teleport Connect on Windows #32964
  • Added cost optimized pagination search for athena #33006
  • Allow "auth unreachable" error message to be configurable #33037
  • Fixed user session tracking across trusted clusters #32996
  • Fixed issue when playing back a session recorded on a leaf cluster #33104
  • Teleport now reports initial command to session moderators #33113
  • OneOff install script now installs enterprise Teleport when generated by an enterprise cluster #33147
  • Fixed self-signed certificate issue on macOS #33157
  • Discovery EC2 instance listing now shows instance name #33178
  • Improved error messaging in tsh kube credentials when root cluster roles don't allow Kube access #33211

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 11.3.27

Published by tcsc about 1 year ago

Description

This release of Teleport contains a security fix.

Security fixes

[Critical] Privilege escalation through RecursiveChown

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to chown arbitrary files on the system.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#33245

Other fixes and improvements

None

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

labels: security-patch=yes

teleport - Teleport 12.4.22

Published by tcsc about 1 year ago

Description

This release of Teleport contains one security fix and various other updates.

Security Fixes

[Critical] Privilege escalation through RecursiveChown

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to chown arbitrary files on the system.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#33246

Other fixes

  • Improved error messaging in tsh kube credentials when root cluster roles don't allow Kube access #33227
  • Fixed self-signed certificate issue on macOS #33158
  • Allow "auth unreachable" error message to be configurable #33039
  • Fixed user session tracking across trusted clusters #33019
  • Fixed issue causing keys to be incorrectly removed in tsh and Teleport Connect on Windows #32965
  • Added connection information to multiplexer logs #32740
  • Fixed spurious timeouts in Database Access Sessions #32726
  • Fixed a corner case of privilege tokens where MFA devices disabled by cluster settings were still counted against the user #32669
  • Fixed multiple discovery install attempts on Azure & GCP VMs #32571

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 14.0.1

Published by fheinecke about 1 year ago

Description

  • Fixed issue where Teleport Connect Kube terminal throws an internal server error #32612
  • Fixed create_host_user_mode issue with TeleportRole in the Teleport Operator CRDs #32557
  • Fixed issue that allowed for duplicate Access List owners #32481
  • Removed unnecessary permission requirement from PostgreSQL backend #32474
  • Added feature allowing for managing host sudoers without also creating users #32400
  • Fixed dynamic labels not being present on server access audit events #32382
  • Added PostHog events for discovered Kubernetes Apps #32379
  • Fixed issue where changing the cluster name leads to cluster being inaccessible #32352
  • Added additional logging for when the Teleport process file is not accessible due to a permission issue upon startup #32348
  • Fixed issue where the teleport-kube-agent Helm chart would create the same ServiceAccount multiple times #32338
  • Fixed GCP VM auto-discovery bugs #32316
  • Added Access List usage events #32297
  • Allowed for including only traits when doing a JWT rewrite for web application access #32291
  • Added IneligibleStatus fields for access list members and owners #32278
  • Fixed issue where the auth server was listed twice in the inventory of connected resources #32270
  • Added three second shutdown delay on SIGINT/SIGTERM #32189
  • Add initial ServiceNow plugin #32131

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 13.4.1

Published by fheinecke about 1 year ago

Description

  • Fixed create_host_user_mode issue with TeleportRole in the Teleport Operator CRDs #32556
  • Fixed issue that allowed for duplicate Access List owners. #32480
  • Added feature allowing for managing host sudoers without also creating users #32404
  • Fixed dynamic labels not being present on server access audit events #32383
  • Added additional logging for when the Teleport process file is not accessible due to a permission issue upon startup #32349
  • Fixed issue where the teleport-kube-agent Helm chart would create the same ServiceAccount multiple times #32337
  • Added Access List usage events #32298
  • Allowed for including only traits when doing a JWT rewrite for web application access #32290
  • Added IneligibleStatus fields for access list members and owners (#31857) #32279
  • Fixed issue where the auth server was listed twice in the inventory of connected resources #32269
  • Added support for AWS EC2 IMDSv2 on installer script and when gathering inventory metadata #31134

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

teleport - Teleport 12.4.20

Published by fheinecke about 1 year ago

Description

  • Added support for AWS EC2 IMDSv2 on installer script and when gathering inventory metadata #32446
  • Added additional logging for when the Teleport process file is not accessible due to a permission issue upon startup #32350

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.