@@ -1,3 +1,167 @@
-------------------------------------------------------------------
Thu May 23 19:36:32 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 15.3.6 (no releases between .1 and .6):
This release contains fixes for several high-severity security
issues, as well as numerous other bug fixes and improvements.
Security Fixes
* [High] Unrestricted redirect in SSO Authentication
Teleport didn’ t sufficiently validate the client redirect URL.
This could allow an attacker to trick Teleport users into
performing an SSO authentication and redirect to an
attacker-controlled URL allowing them to steal the credentials.
#41834.
Warning: Teleport will now disallow non-localhost callback URLs
for SSO logins unless otherwise configured. Users of the tsh
login --callback feature should modify their auth connector
configuration as follows:
The allowed_https_hostnames field is an array containing
allowed hostnames, supporting glob matching and, if the string
begins and ends with ^ and $ respectively, full regular
expression syntax. Custom callback URLs are required to be
HTTPS on the standard port (443).
* [High] CockroachDB authorization bypass
When connecting to CockroachDB using Database Access, Teleport
did not properly consider the username case when running RBAC
checks. As such, it was possible to establish a connection
using an explicitly denied username when using a different
case. #41823.
* [High] Long-lived connection persistence issue with expired
certificates
Teleport did not terminate some long-running mTLS-authenticated
connections past the expiry of client certificates for users
with the disconnect_expired_cert option. This could allow such
users to perform some API actions after their certificate has
expired. #41827.
* [High] PagerDuty integration privilege escalation
When creating a role access request, Teleport would include
PagerDuty annotations from the entire user’ s role set rather
than a specific role being requested. For users who run
multiple PagerDuty access plugins with auto-approval, this
could result in a request for a different role being
inadvertently auto-approved than the one which corresponds to
the user’ s active on-call schedule. #41837.
* [High] SAML IdP session privilege escalation
When using Teleport as SAML IdP, authorization wasn’ t properly
enforced on the SAML IdP session creation. As such,
authenticated users could use an internal API to escalate their
own privileges by crafting a malicious program. #41846.
We strongly recommend all customers upgrade to the latest
releases of Teleport.
Other fixes and improvements
* Fixed access request annotations when annotations contain
globs, regular
* expressions, trait expansions, or claims_to_roles is used.
#41936.
* Added AWS Management Console as a guided flow using AWS OIDC
integration in
* the "Enroll New Resource" view in the web UI. #41864.
* Fixed spurious Windows Desktop sessions screen resize during an
MFA ceremony. #41856.
* Fixed session upload completion with large number of
simultaneous session
* uploads. #41854.
* Fixed MySQL databases version reporting on new connections.
#41819.
* Added read-only permissions for cluster maintenance config.
#41790.
* Stripped debug symbols from Windows builds, resulting in
smaller tsh and
* tctl binaries. #41787
* Fixed passkey deletion so that a user may now delete their last
passkey if
* the have a password and another MFA configured. #41771.
* Changed the default permissions for the Workload Identity Unix
socket to 0777
* rather than the default as applied by the umask. This will
allow the socket to
* be accessed by workloads running as users other than the user
that owns the
* tbot process. #41754
* Added ability for teleport-event-handler to skip certain events
type when
* forwarding to an upstream server. #41747.
* Added automatic GCP label importing. #41733.
* Fixed missing variable and script options in Default Agentless
Installer
* script. #41723.
* Removed invalid AWS Roles from Web UI picker. #41707.
* Added remote address to audit log events emitted when a Bot or
Instance join
* completes, successfully or otherwise. #41700.
* Simplified how Bots are shown on the Users list page. #41697.
* Added improved-performance implementation of ProxyCommand for
Machine ID and
* SSH. This will become the default in v16. You can adopt this
new mode early by
* setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
* Improved EC2 Auto Discovery by adding the SSM script output and
more explicit
* error messages. #41664.
* Added webauthn diagnostics commands to tctl. #41643.
* Upgraded application heartbeat service to support 1000+ dynamic
applications. #41626
* Fixed issue where Kubernetes watch requests are written out of
order. #41624.
* Fixed a race condition triggered by a reload during Teleport
startup. #41592.
* Updated discover wizard Install Script to support Ubuntu 24.04.
#41589.
* Fixed systemd unit to always restart Teleport on failure unless
explicitly stopped. #41581.
* Updated Teleport package installers to reload Teleport service
config after
* upgrades. #41547.
* Fixed file truncation bug in Desktop Directory Sharing. #41540.
* Fixed WebUI SSH connection leak when browser tab closed during
SSH connection
* establishment. #41518.
* Fixed AccessList reconciler comparison causing audit events
noise. #41517.
* Added tooling to create SCIM integrations in tctl. #41514.
* Fixed Windows Desktop error preventing rendering of the remote
session. #41498.
* Fixed issue in the PagerDuty, Opsgenie and ServiceNow access
plugins that
* causing duplicate calls on access requests containing duplicate
service names.
* Also increases the timeout so slow external API requests are
less likely to
* fail. #41488.
* Added basic Unix workload attestation to the tbot SPIFFE
workload API. You
* can now restrict the issuance of certain SVIDs to processes
running with a
* certain UID, GID or PID. #41450.
* Added "login failed" audit events for invalid passwords on
password+webauthn
* local authentication. #41432.
* Fixed Terraform provider issue causing the Provision Token
options to default
* to false instead of empty. #41429.
* Added support to automatically download CA for MongoDB Atlas
databases. #41338.
* Fixed broken "finish" web page for SSO Users on auto discover.
#41335.
* Allow setting Kubernetes Cluster name when using non-default
addresses. #41331.
* Added fallback on GetAccessList cache miss call. #41326.
* Fixed DiscoveryService panic when auto-enrolling EKS clusters.
#41320.
* Added validation for application URL extracted from the web
application launcher request route. #41304.
* Allow defining custom database names and users when selecting
wildcard during test connection when enrolling a database
through the web UI. #41301.
* Fixed broken link for alternative EC2 installation during EC2
discover flow. #41292
* Updated Go to v1.21.10. #41281.
* Updated user management to explicitly deny password resets and
local logins to
* SSO users. #41270.
* Fixed fetching suggested access lists with large IDs in
Telepor...
-------------------------------------------------------------------
Wed May 8 10:32:02 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
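Review bot: the hard-wrapping of the "Other fixes and improvements" list turns continuation lines into new bullets, so entries such as `* Fixed access request annotations when annotations contain` / `globs, regular` / `* expressions, trait expansions, or claims_to_roles is used.` and `* Added AWS Management Console as a guided flow using AWS OIDC` / `integration in` / `* the "Enroll New Resource" view in the web UI. #41864.` read as two or three separate items; rejoin each wrapped sentence under a single `*` (the same applies to the tbot socket permissions item, the ProxyCommand item, the PagerDuty/Opsgenie/ServiceNow item and the SPIFFE attestation item). Two further points in the same hunk: the SSO redirect warning ends with "should modify their auth connector configuration as follows:" but the configuration snippet that should follow is absent, leaving the `allowed_https_hostnames` description without the setting it describes, so either restore that snippet from the upstream release notes or drop the "as follows" lead-in; and the entry ends mid-word at `Telepor...`, so the remaining 15.3.x items were cut off and the stray spaces in `didn’ t`, `user’ s` and `wasn’ t` should be cleaned up. Since this release disallows non-localhost SSO callback URLs by default, it is worth keeping that warning paragraph intact and readable for users of `tsh login --callback`.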