diff --git a/_service b/_service
index 16d821a..de686ac 100644
--- a/_service
+++ b/_service
@@ -4,7 +4,7 @@
git
disable
.git
- v15.3.1
+ v15.3.6
@PARENT_TAG@
disable
v(.*)
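Review bot: the revision is still pinned by tag only (`v15.3.6`, matched by the `v(.*)` pattern), and an upstream tag can be moved after the fact; consider pinning the commit hash instead, or at least mention in the changelog which commit the tag resolved to when the service was run (teleport.obsinfo records it), so a later re-run of the service can be compared against it. If the two `disable` values here are service modes, OBS does not run this service itself and the obscpio and vendor archives in this change were generated locally with `osc service runall`, so the build service cannot reproduce them for comparison.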
diff --git a/teleport-15.3.1.obscpio b/teleport-15.3.1.obscpio
deleted file mode 100644
index bf27198..0000000
--- a/teleport-15.3.1.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e814cc9cd92e4009002f962096b6732e3d80c279e0ad1532905ee13c2d203373
-size 254595598
diff --git a/teleport-15.3.6.obscpio b/teleport-15.3.6.obscpio
new file mode 100644
index 0000000..da99487
--- /dev/null
+++ b/teleport-15.3.6.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ba8aaafe8cc6ec931dd644be2d208a461bba6750e2139993dfd1b1fe960e577
+size 249617422
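Review bot: the new archive is about 5 MB smaller than the 15.3.1 one (249617422 vs 254595598 bytes) even though the version moved forward; that is not necessarily wrong, but it is worth a quick check that the `.git` exclusion from `_service` is the only thing left out and that the LFS object with oid 1ba8aaaf... is exactly what `osc service runall` produces from the commit recorded in teleport.obsinfo. Because the obscpio is a Git LFS pointer, the diff cannot show its contents; comparing `sha256sum` of a regenerated cpio against the oid line is the cheapest way to verify it.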
diff --git a/teleport.changes b/teleport.changes
index 7679153..115dfb9 100644
--- a/teleport.changes
+++ b/teleport.changes
@@ -1,3 +1,167 @@
+-------------------------------------------------------------------
+Thu May 23 19:36:32 UTC 2024 - Johannes Kastl
+
+- update to 15.3.6 (no releases between .1 and .6):
+ This release contains fixes for several high-severity security
+ issues, as well as numerous other bug fixes and improvements.
+ Security Fixes
+ * [High] Unrestricted redirect in SSO Authentication
+ Teleport didn’t sufficiently validate the client redirect URL.
+ This could allow an attacker to trick Teleport users into
+ performing an SSO authentication and redirect to an
+ attacker-controlled URL allowing them to steal the credentials.
+ #41834.
+ Warning: Teleport will now disallow non-localhost callback URLs
+ for SSO logins unless otherwise configured. Users of the tsh
+ login --callback feature should modify their auth connector
+ configuration as follows:
+ The allowed_https_hostnames field is an array containing
+ allowed hostnames, supporting glob matching and, if the string
+ begins and ends with ^ and $ respectively, full regular
+ expression syntax. Custom callback URLs are required to be
+ HTTPS on the standard port (443).
+ * [High] CockroachDB authorization bypass
+ When connecting to CockroachDB using Database Access, Teleport
+ did not properly consider the username case when running RBAC
+ checks. As such, it was possible to establish a connection
+ using an explicitly denied username when using a different
+ case. #41823.
+ * [High] Long-lived connection persistence issue with expired
+ certificates
+ Teleport did not terminate some long-running mTLS-authenticated
+ connections past the expiry of client certificates for users
+ with the disconnect_expired_cert option. This could allow such
+ users to perform some API actions after their certificate has
+ expired. #41827.
+ * [High] PagerDuty integration privilege escalation
+ When creating a role access request, Teleport would include
+ PagerDuty annotations from the entire user’s role set rather
+ than a specific role being requested. For users who run
+ multiple PagerDuty access plugins with auto-approval, this
+ could result in a request for a different role being
+ inadvertently auto-approved than the one which corresponds to
+ the user’s active on-call schedule. #41837.
+ * [High] SAML IdP session privilege escalation
+ When using Teleport as SAML IdP, authorization wasn’t properly
+ enforced on the SAML IdP session creation. As such,
+ authenticated users could use an internal API to escalate their
+ own privileges by crafting a malicious program. #41846.
+ We strongly recommend all customers upgrade to the latest
+ releases of Teleport.
+ Other fixes and improvements
+ * Fixed access request annotations when annotations contain
+ globs, regular
+ * expressions, trait expansions, or claims_to_roles is used.
+ #41936.
+ * Added AWS Management Console as a guided flow using AWS OIDC
+ integration in
+ * the "Enroll New Resource" view in the web UI. #41864.
+ * Fixed spurious Windows Desktop sessions screen resize during an
+ MFA ceremony. #41856.
+ * Fixed session upload completion with large number of
+ simultaneous session
+ * uploads. #41854.
+ * Fixed MySQL databases version reporting on new connections.
+ #41819.
+ * Added read-only permissions for cluster maintenance config.
+ #41790.
+ * Stripped debug symbols from Windows builds, resulting in
+ smaller tsh and
+ * tctl binaries. #41787
+ * Fixed passkey deletion so that a user may now delete their last
+ passkey if
+ * the have a password and another MFA configured. #41771.
+ * Changed the default permissions for the Workload Identity Unix
+ socket to 0777
+ * rather than the default as applied by the umask. This will
+ allow the socket to
+ * be accessed by workloads running as users other than the user
+ that owns the
+ * tbot process. #41754
+ * Added ability for teleport-event-handler to skip certain events
+ type when
+ * forwarding to an upstream server. #41747.
+ * Added automatic GCP label importing. #41733.
+ * Fixed missing variable and script options in Default Agentless
+ Installer
+ * script. #41723.
+ * Removed invalid AWS Roles from Web UI picker. #41707.
+ * Added remote address to audit log events emitted when a Bot or
+ Instance join
+ * completes, successfully or otherwise. #41700.
+ * Simplified how Bots are shown on the Users list page. #41697.
+ * Added improved-performance implementation of ProxyCommand for
+ Machine ID and
+ * SSH. This will become the default in v16. You can adopt this
+ new mode early by
+ * setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
+ * Improved EC2 Auto Discovery by adding the SSM script output and
+ more explicit
+ * error messages. #41664.
+ * Added webauthn diagnostics commands to tctl. #41643.
+ * Upgraded application heartbeat service to support 1000+ dynamic
+ applications. #41626
+ * Fixed issue where Kubernetes watch requests are written out of
+ order. #41624.
+ * Fixed a race condition triggered by a reload during Teleport
+ startup. #41592.
+ * Updated discover wizard Install Script to support Ubuntu 24.04.
+ #41589.
+ * Fixed systemd unit to always restart Teleport on failure unless
+ explicitly stopped. #41581.
+ * Updated Teleport package installers to reload Teleport service
+ config after
+ * upgrades. #41547.
+ * Fixed file truncation bug in Desktop Directory Sharing. #41540.
+ * Fixed WebUI SSH connection leak when browser tab closed during
+ SSH connection
+ * establishment. #41518.
+ * Fixed AccessList reconciler comparison causing audit events
+ noise. #41517.
+ * Added tooling to create SCIM integrations in tctl. #41514.
+ * Fixed Windows Desktop error preventing rendering of the remote
+ session. #41498.
+ * Fixed issue in the PagerDuty, Opsgenie and ServiceNow access
+ plugins that
+ * causing duplicate calls on access requests containing duplicate
+ service names.
+ * Also increases the timeout so slow external API requests are
+ less likely to
+ * fail. #41488.
+ * Added basic Unix workload attestation to the tbot SPIFFE
+ workload API. You
+ * can now restrict the issuance of certain SVIDs to processes
+ running with a
+ * certain UID, GID or PID. #41450.
+ * Added "login failed" audit events for invalid passwords on
+ password+webauthn
+ * local authentication. #41432.
+ * Fixed Terraform provider issue causing the Provision Token
+ options to default
+ * to false instead of empty. #41429.
+ * Added support to automatically download CA for MongoDB Atlas
+ databases. #41338.
+ * Fixed broken "finish" web page for SSO Users on auto discover.
+ #41335.
+ * Allow setting Kubernetes Cluster name when using non-default
+ addresses. #41331.
+ * Added fallback on GetAccessList cache miss call. #41326.
+ * Fixed DiscoveryService panic when auto-enrolling EKS clusters.
+ #41320.
+ * Added validation for application URL extracted from the web
+ application launcher request route. #41304.
+ * Allow defining custom database names and users when selecting
+ wildcard during test connection when enrolling a database
+ through the web UI. #41301.
+ * Fixed broken link for alternative EC2 installation during EC2
+ discover flow. #41292
+ * Updated Go to v1.21.10. #41281.
+ * Updated user management to explicitly deny password resets and
+ local logins to
+ * SSO users. #41270.
+ * Fixed fetching suggested access lists with large IDs in
+ Telepor...
+
-------------------------------------------------------------------
Wed May 8 10:32:02 UTC 2024 - Johannes Kastl
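Review bot: the entry is cut off mid-word at its last bullet ("Fixed fetching suggested access lists with large IDs in Telepor...") so the changelog ends incomplete; finish that line, and any bullets that followed it in the upstream release notes, before merging. Two smaller issues in the same entry: wrapped continuation lines were given their own `*` prefix (for example "* expressions, trait expansions, or claims_to_roles is used." and "* tctl binaries. #41787" continue the preceding bullet rather than starting a new item), which makes the list read as roughly twice as many fixes as there are; and the SSO warning tells users of `tsh login --callback` to "modify their auth connector configuration as follows:" but the configuration snippet showing `allowed_https_hostnames` was not carried over, so the instruction dangles. "if the have a password" should read "if they have a password". The five security fixes are referenced by PR number only; if upstream published advisory identifiers for them, adding those would make the entry searchable.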
diff --git a/teleport.obsinfo b/teleport.obsinfo
index 3f90acf..69d88b5 100644
--- a/teleport.obsinfo
+++ b/teleport.obsinfo
@@ -1,4 +1,4 @@
name: teleport
-version: 15.3.1
-mtime: 1715102625
-commit: 1d048d0736fcb65b65bc513e328d7c98cbfe3d23
+version: 15.3.6
+mtime: 1716463822
+commit: 51cbf3516d3e8287c835fd130975e345023a0b67
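Review bot: since `_service` pins by tag, the recorded commit 51cbf3516d3e8287c835fd130975e345023a0b67 is the value to check against upstream's tag (`git rev-parse v15.3.6^{}` in a fresh clone of the teleport repository); the mtime 1716463822 falls on 23 May 2024 UTC, consistent with the changelog timestamp, so the archive was generated on the day of the entry. This file is written by obs_scm, so nothing to change here if the commit matches.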
diff --git a/teleport.spec b/teleport.spec
index 8a883b0..812414c 100644
--- a/teleport.spec
+++ b/teleport.spec
@@ -19,7 +19,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: teleport
-Version: 15.3.1
+Version: 15.3.6
Release: 0
Summary: Identity-aware, multi-protocol access proxy
License: Apache-2.0
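Review bot: only `Version` moves, and `Release: 0` is correct because OBS assigns the release number. One thing to double-check outside this hunk: the changelog says Go was updated to 1.21.10 (#41281), so if the spec carries a minimum Go version in its `BuildRequires` (for example a `golang(API)` requirement), confirm it still satisfies what 15.3.6's go.mod requires; otherwise nothing further is needed here.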
diff --git a/vendor.tar.gz b/vendor.tar.gz
index c4ba43f..7caba45 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:071908d927dc750188fbaa72449b14818421077e8cd076806323f4099001a2bc
-size 44979903
+oid sha256:d25db75467482225fcd91b410728c1295ee7dff72ad73c5c97b642a8730d4b34
+size 43831217
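Review bot: vendor.tar.gz is replaced wholesale (new oid d25db754..., about 1.1 MB smaller) with no note of how it was produced; the vendored Go modules are the part of this package most exposed to supply-chain substitution, so record in the changelog (or in `_service`, if a `go_modules`-style service generates it) how the tarball was built, for example `go mod vendor` run at the commit listed in teleport.obsinfo, and verify its module set against upstream's go.sum before accepting it. The shrink is plausible for a jump of five patch versions but cannot be checked from the LFS pointer alone, which only proves that a blob with that oid was uploaded, not what it contains.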