Accepting request 1176537 from home:ojkastl_buildservice:Branch_devel_kubic

update to 15.3.6

OBS-URL: https://build.opensuse.org/request/show/1176537
OBS-URL: https://build.opensuse.org/package/show/devel:kubic/teleport?expand=0&rev=212

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="submodules">disable</param>
     <param name="exclude">.git</param>
-    <param name="revision">v15.3.1</param>
+    <param name="revision">v15.3.6</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">disable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

teleport-15.3.1.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e814cc9cd92e4009002f962096b6732e3d80c279e0ad1532905ee13c2d203373
-size 254595598

teleport-15.3.6.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ba8aaafe8cc6ec931dd644be2d208a461bba6750e2139993dfd1b1fe960e577
+size 249617422

teleport.changes

@@ -1,3 +1,167 @@
+-------------------------------------------------------------------
+Thu May 23 19:36:32 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 15.3.6 (no releases between .1 and .6):
+  This release contains fixes for several high-severity security
+  issues, as well as numerous other bug fixes and improvements.
+  Security Fixes
+  * [High] Unrestricted redirect in SSO Authentication
+    Teleport didn’t sufficiently validate the client redirect URL.
+    This could allow an attacker to trick Teleport users into
+    performing an SSO authentication and redirect to an
+    attacker-controlled URL allowing them to steal the credentials.
+    #41834.
+    Warning: Teleport will now disallow non-localhost callback URLs
+    for SSO logins unless otherwise configured. Users of the tsh
+    login --callback feature should modify their auth connector
+    configuration as follows:
+    The allowed_https_hostnames field is an array containing
+    allowed hostnames, supporting glob matching and, if the string
+    begins and ends with ^ and $ respectively, full regular
+    expression syntax. Custom callback URLs are required to be
+    HTTPS on the standard port (443).
+  * [High] CockroachDB authorization bypass
+    When connecting to CockroachDB using Database Access, Teleport
+    did not properly consider the username case when running RBAC
+    checks. As such, it was possible to establish a connection
+    using an explicitly denied username when using a different
+    case. #41823.
+  * [High] Long-lived connection persistence issue with expired
+    certificates
+    Teleport did not terminate some long-running mTLS-authenticated
+    connections past the expiry of client certificates for users
+    with the disconnect_expired_cert option. This could allow such
+    users to perform some API actions after their certificate has
+    expired. #41827.
+  * [High] PagerDuty integration privilege escalation
+    When creating a role access request, Teleport would include
+    PagerDuty annotations from the entire user’s role set rather
+    than a specific role being requested. For users who run
+    multiple PagerDuty access plugins with auto-approval, this
+    could result in a request for a different role being
+    inadvertently auto-approved than the one which corresponds to
+    the user’s active on-call schedule. #41837.
+  * [High] SAML IdP session privilege escalation
+    When using Teleport as SAML IdP, authorization wasn’t properly
+    enforced on the SAML IdP session creation. As such,
+    authenticated users could use an internal API to escalate their
+    own privileges by crafting a malicious program. #41846.
+    We strongly recommend all customers upgrade to the latest
+    releases of Teleport.
+  Other fixes and improvements
+  * Fixed access request annotations when annotations contain
+    globs, regular
+  * expressions, trait expansions, or claims_to_roles is used.
+    #41936.
+  * Added AWS Management Console as a guided flow using AWS OIDC
+    integration in
+  * the "Enroll New Resource" view in the web UI. #41864.
+  * Fixed spurious Windows Desktop sessions screen resize during an
+    MFA ceremony. #41856.
+  * Fixed session upload completion with large number of
+    simultaneous session
+  * uploads. #41854.
+  * Fixed MySQL databases version reporting on new connections.
+    #41819.
+  * Added read-only permissions for cluster maintenance config.
+    #41790.
+  * Stripped debug symbols from Windows builds, resulting in
+    smaller tsh and
+  * tctl binaries. #41787
+  * Fixed passkey deletion so that a user may now delete their last
+    passkey if
+  * the have a password and another MFA configured. #41771.
+  * Changed the default permissions for the Workload Identity Unix
+    socket to 0777
+  * rather than the default as applied by the umask. This will
+    allow the socket to
+  * be accessed by workloads running as users other than the user
+    that owns the
+  * tbot process. #41754
+  * Added ability for teleport-event-handler to skip certain events
+    type when
+  * forwarding to an upstream server. #41747.
+  * Added automatic GCP label importing. #41733.
+  * Fixed missing variable and script options in Default Agentless
+    Installer
+  * script. #41723.
+  * Removed invalid AWS Roles from Web UI picker. #41707.
+  * Added remote address to audit log events emitted when a Bot or
+    Instance join
+  * completes, successfully or otherwise. #41700.
+  * Simplified how Bots are shown on the Users list page. #41697.
+  * Added improved-performance implementation of ProxyCommand for
+    Machine ID and
+  * SSH. This will become the default in v16. You can adopt this
+    new mode early by
+  * setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694.
+  * Improved EC2 Auto Discovery by adding the SSM script output and
+    more explicit
+  * error messages. #41664.
+  * Added webauthn diagnostics commands to tctl. #41643.
+  * Upgraded application heartbeat service to support 1000+ dynamic
+    applications. #41626
+  * Fixed issue where Kubernetes watch requests are written out of
+    order. #41624.
+  * Fixed a race condition triggered by a reload during Teleport
+    startup. #41592.
+  * Updated discover wizard Install Script to support Ubuntu 24.04.
+    #41589.
+  * Fixed systemd unit to always restart Teleport on failure unless
+    explicitly stopped. #41581.
+  * Updated Teleport package installers to reload Teleport service
+    config after
+  * upgrades. #41547.
+  * Fixed file truncation bug in Desktop Directory Sharing. #41540.
+  * Fixed WebUI SSH connection leak when browser tab closed during
+    SSH connection
+  * establishment. #41518.
+  * Fixed AccessList reconciler comparison causing audit events
+    noise. #41517.
+  * Added tooling to create SCIM integrations in tctl. #41514.
+  * Fixed Windows Desktop error preventing rendering of the remote
+    session. #41498.
+  * Fixed issue in the PagerDuty, Opsgenie and ServiceNow access
+    plugins that
+  * causing duplicate calls on access requests containing duplicate
+    service names.
+  * Also increases the timeout so slow external API requests are
+    less likely to
+  * fail. #41488.
+  * Added basic Unix workload attestation to the tbot SPIFFE
+    workload API. You
+  * can now restrict the issuance of certain SVIDs to processes
+    running with a
+  * certain UID, GID or PID. #41450.
+  * Added "login failed" audit events for invalid passwords on
+    password+webauthn
+  * local authentication. #41432.
+  * Fixed Terraform provider issue causing the Provision Token
+    options to default
+  * to false instead of empty. #41429.
+  * Added support to automatically download CA for MongoDB Atlas
+    databases. #41338.
+  * Fixed broken "finish" web page for SSO Users on auto discover.
+    #41335.
+  * Allow setting Kubernetes Cluster name when using non-default
+    addresses. #41331.
+  * Added fallback on GetAccessList cache miss call. #41326.
+  * Fixed DiscoveryService panic when auto-enrolling EKS clusters.
+    #41320.
+  * Added validation for application URL extracted from the web
+    application launcher request route. #41304.
+  * Allow defining custom database names and users when selecting
+    wildcard during test connection when enrolling a database
+    through the web UI. #41301.
+  * Fixed broken link for alternative EC2 installation during EC2
+    discover flow. #41292
+  * Updated Go to v1.21.10. #41281.
+  * Updated user management to explicitly deny password resets and
+    local logins to
+  * SSO users. #41270.
+  * Fixed fetching suggested access lists with large IDs in
+    Telepor...
+
 -------------------------------------------------------------------
 Wed May  8 10:32:02 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
 

teleport.obsinfo

@@ -1,4 +1,4 @@
 name: teleport
-version: 15.3.1
+version: 15.3.6
-mtime: 1715102625
+mtime: 1716463822
-commit: 1d048d0736fcb65b65bc513e328d7c98cbfe3d23
+commit: 51cbf3516d3e8287c835fd130975e345023a0b67

teleport.spec

@@ -19,7 +19,7 @@
 %define __arch_install_post export NO_BRP_STRIP_DEBUG=true
 
 Name:           teleport
-Version:        15.3.1
+Version:        15.3.6
 Release:        0
 Summary:        Identity-aware, multi-protocol access proxy
 License:        Apache-2.0

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:071908d927dc750188fbaa72449b14818421077e8cd076806323f4099001a2bc
+oid sha256:d25db75467482225fcd91b410728c1295ee7dff72ad73c5c97b642a8730d4b34
-size 44979903
+size 43831217