Accepting request 1217972 from devel:kubic

OBS-URL: https://build.opensuse.org/request/show/1217972
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/teleport?expand=0&rev=119
Ana Guerrero 2024-10-24 13:44:26 +00:00 committed by Git OBS Bridge
commit 7d36582289
8 changed files with 90 additions and 14 deletions


@ -4,7 +4,7 @@
<param name="scm">git</param>
<param name="submodules">disable</param>
<param name="exclude">.git</param>
<param name="revision">v16.4.3</param>
<param name="revision">v16.4.6</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="changesgenerate">disable</param>
<param name="versionrewrite-pattern">v(.*)</param>
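Review bot: `<param name="revision">v16.4.6</param>` pins a tag name, and a tag can be moved upstream after this source was fetched. The commit it resolved to is recorded elsewhere in this change (`commit: 3104d1ac1ceac0d0405f6a675110f258a67dbb2a`), so either put that hash in `revision` or confirm during review that the tag still points at it.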


@ -1,4 +0,0 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://github.com/gravitational/teleport</param>
<param name="changesrevision">f1ce28f6f67aa2e9f14400785f7a43ec247da995</param></service></servicedata>
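Review bot: the removal of this file is not mentioned in the changelog entry of this request. Its `changesrevision` value (f1ce28f6f67aa2e9f14400785f7a43ec247da995) matches neither the old `commit: d506b628c2d6bc3b3bd257350261713cb4b0df3e` nor the new commit recorded in the metadata hunk, so it was already stale, and `changesgenerate` is set to `disable`, so deleting it looks right. A one-line note in the changelog would document that for the next maintainer.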


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f9003dbd95143e457e013439e5c4b3d0ca95dff2b210fe3e9ba5bf60e2fb93f7
size 280437262

teleport-16.4.6.obscpio Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d04f6e750e15fc695b13560b589b3662409c3d57d6413caf682920e6c25f5f31
size 280200206


@ -1,3 +1,83 @@
-------------------------------------------------------------------
Wed Oct 23 19:59:26 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 16.4.6 (16.4.4 and 16.4.5 do not exist):
* Security Fix - [High] Privilege persistence in Okta SCIM-only
integration
When Okta SCIM-only integration is enabled, in certain cases
Teleport could calculate the effective set of permission based
on SSO user's stale traits. This could allow a user who was
unassigned from an Okta group to log into a Teleport cluster
once with a role granted by the unassigned group being present
in their effective role set.
Note: This issue only affects Teleport clusters that have
installed a SCIM-only Okta integration as described in this
guide. If you have an Okta integration with user sync enabled
or only using Okta SSO auth connector to log into your Teleport
cluster without SCIM integration configured, you're unaffected.
To verify your configuration:
- Use tctl get plugins/okta --format=json | jq
&#34;.[].spec.Settings.okta.sync_settings.sync_users&#34;
command to check if you have Okta integration with user sync
enabled. If it outputs null or false, you may be affected and
should upgrade.
- Check SCIM provisioning settings for the Okta application you
created or updated while following the SCIM-only setup guide.
If SCIM provisioning is enabled, you may be affected and
should upgrade.
We strongly recommend customers who use Okta SCIM integration
to upgrade their auth servers to version 16.3.0 or later.
Teleport services other than auth (proxy, SSH, Kubernetes,
desktop, application, database and discovery) are not impacted
and do not need to be updated.
* Other improvements and fixes
- Added a new teleport_roles_total metric that exposes the
number of roles which exist in a cluster. #47812
- Teleport's Windows Desktop Service now filters domain-joined
Linux hosts out during LDAP discovery. #47773
- The join_token.create audit event has been enriched with
additional metadata. #47765
- Propagate resources configured in teleport-kube-agent chart
values to post-install and post-delete hooks. #47743
- Add support for the Datadog Incident Management plugin helm
chart. #47727
- Automatic device enrollment may be locally disabled using the
TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable.
#47720
- Fixed the Machine ID and GitHub Actions wizard. #47708
- Added migration to update the old import_all_objects database
object import rule to the new preset. #47707
- Alter ServiceAccounts in the teleport-cluster Helm chart to
automatically disable mounting of service account tokens on
newer Kubernetes distributions, helping satisfy security
linters. #47703
- Avoid tsh auto-enroll escalation in machines without a TPM.
#47695
- Fixed a bug that prevented users from canceling tsh scan keys
executions. #47658
- Postgres database session start events now include the
Postgres backend PID for the session. #47643
- Reworked the teleport-event-handler integration to
significantly improve performance, especially when running
with larger --concurrency values. #47633
- Fixes a bug where Let's Encrypt certificate renewal failed in
AMI and HA deployments due to insufficient disk space caused
by syncing audit logs. #47622
- Adds support for custom SQS consumer lock name and disabling
a consumer. #47614
- Fixed an issue that prevented RDS Aurora discovery
configuration in the AWS OIDC enrollment wizard when any
cluster existed without member instances. #47605
- Extend the Datadog plugin to support automatic approvals.
#47602
- Allow using a custom database for Firestore backends. #47583
- Include host name instead of host uuid in error messages when
SSH connections are prevented due to an invalid login. #47578
- Fix the example Terraform code to support the new larger
Teleport Enterprise licenses and updates output of web
address to use fqdn when ACM is disabled. #47512
- Add new tctl subcommands to manage bot instances. #47225
-------------------------------------------------------------------
Fri Oct 18 06:50:44 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
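Review bot: in the security-fix paragraph, "upgrade their auth servers to version 16.3.0 or later" does not fit an entry for the 16.4.3 to 16.4.6 update: if 16.3.0 already carried the fix, the previously packaged 16.4.3 would too. Please check the fixed version against the upstream release notes and state the version this package actually fixes. In the same paragraph the jq filter is written with `&#34;` instead of double quotes, so the verification command cannot be pasted as is; "as described in this guide" has lost its link target; and no CVE or bug reference is given for a fix rated High.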


@ -1,4 +1,4 @@
name: teleport
version: 16.4.3
mtime: 1729078070
commit: d506b628c2d6bc3b3bd257350261713cb4b0df3e
version: 16.4.6
mtime: 1729696164
commit: 3104d1ac1ceac0d0405f6a675110f258a67dbb2a


@ -19,7 +19,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: teleport
Version: 16.4.3
Version: 16.4.6
Release: 0
Summary: Identity-aware, multi-protocol access proxy
License: AGPL-3.0-only


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:79a18db8daa78cf72b6aba9d80e8421c1f334a3883a97b8f8100ca1322b7f7ae
size 46790012
oid sha256:39424da30baf398391dc12e436f37d83947ace81a023f6e2fc251b4b690770e4
size 46776161