diff --git a/_service b/_service index ab81ce9..36f9b43 100644 --- a/_service +++ b/_service @@ -4,7 +4,7 @@ git disable .git - v16.4.3 + v16.4.6 @PARENT_TAG@ disable v(.*) diff --git a/_servicedata b/_servicedata deleted file mode 100644 index 39090a4..0000000 --- a/_servicedata +++ /dev/null @@ -1,4 +0,0 @@ - - - https://github.com/gravitational/teleport - f1ce28f6f67aa2e9f14400785f7a43ec247da995 \ No newline at end of file diff --git a/teleport-16.4.3.obscpio b/teleport-16.4.3.obscpio deleted file mode 100644 index 64c6f00..0000000 --- a/teleport-16.4.3.obscpio +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f9003dbd95143e457e013439e5c4b3d0ca95dff2b210fe3e9ba5bf60e2fb93f7 -size 280437262 diff --git a/teleport-16.4.6.obscpio b/teleport-16.4.6.obscpio new file mode 100644 index 0000000..1c87d45 --- /dev/null +++ b/teleport-16.4.6.obscpio @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d04f6e750e15fc695b13560b589b3662409c3d57d6413caf682920e6c25f5f31 +size 280200206 diff --git a/teleport.changes b/teleport.changes index f6eff7b..30eb590 100644 --- a/teleport.changes +++ b/teleport.changes 
@@ -1,3 +1,83 @@ +------------------------------------------------------------------- +Wed Oct 23 19:59:26 UTC 2024 - Johannes Kastl + +- update to 16.4.6 (16.4.4 and 16.4.5 do not exist): + * Security Fix - [High] Privilege persistence in Okta SCIM-only + integration + When Okta SCIM-only integration is enabled, in certain cases + Teleport could calculate the effective set of permission based + on SSO user's stale traits. This could allow a user who was + unassigned from an Okta group to log into a Teleport cluster + once with a role granted by the unassigned group being present + in their effective role set. + Note: This issue only affects Teleport clusters that have + installed a SCIM-only Okta integration as described in this + guide. If you have an Okta integration with user sync enabled + or only using Okta SSO auth connector to log into your Teleport + cluster without SCIM integration configured, you're unaffected. + To verify your configuration: + - Use tctl get plugins/okta --format=json | jq + ".[].spec.Settings.okta.sync_settings.sync_users" + command to check if you have Okta integration with user sync + enabled. If it outputs null or false, you may be affected and + should upgrade. + - Check SCIM provisioning settings for the Okta application you + created or updated while following the SCIM-only setup guide. + If SCIM provisioning is enabled, you may be affected and + should upgrade. + We strongly recommend customers who use Okta SCIM integration + to upgrade their auth servers to version 16.3.0 or later. + Teleport services other than auth (proxy, SSH, Kubernetes, + desktop, application, database and discovery) are not impacted + and do not need to be updated. + * Other improvements and fixes + - Added a new teleport_roles_total metric that exposes the + number of roles which exist in a cluster. #47812 + - Teleport's Windows Desktop Service now filters domain-joined + Linux hosts out during LDAP discovery. 
#47773 + - The join_token.create audit event has been enriched with + additional metadata. #47765 + - Propagate resources configured in teleport-kube-agent chart + values to post-install and post-delete hooks. #47743 + - Add support for the Datadog Incident Management plugin helm + chart. #47727 + - Automatic device enrollment may be locally disabled using the + TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. + #47720 + - Fixed the Machine ID and GitHub Actions wizard. #47708 + - Added migration to update the old import_all_objects database + object import rule to the new preset. #47707 + - Alter ServiceAccounts in the teleport-cluster Helm chart to + automatically disable mounting of service account tokens on + newer Kubernetes distributions, helping satisfy security + linters. #47703 + - Avoid tsh auto-enroll escalation in machines without a TPM. + #47695 + - Fixed a bug that prevented users from canceling tsh scan keys + executions. #47658 + - Postgres database session start events now include the + Postgres backend PID for the session. #47643 + - Reworked the teleport-event-handler integration to + significantly improve performance, especially when running + with larger --concurrency values. #47633 + - Fixes a bug where Let's Encrypt certificate renewal failed in + AMI and HA deployments due to insufficient disk space caused + by syncing audit logs. #47622 + - Adds support for custom SQS consumer lock name and disabling + a consumer. #47614 + - Fixed an issue that prevented RDS Aurora discovery + configuration in the AWS OIDC enrollment wizard when any + cluster existed without member instances. #47605 + - Extend the Datadog plugin to support automatic approvals. + #47602 + - Allow using a custom database for Firestore backends. #47583 + - Include host name instead of host uuid in error messages when + SSH connections are prevented due to an invalid login. 
#47578 + - Fix the example Terraform code to support the new larger + Teleport Enterprise licenses and updates output of web + address to use fqdn when ACM is disabled. #47512 + - Add new tctl subcommands to manage bot instances. #47225 + ------------------------------------------------------------------- Fri Oct 18 06:50:44 UTC 2024 - Johannes Kastl diff --git a/teleport.obsinfo b/teleport.obsinfo index a556818..782f249 100644 --- a/teleport.obsinfo +++ b/teleport.obsinfo @@ -1,4 +1,4 @@ name: teleport -version: 16.4.3 -mtime: 1729078070 -commit: d506b628c2d6bc3b3bd257350261713cb4b0df3e +version: 16.4.6 +mtime: 1729696164 +commit: 3104d1ac1ceac0d0405f6a675110f258a67dbb2a diff --git a/teleport.spec b/teleport.spec index eb678d4..c384ea0 100644 --- a/teleport.spec +++ b/teleport.spec @@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: teleport -Version: 16.4.3 +Version: 16.4.6 Release: 0 Summary: Identity-aware, multi-protocol access proxy License: AGPL-3.0-only diff --git a/vendor.tar.gz b/vendor.tar.gz index b40e34c..f308924 100644 --- a/vendor.tar.gz +++ b/vendor.tar.gz @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:79a18db8daa78cf72b6aba9d80e8421c1f334a3883a97b8f8100ca1322b7f7ae -size 46790012 +oid sha256:39424da30baf398391dc12e436f37d83947ace81a023f6e2fc251b4b690770e4 +size 46776161
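Review bot: the _servicedata hunk deletes the file that recorded the upstream URL (https://github.com/gravitational/teleport) and the previously packaged commit, and the new teleport.changes entry does not mention the removal. If dropping it is intentional, add a line to the changelog saying so. Otherwise, regenerate it so that it records the same commit teleport.obsinfo now carries (3104d1ac1ceac0d0405f6a675110f258a67dbb2a).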
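Review bot: in the teleport.changes hunk, the security entry advises users to "upgrade their auth servers to version 16.3.0 or later", yet the same entry lists the fix under the update to 16.4.6, so the stated minimum version predates the release that announces the fix. Please check that number against the upstream release notes and either correct it or make clear which version first contains the fix, since readers will use this line to decide whether they are patched. Two smaller points in the same entry: "as described in this guide" has lost its link target in the plain-text changelog and should name the guide or carry its URL, and the tctl verification command is wrapped across two lines, so it cannot be copied as one command. The entry also carries no CVE or bug tracker reference for a fix rated High; add one if it exists.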
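Review bot: the teleport-16.4.6.obscpio and vendor.tar.gz hunks change only Git LFS pointers (oid sha256 and size), so nothing in the diff ties the new archives to the tagged source. Please confirm in the submission that the obscpio was produced from commit 3104d1ac1ceac0d0405f6a675110f258a67dbb2a as recorded in teleport.obsinfo, and that vendor.tar.gz was regenerated from that same tree rather than carried over. The changelog gives no reason for the vendor archive changing (46790012 to 46776161 bytes), so a one-line note there would help.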