Accepting request 1245815 from devel:kubic

OBS-URL: https://build.opensuse.org/request/show/1245815
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/teleport?expand=0&rev=134

_service

@@ -4,7 +4,7 @@
     <param name="scm">git</param>
     <param name="submodules">disable</param>
     <param name="exclude">.git</param>
-    <param name="revision">v17.2.1</param>
+    <param name="revision">v17.2.7</param>
     <param name="match-tag">v*</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="versionrewrite-pattern">v(.*)</param>

teleport-17.2.1.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2104b2a6d9809d65fa0ca61775ea848af27c1e5cb4574a855c27844d74c6cf41
-size 267328526

teleport-17.2.7.obscpio

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e476bfea5ee17a45bca6f269013709ed4b9d11df05028ac20266e7de17e75d6a
+size 270554126

teleport.changes

@@ -1,3 +1,103 @@
+-------------------------------------------------------------------
+Fri Feb 14 07:16:38 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 17.2.7 (there are no releases between 17.2.1 and this):
+  * Security Fixes
+    - Fixed security issue with arbitrary file reads on SSH nodes.
+      #52136
+    - Verify that cluster name of TLS peer certs matches the
+      cluster name of the CA that issued it to prevent Auth
+      bypasses. #52130
+    - Reject authentication attempts from remote identities in the
+      git forwarder. #52126
+  * Other fixes and improvements
+    - Added an escape hatch to allow non-FIPS AWS endpoints on FIPS
+      binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #52069
+    - Fixed Postgres database access control privileges
+      auto-provisioning to grant USAGE on schemas as needed for
+      table privileges and fixed an issue that prevented user
+      privileges from being revoked at the end of their session in
+      some cases. #52047
+    - Updated OpenSSL to 3.0.16. #52037
+    - Added ability to disable path-style S3 access for third-party
+      endpoints. #52009
+    - Fixed displaying Access List form when request reason is
+      required. #51998
+    - Fixed a bug in the WebUI where file transfers would always
+      prompt for MFA, even when not required. #51962
+    - Reduced CPU consumption required to map roles between
+      clusters and perform trait to role resolution. #51935
+    - Client tools managed updates require a base URL for the
+      open-source build type. #51931
+    - Fixed an issue leaf AWS console app shows "not found" error
+      when root cluster has an app of the same name. #51928
+    - Added securityContext value to the tbot Helm chart. #51907
+    - Fixed an issue where required apps wouldn't be authenticated
+      when launching an application from outside the Teleport Web
+      UI. #51873
+    - Prevent Teleport proxy failing to initialize when listener
+      address's host component is empty. #51864
+    - Fixed connecting to Apps in a leaf cluster when Per-session
+      MFA is enabled. #51853
+    - Updated Go to 1.23.6. #51835
+    - Fixed bug where role max_duration is not respected unless
+      request max_duration is set. #51821
+    - Improved instance.join event error messaging. #51779
+    - Teleport agents always create the debug.sock UNIX socket. The
+      configuration field debug_service.enabled now controls if the
+      debug and metrics endpoints are available via the UNIX
+      socket. #51771
+    - Backport new Azure integration functionality to v17, which
+      allows the Discovery Service to fetch Azure resources and
+      send them to the Access Graph. #51725
+    - Added support for caching Microsoft Remote Desktop Services
+      licenses. #51684
+    - Added Audit Log statistics to tctl top. #51655
+    - Redesigned the profile switcher in Teleport Connect for a
+      more intuitive experience. Clusters now have distinct colors
+      for easier identification, and readability is improved by
+      preventing truncation of long user and cluster names. #51654
+    - Fixed a regression that caused the Kubernetes Service to
+      reuse expired tokens when accessing EKS, GKE and AKS clusters
+      using dynamic credentials. #51652
+    - Fixes issue where the Postgres backend would drop App Access
+      events. #51643
+    - Fixed a rare crash that can happen with malformed SAML
+      connector. #51634
+    - Fixed occasional Web UI session renewal issues (reverts
+      "Avoid tight renewals for sessions with short TTL"). #51601
+    - Introduced tsh workload-identity issue-x509 as the
+      replacement to tsh svid issue and which is compatible with
+      the new WorkloadIdentity resource. #51597
+    - Machine ID's new kubernetes/v2 service supports access to
+      multiple Kubernetes clusters by name or label without needing
+      to issue new identities. #51535
+    - Quoted the KUBECONFIG environment variable output by the tsh
+      proxy kube command. #51523
+    - Fixed a bug where performing an admin action in the WebUI
+      would hang indefinitely instead of getting an actionable
+      error if the user has no MFA devices registered. #51513
+    - Added support for continuous profile collection with
+      Pyroscope. #51477
+    - Added support for customizing the base URL for downloading
+      Teleport packages used in client tools managed updates.
+      #51476
+    - Improved handling of client session termination during
+      Kubernetes Exec sessions. The disconnection reason is now
+      accurately returned for cases such as certificate expiration,
+      forced lock activation, or idle timeout. #51454
+    - Fixed an issue that prevented IPs provided in the
+      X-Forwarded-For header from being honored in some scenarios
+      when TrustXForwardedFor is enabled. #51416
+    - Added support for multiple active CAs in the /auth/export
+      endpoint. #51415
+    - Fixed integrations status page in WebUI. #51404
+    - Fixed a bug in GKE auto-discovery where the process failed to
+      discover any clusters if the identity lacked permissions for
+      one or more detected GCP project IDs. #51399
+    - Introduced the new workload_identity resource for configuring
+      Teleport Workload Identity. #51288
+
 -------------------------------------------------------------------
 Mon Jan 27 16:41:22 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
 

teleport.obsinfo

@@ -1,4 +1,4 @@
 name: teleport
-version: 17.2.1
+version: 17.2.7
-mtime: 1737590419
+mtime: 1739488591
-commit: 1d267b0f953085ca36f8379a2be90bdf9f51fbdb
+commit: 0f26fcd238c6d5a969ae5c8e7fa1de9aadbc0fff

teleport.spec

@@ -17,7 +17,7 @@
 
 
 Name:           teleport
-Version:        17.2.1
+Version:        17.2.7
 Release:        0
 Summary:        Identity-aware, multi-protocol access proxy
 License:        AGPL-3.0-only

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ff8574dd745c55507dcd71047d3cf0cf6b705689205ce7d457189bd163ed2c4f
+oid sha256:a41a92bf291c01076b59ed5120c799a14971c857c35ea14178ad819042ca4532
-size 52610033
+size 52739970

vendor.tar.zst

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:425413c90e880cfeb5bc2aa2dc398cdd587feeb8236bc83c9f0b1301a568f26e
+oid sha256:849c43cb38ad0e8fd3eee4c05ea6e320e4fb3a3dc96484ef84c4024501b8180c
-size 730414
+size 732674