@@ -1,3 +1,156 @@
-------------------------------------------------------------------
Thu Jun 5 05:14:08 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 17.5.1 (release 17.5.0 was yanked):
Rerelease of 17.5.0 due to some build issues.
* Azure Console via SAML IdP
Teleport SAML IdP now supports Azure web console as a service
provider.
* Desktop Access in Teleport Connect
Teleport Connect now allows users to connect to Windows
desktops directly from the Teleport Connect application without
needing to use a browser.
* Desktop Access latency detector
Teleport's web UI now shows latency measurements during remote
desktop sessions which indicate both the latency between the
user and the Teleport proxy as well as the latency between the
Teleport proxy and the target host.
* Machine & Workload Identity - Sigstore attestation
Machine & Workload Identity now supports attesting Sigstore
signatures of workloads running on Docker, Podman and
Kubernetes. This allows the issuance of credentials to be
restricted to workloads with container images produced by
legitimate CI/CD systems.
* Azure DevOps joining
Teleport now supports secretless authentication for Bots
running within Azure DevOps pipelines.
* Security fixes
This release also includes fixes for the following security
issues.
These issues are present in previous v17 releases.
Impacted users are recommended to upgrade their auth and proxy
servers to the latest version.
- [High] Unauthorized deletion in AWS IAM Identity Center
integration
- Fixed an issue that allowed unauthenticated access to
delete resources created by Identity Center integration.
#55400
This vulnerability affects all AWS IAM Identity Center
integration users. You can check whether you have AWS
Identity Center integration installed either in the Teleport
web UI under Zero Trust Access / Integrations or by running
“tctl get plugins/aws-identity-center” CLI command.
- [High] Short to long term access escalation in Okta
integration
- Enterprise fix: Verify required Okta OAuth scopes during
plugin creation/update.
In Okta integration configurations with enabled access lists
sync, a user with an approved just-in-time access request to
an Okta application could be unintentionally promoted to an
access list granting access to the same application. This
would result in the access to the Okta app/group persisting
after the access request expiration.
This vulnerability affects Okta integration users who have
access lists sync enabled. You can check whether you have an
Okta integration installed with access lists sync enabled
either in the Teleport web UI under Zero Trust Access /
Integrations page or by running “tctl get plugins/okta” CLI
command and looking at the
“spec.settings.okta.sync_settings.sync_access_lists” flag.
- [High] Credential theft via GitHub SSO authentication flow
- Fix improper redirect URL validation for SSO login which
could be taken advantage of in a phishing attack. #55399
This vulnerability affects GitHub SSO users. You can check
whether you’
Access / Auth Connectors page in Teleport web UI or by
running “tctl get connectors” CLI command against your
cluster.
* Other fixes and improvements
- Allow the ssh_service.listen_addr to forcibly be enabled when
operating in reverse tunnel mode to provide an optional
direct access path to hosts. #54215
- View details for a bot instance. #55347
- Prevent unknown resource kinds from rendering errors in the
web UI. #55208
- View and explore "active" bot instances. #55201
- UI: Access Request reason prompts configured in
Role.spec.options.request_prompt are now displayed in the
reason text box, if such a role is assigned to the user.
#55173
- Okta: Fixed RBAC sync and Access Requests when only App and
Group sync is enabled (no Access Lists sync). #55169
- Fixed tctl rendering of timestamps in BotInstance resource
YAML. #55163
- Fix the impact of malicious --db-user values on PKINIT flow.
#55142
- Fix an issue with Hardware Key Support on Windows where a
command would fail if the PIN prompt was not answered within
5 seconds. #55110
- Fix an issue "Allowed Users" from "tsh db ls" may include
irrelevant entities. #55068
- Updated Web UI, tsh and Connect SSO login to support SAML
http-post binding authentication method. The feature can be
enabled from the SSO connector configuration by adding a new
field as preferred_request_binding: http-post. #55065
- Fix an issue database discovery fails when there are more
than 5 OpenSearch domains. #55058
- Fixed an issue with Device Trust web authentication
redirection that lost the original encoding of SAML
authentication data during service provider initiated SAML
login. #55048
- Fix configured X509 CA override chain not being used by AWS
Roles Anywhere exchange. #54947
- Disabled the "another session is active" prompt when
per-session MFA is enabled, since MFA already enforces user
confirmation when starting a desktop session. #54928
- Added support for desktop access in Teleport Connect. #54926
- Added workload_identity_x509_issuer_override kind to editor
preset role. #54913
- Hardware Key Agent validates known keys by checking active or
expired login session. #54907
- Expose the Teleport service cache health via prometheus
metrics. #54902
- Updated Go to 1.23.9. #54896
- Okta: Fix creating Access Requests for Okta-originated
resources in the legacy okta_service setup. #54876
- Introduced the azure_devops join method to support Bot
joining from the Azure Devops CI/CD platform. #54875
- Add support for exclude filter for AWS IC account and groups
filters. #54835
- Terraform: Fixed Access List resource import. #54802
- Fixed Proxy cache initialization errors in clusters with
large amounts of open web sessions. #54781
- Prevent restrictive validation of cluster auth preferences
from causing non-auth instances to become healthy. #54761
- Improved performance of joining & improved audit log entries
for failed joins. #54747
- Resolved an issue that could cause Teleport Connect to crash
after downgrading from a newer version. #54740
- Reverted the default behavior of the teleport-cluster Helm
chart to use authentication.secondFactor rather than
authentication.secondFactors to avoid incompatibility during
upgrades. #54735
- Workload ID: Added binary_path and binary_hash to the Unix
workload attestor's attributes. #54716
- Includes the attributes used in templating and rule
evaluation within the audit log event for a workload identity
credential issuance. #54714
- Fix an issue with PIV PIN caching where a PIN that is
incorrect would be cached. #54697
- Fix a bug causing a malformed user to break Teleport web UI's
"Users" page. #54681
- Machine ID: Allow --no-oneshot and similar flags to override
config file values. #54651
- Fixed major version check for stateless environment. #54639
- Teleport-update: full support for FIPS agent installations.
#54609
- Added support for SSO MFA as a headless MFA method. #54599
- Fixed an issue preventing connections due to missing client
IPs when using class E address space with GKE or CloudFlare
pseudo IPv4 forward headers. #54597
- Create and edit GitHub join tokens from the Join Tokens page.
#54477
-------------------------------------------------------------------
Wed May 7 04:31:54 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
Git OBS Bridge