Update module github.com/gravitational/teleport/api to v14 #24

Merged

renovate[bot] commented Oct 23, 2023

This PR contains the following updates:

Package: github.com/gravitational/teleport/api
Type: require
Update: major
Change: v0.0.0-20230607072028-2f3f42ef14ad -> v14.2.3

Release Notes

gravitational/teleport (github.com/gravitational/teleport/api)

v14.2.3: Teleport 14.2.3

Description

  • Prevent Cloud tenants from being a leaf cluster. #​35687
  • Added "Show All Labels" button in the unified resources list view. #​35666
  • Added auto approval flow to servicenow plugin. #​35658
  • Added guided SAML entity descriptor creation when entity descriptor XML is not yet available. #​35657
  • Added a connection test when enrolling a new Connect My Computer resource in Web UI. #​35649
  • Fixed regression of Kubernetes Server Address when Teleport runs in multiplex mode. #​35633
  • When using the Slack plugin, users will now be notified directly of access requests and their approvals or denials. #​35577
  • Fixed bug where configuration errors with an individual SSO connector impacted other connectors. #​35576
  • Fixed client IP propagation from the Proxy to the Auth during IdP initiated SSO. #​35545

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

v14.2.2: Teleport 14.2.2

Description

  • Prevent panic when dialing a deleted Application Server. #​35525
  • Fixed regression issue with arm32 binaries in 14.2.1 having higher glibc requirements. #​35539
  • Fixed GCP VM auto-discovery not using instances' internal IP address. #​35521
  • Calculate latency of Web SSH sessions and report it to users. #​35516
  • Fixed issue where bots were unable to view or approve access requests. #​35512
  • Fix querying of large audit events with Athena backend. #​35483
  • Fix panic on potential nil value when requesting /webapi/presetroles. #​35463
  • Add insecure-drop host user creation mode. #​35403
  • IAM permissions for rds:DescribeDBProxyTargets are no longer required for RDS Proxy discovery. #​35389
  • Update Go to 1.21.5. #​35371
  • Desktop connections default to RDP port 3389 if not otherwise specified. #​35343
  • Add cluster_auth_preferences to the shortcuts for cluster_auth_preference. #​35329
  • Make the podSecurityPolicy configurable in the teleport-kube-agent chart. #​35320
  • Prevent EKS fetcher not having correct IAM permissions from stopping whole Discovery service start up. #​35319
  • Add database automatic user provisioning support for self-hosted MongoDB. #​35317
  • Improve the resilience of tbot to misconfiguration of auth connectors when generating a Kubernetes output. #​35309
  • Fix crash when writing kubeconfig with tctl auth sign --tar. #​34874

v14.2.1: Teleport 14.2.1

Description

  • Fixed issue that could cause app and desktop session recording events to be written to the audit log. #​35183
  • Fixed a possible panic when downgrading Teleport roles to older versions. #​35236
  • Fixed a regression issue where tsh db connect to Redis 7 fails with an error on REDIS_REPLY_STATUS. #​35162
  • Allow Teleport to complete abandoned uploads faster in HA deployments. #​35102
  • Fixed error when installing a v13 node with the default installer from a v14 cluster. #​35058
  • Fixed issue with the absence of membership expiry circumventing membership requirements check. #​35057
  • Added read verb to suggested role spec when enrolling new resources. #​35053
  • Added more new "Enroll Integration" tiles for Machine ID guides. #​35050
  • Fixed default installer yum error on RHEL and Amazon Linux. #​35021
  • External Audit Storage enables Cloud customers to store Audit Logs and Session Recordings in their own AWS account. #​35008
  • Fixed IP propagation for nodes/bots joining the cluster and add LoginIP to bot certificates. #​34958
  • Fixed an issue where tsh db connect <mongodb> did not give a reason on connection errors. #​34910
  • Updated distroless images to use Debian 12. #​34878
  • Added new email-based UI for inviting new local users on Teleport Cloud clusters. #​34869
  • Fixed an issue where "Allowed Users" in "tsh db ls" showed the wrong user for databases with Automatic User Provisioning enabled. #​34850
  • Fixed issue with application access requests and web UI large file downloads timing out after 30 seconds. #​34849
  • Added default database support for PostgreSQL auto-user provisioning. #​34840
  • Machine ID: handle kernel version check failing more gracefully. #​34828

v14.2.0: Teleport 14.2.0

Description

New Features
Advanced Okta Integration (Enterprise Edition only)

Teleport will be able to automatically create an SSO connector and sync users when configuring the Okta integration.

Connect my Computer support in Web UI

The Teleport web UI will provide a guided flow for joining your computer to the Teleport cluster using Teleport Connect.

Dynamic credential reloading for plugins

Teleport plugins will support dynamic credential reloading, allowing them to take advantage of short-lived (and frequently rotated) credentials generated by Machine ID.

Fixes and Improvements
  • Access list review reminders will now be sent via Slack #​34663
  • Improve the error message when attempting to enroll a hardware key that cannot support passwordless #​34589
  • Allow selecting multiple resource filters in the search bar in Connect #​34543
  • Added a guided flow for joining your computer to the Teleport cluster using Teleport Connect; find it in the Web UI under Enroll New Resource -> Connect My Computer (available only for local users, with prerequisites) #​33688

v14.1.5: Teleport 14.1.5

Description

  • Increased the maximum width of the console tabs in the web UI. #​34648
  • Fixed accessing dedicated Proxy Kubernetes port when TLS routing is enabled. #​34645
  • Fixed tsh --piv-slot custom PIV slot setting for Hardware Key Support. #​34592
  • Disabled AWS IMDSv1 fallback and enforced use of FIPS endpoints in FIPS mode. #​34433
  • Fixed incorrect permissions when opening X11 listener. #​34617
  • Prevented .tsh/environment values from overriding prior set values. #​34626
  • Changed access lists to respect user locking. #​34620
  • Fixed access requests to respect explicit deny rules. #​34600
  • Added Teleport Access Graph integration. #​34569
  • Fixed cleanup of unused GCP KMS keys. #​34468
  • Added list view option to the unified resources page. #​34466
  • Fixed duplicate entries in resources view when updating nodename #​34236 #​34453
  • Allow configuring cluster_networking_config and cluster_auth_preference via --bootstrap. #​34445
  • Fixed tsh logout with broken key directory. #​34435
  • Added binary formatted parameters as base64 encoded strings to PostgreSQL Statement Bind audit log events. #​34432
  • Reduced CPU & memory usage, and logging in the operator, by reusing connections to Teleport. #​34425
  • Updated the code signing certificate for Windows artifacts. #​34377
  • Added IAM Authentication support for Amazon MemoryDB Access. #​34348
  • Split large desktop recordings into multiple files during export. #​34319
  • Allow setting server labels from tctl. #​34137

v14.1.4

v14.1.3: Teleport 14.1.3

Description

This release contains two security fixes, plus numerous other fixes and improvements.

Security Fixes
[Medium] Arbitrary code execution with LD_PRELOAD and SFTP

Teleport implements SFTP using a subcommand. Prior to this release it was
possible to inject environment variables into the execution of this
subcommand, via shell init scripts or via the SSH environment request.

This is addressed by preventing LD_PRELOAD and other dangerous environment
variables from being forwarded during re-exec.

#​3274
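
The fix described above comes down to scrubbing loader-controlling variables from the environment before the privileged subcommand is re-executed. The following Go program is an added illustration of that defensive step, not Teleport's own code: the deny list (LD_PRELOAD, LD_LIBRARY_PATH, LD_AUDIT, DYLD_INSERT_LIBRARIES and anything else under the LD_/DYLD_ prefixes), the FilterEnv and reexec names and the sample environment are all constructed for the example.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Exact variable names that change dynamic-loader behaviour and must never
// reach a re-executed privileged subcommand. Illustrative deny list, not
// Teleport's own.
var deniedEnv = map[string]bool{
	"LD_PRELOAD":            true,
	"LD_LIBRARY_PATH":       true,
	"LD_AUDIT":              true,
	"DYLD_INSERT_LIBRARIES": true,
}

// Anything else in the loader's namespace is dropped as well, so a variable
// missing from the exact list above cannot slip through.
var deniedPrefixes = []string{"LD_", "DYLD_"}

// FilterEnv returns a copy of env without loader-controlling variables.
// Entries are "KEY=VALUE" strings as returned by os.Environ(); an entry with
// no "=" is treated as a bare key.
func FilterEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		key, _, _ := strings.Cut(kv, "=")
		if deniedEnv[key] || hasDeniedPrefix(key) {
			continue
		}
		out = append(out, kv)
	}
	return out
}

func hasDeniedPrefix(key string) bool {
	for _, p := range deniedPrefixes {
		if strings.HasPrefix(key, p) {
			return true
		}
	}
	return false
}

// reexec prepares the subcommand (the same binary, re-invoked with args)
// with an explicitly filtered environment instead of inheriting os.Environ().
func reexec(args []string, env []string) *exec.Cmd {
	cmd := exec.Command(os.Args[0], args...)
	cmd.Env = FilterEnv(env)
	return cmd
}

func main() {
	// Constructed sample environment resembling what a shell init script or an
	// SSH "env" request could have injected ahead of the re-exec.
	env := []string{
		"PATH=/usr/bin",
		"LD_PRELOAD=/tmp/injected.so",
		"HOME=/home/alice",
		"LD_LIBRARY_PATH=/tmp",
	}
	cmd := reexec([]string{"sftp"}, env)
	fmt.Println(cmd.Env) // [PATH=/usr/bin HOME=/home/alice]
}
```

Setting cmd.Env explicitly matters: when it is nil, os/exec hands the child the parent's full environment, which is exactly the path the advisory describes.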

[Medium] Outbound SSH from Proxy can lead to IP spoofing

If the Teleport auth or proxy services are configured to accept PROXY
protocol headers, a malicious actor can use this to spoof their IP address.

This is addressed by requiring that the first bytes of any SSH connection are
the SSH protocol prefix, denying a malicious actor the opportunity to send their
own proxy headers.

#​33729

Other Fixes & Improvements
  • Fixed issue where tbot would select the wrong address for Kubernetes Access when in ports separate mode #​34283
  • Added post-review state of Access Request in audit log description #​34213
  • Updated Operator Reconciliation to skip Teleport Operator on status updates #​34194
  • Updated Kube Agent Auto-Discovery to install the Teleport version provided by Automatic Upgrades #​34157
  • Updated Server Auto-Discovery installer script to use bash instead of sh #​34144
  • When a promotable Access Request targets a resource that belongs to an Access List, owners of that list will now automatically be added as reviewers. #​34131
  • Added Database Automatic User Provisioning support for Redshift #​34126
  • Added teleport_auth_type config parameter to the AWS Terraform examples #​34124
  • Fixed issue where an auto-provisioned PostgreSQL user may keep old roles indefinitely #​34121
  • Fixed incorrectly set file mode for Windows TPM files #​34113
  • Added dynamic credential reloading for access plugins #​34079
  • Fixed Azure Identity federated Application ID #​33960
  • Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #​33950
  • Added support for formatting hostname as host:port to tsh puttyconfig #​33883
  • Added support for --set-context-name to tsh proxy kube
  • Fixed various Access List bookkeeping issues #​33834
  • Fixed issue where tsh aws ecs execute-command would always fail #​33833
  • Updated UI to automatically redirect to login page on missing session cookie #​33806
  • Added Dynamic Discovery matching for Databases #​33693
  • Fixed formatting errors on empty result sets in tsh #​33633
  • Added Database Automatic User Provisioning support for MariaDB #​34256
  • Fixed issue where MySQL auto-user deletion fails on usernames with quotes #​34304

labels: security-patch=yes

v14.1.2

v14.1.1: Teleport 14.1.1

Description

  • Fixed the top bar breaking layout when the window is narrow in Connect #​33821
  • Limited Snowflake decompressed request to 10MB #​33764
  • Added MySQL auto-user deletion #​33710
  • Configured Connect to intercept deep link clicks #​33684
  • Added URL and SAML connector name in entity descriptor URL errors #​33667
  • Added the ability to run a specific tool to Assist. #​33640
  • Added PostgreSQL auto-user deletion #​33570
  • Added DiscoveryConfig CRUD operations #​33380

v14.1.0: Teleport 14.1.0

New features
  • Teleport Connect 14.1 introduces Connect My Computer which makes it possible to add your personal machine to a Teleport cluster in just a couple of clicks. Whether you're exploring capabilities of Teleport or want to make your computer available in your private cluster, Connect My Computer lets you do that without having to use the terminal to get the job done. Docs: https://goteleport.com/docs/connect-your-client/teleport-connect/#connect-my-computer
  • Resource pinning allows you to pin your most frequently accessed resources to a separate page for easy access.
  • Access Monitoring provides a view of risky accounts access and access anti-patterns in clusters using Athena as the audit log backend.
  • Users can connect to EC2 instances via AWS EC2 Instance Connect endpoints without needing to install Teleport agents.
  • Access list owners will be able to perform regular periodic reviews of the access list members.
Security fixes
  • Updated golang.org/x/net dependency. #​33420
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated google.golang.org/grpc to v1.57.1. #​33487
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated OpenTelemetry dependency. #​33523 #​33550
    • OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142
  • Updated babel/core to 7.3.2. #​33441
    • Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133
Other fixes and improvements
  • Web SSH sessions are terminated right away when a user closes the tab. #​33529
  • Added the ability for bots to submit access request reviews. #​33509
  • Added access review notifications when logging in via tsh or running tsh status. #​33468
  • Added database automatic user provisioning support for MySQL. #​33379
  • Added job to update the Teleport version for deployments in Amazon ECS used during RDS Enrollment. #​33313
  • Fixed Teleport Assist SQL view names. #​33581
  • Fixed hardware key support for sso web login. #​33548
  • Fixed access lists to allow them to affect access request permissions. #​33350
  • Prevented remote proxies from impersonating users from different clusters. #​33539
  • Added link to access request in ServiceNow incidents. #​33593
  • Added new "Identity Governance & Security" navigation section in web UI. #​33423
  • Fixed tsh connection issue when Proxy is in separate mode and Web port is TLS-terminated by a load balancer. #​32531 #​33406
  • Fixed panic when trying to register resources from older Kubernetes clusters with extensions/v1beta1 group/version. #​33402
  • Fixed access list audit log messages to properly include user names. #​33383
  • Added notification icon to Web UI to show Access List review notifications. #​33381
  • Fixed creation of @teleport-access-approver role to v6 to support downgrades to Teleport 13. #​33354
  • Added ability to specify PIV slot for hardware key support. #​33352 #​33353
  • Extended timeout when waiting for hardware key touch/PIN. #​33348
  • Added support for Windows AD root domain for PKI operations. #​33275
  • Added resources to Slack notification of Access Requests. #​33264
  • Fixed provision tokens to make system roles case-insensitive. #​33260

labels: security-patch=yes

v14.0.3: Teleport 14.0.3

Description

This release of Teleport contains one security fix, and various other updates.

Security Fixes
[Critical] Privilege escalation through RecursiveChown

When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to chown arbitrary files on the system.

Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.

#​33248

Other Fixes
  • Fixed spurious timeouts in Database Access Sessions #​32720
  • Azure VM auto-discovery can now find VMs with multiple managed identities #​32800
  • Fixed improperly set Kubernetes impersonation headers #​32848
  • tsh puttyconfig now uses Validity format for WinSCP compatibility #​32856
  • Teleport client now uses gRPC when connecting to the root cluster #​32662
  • Teleport client now uses gRPC when creating tracing client #​32663
  • Fixed panic on tsh device enroll --current-device #​32756
  • The Teleport etcd backend will now start if some nodes are unreachable #​32779
  • Fixed certificate verification issues when using kubectl exec #​32768
  • Added Discover flow for enrolling EC2 Instances with EICE #​32760
  • Added connection information to multiplexer logs #​32738
  • Fixed issue causing keys to be incorrectly removed in tsh and Teleport Connect on Windows #​32963
  • Improved Unified Resource Cache performance #​33027
  • Adds Audit Review recurrence presets #​32960
  • Fixed multiple discovery install attempts on Azure & GCP VMs #​32569
  • Fixed a corner case of privilege tokens where MFA devices disabled by cluster settings were still counted against the user #​32430
  • Fixed Access List caching & eventing issues #​32649
  • Fixed user session tracking across trusted clusters #​32967
  • Added cost optimized pagination search for athena #​33007
  • Teleport now reports initial command to session moderators #​33112
  • OneOff install script now installs enterprise Teleport when generated by an enterprise cluster #​33148
  • Fixed issue when playing back a session recorded on a leaf cluster #​33102
  • Fixed self-signed certificate issue on macOS #​33156
  • Discovery EC2 instance listing now shows instance name #​33179
  • Fixed HTTP connection hijack issue when using tsh proxy kube #​33172
  • Improved error messaging in tsh kube credentials when root cluster roles don't allow Kube access #​33210

v14.0.1: Teleport 14.0.1

Description

  • Fixed issue where Teleport Connect Kube terminal throws an internal server error #​32612
  • Fixed create_host_user_mode issue with TeleportRole in the Teleport Operator CRDs #​32557
  • Fixed issue that allowed for duplicate Access List owners #​32481
  • Removed unnecessary permission requirement from PostgreSQL backend #​32474
  • Added feature allowing for managing host sudoers without also creating users #​32400
  • Fixed dynamic labels not being present on server access audit events #​32382
  • Added PostHog events for discovered Kubernetes Apps #​32379
  • Fixed issue where changing the cluster name leads to cluster being unaccessible #​32352
  • Added additional logging for when the Teleport process file is not accessible due to a permission issue upon startup #​32348
  • Fixed issue where the teleport-kube-agent Helm chart would create the same ServiceAccount multiple times #​32338
  • Fixed GCP VM auto-discovery bugs #​32316
  • Added Access List usage events #​32297
  • Allowed for including only traits when doing a JWT rewrite for web application access #​32291
  • Added IneligibleStatus fields for access list members and owners #​32278
  • Fixed issue where the auth server was listed twice in the inventory of connected resources #​32270
  • Added three second shutdown delay on SIGINT/SIGTERM #​32189
  • Add initial ServiceNow plugin #​32131

v14.0.0: Teleport 14.0.0

Description

Teleport 14 brings the following new major features and improvements:

  • Access lists
  • Unified resource view
  • ClickHouse support for database access
  • Advanced audit log
  • Kubernetes apps auto-discovery
  • Extended Kubernetes per-resource RBAC
  • Oracle database access audit logging support
  • Enhanced PuTTY support
  • Support for TLS routing in Terraform deployment examples
  • Discord and ServiceNow hosted plugins
  • Limited passwordless access for local Windows users in OSS Teleport
  • Machine ID: Kubernetes Secret destination

In addition, this release includes several changes that affect existing functionality listed in the “Breaking changes” section below. Users are advised to review them before upgrading.

New Features

Advanced audit log

Teleport 14 includes support for a new audit log powered by Amazon S3 and Athena that supports efficient searching, sorting, and filtering operations. Teleport Cloud customers will have their audit log automatically migrated to this new backend.

See the documentation here.

Access lists

Teleport 14 introduces foundational support for access lists, an extension to the short-lived access requests system targeted towards longer-term access. Administrators can add users to access lists granting them long-term permissions within the cluster.

As the feature is being developed, future Teleport releases will add support for periodic audit reviews and deeper integration of access lists with Okta.

You can find existing access lists documentation here.

Unified resources view

The web UI in Teleport 14 has been updated to show all resources in a single unified view.

This is the first step in a series of changes designed to support a customizable Teleport experience and make it easier to access the resources that are most important to you.

Kubernetes apps auto-discovery

Teleport 14 updates its auto-discovery capabilities with support for web applications in Kubernetes clusters. When connected to a Kubernetes cluster (or deployed as a Helm chart), Teleport discovery service will automatically find and enroll web applications for use with app access.

See documentation here.

Extended Kubernetes per-resource RBAC

Teleport 14 extends resource-based access requests to support more Kubernetes resources than just pods, including custom resources, and verbs. Note that this feature requires role version v7.

See Kubernetes resources documentation to see a full list of supported resources.

ClickHouse support for database access

Teleport 14 adds database access support for ClickHouse HTTP and native (TCP) protocols. When using HTTP protocol, the user's query activity is captured in the Teleport audit log.

See how to connect ClickHouse to Teleport here.

Oracle database access audit logging support

In Teleport 14, database access for Oracle integration is updated with query audit logging support.

See documentation on how to configure it in the Oracle guide.

Limited passwordless access for local Windows users in OSS Teleport

In Teleport 14, access to Windows desktops with local Windows users has been extended to Community Edition. Teleport will permit users to register and connect to up to 5 desktops with local users without an enterprise license.

For more information on using Teleport with local Windows users, see docs.

Discord and ServiceNow hosted plugins

Teleport 14 includes support for hosted Discord and ServiceNow plugins. Teleport Cloud users can configure Discord and ServiceNow integrations to receive access request notifications.

Discord plugin is available now, ServiceNow is coming in 14.0.1.

Enhanced PuTTY Support

tsh on Windows now supports the tsh puttyconfig command, which can easily configure saved sessions inside the well-known PuTTY client to connect to Teleport SSH services.

For more information, see docs.

Support for TLS routing in Terraform deployment examples

The ha-autoscale-cluster and starter-cluster Terraform deployment examples now support a USE_TLS_ROUTING variable to enable TLS routing inside the deployed Teleport cluster.

Machine ID: Kubernetes Secret destination

In Teleport 14, tbot can now be configured to write artifacts such as credentials and configuration files directly to a Kubernetes secret rather than a directory on the local file system. This allows other services to more easily consume the credentials output by tbot.

For more information, see docs.

Breaking changes and deprecations

Please familiarize yourself with the following potentially disruptive changes in Teleport 14 before upgrading.

SSH node open dial no longer supported

Teleport 14 no longer allows connecting to OpenSSH servers not registered with the cluster. Follow the updated agentless OpenSSH integration guide to register your OpenSSH nodes in the cluster’s inventory.

You can set TELEPORT_UNSTABLE_UNLISTED_AGENT_DIALING=yes environment variable on Teleport proxy to temporarily re-enable the open dial functionality. The environment variable will be removed in Teleport 15.

Proxy protocol default change

Starting from version 14, Teleport will require users to explicitly enable or disable PROXY protocol in their proxy_service/auth_service configuration using proxy_protocol: on|off option.

Users who run their proxies behind L4 load balancers with PROXY protocol enabled should set proxy_protocol: on. Users who don't run Teleport behind PROXY-protocol-enabled load balancers should explicitly set proxy_protocol: off for security reasons.

By default, Teleport will accept the PROXY line but will refuse connections for which IP pinning is enabled. Users of IP pinning will need to explicitly enable or disable proxy protocol as explained above.

See more details in our documentation.
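
Two passages in these notes concern the same listener decision: the 14.1.3 security fix that requires the first bytes of an SSH connection to be the SSH protocol prefix, and the proxy_protocol: on|off option above. The Go program below is an added example of how a listener can combine the two, written for this page and not taken from Teleport: the ProxyMode values, the Accept and parseProxyV1 functions, the ConnInfo struct and the sample stream are all constructed, and the on/off/unset behaviour is a model of the notes' description, not the actual implementation. It peeks at the stream, allows at most one PROXY v1 line, insists on "SSH-" immediately after it, and marks the client IP as untrusted when the option is unset so that IP pinning cannot rely on it.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net"
	"strings"
)

// ProxyMode mirrors the proxy_protocol option; ProxyUnset models the option
// being omitted (the default described in the release notes).
type ProxyMode int

const (
	ProxyUnset ProxyMode = iota
	ProxyOn
	ProxyOff
)

// ConnInfo is what the listener learns before handing the stream to the SSH
// server: which IP to attribute the session to, and whether that IP can be
// relied on for IP pinning.
type ConnInfo struct {
	ClientIP   string
	IPVerified bool
}

// Accept requires the stream to start either with the SSH identification
// prefix or with exactly one PROXY v1 line followed by that prefix. Anything
// else is refused before any SSH processing happens. peerIP is the
// transport-level peer address.
func Accept(r *bufio.Reader, peerIP string, mode ProxyMode) (ConnInfo, error) {
	head, err := r.Peek(6) // "PROXY " is 6 bytes, "SSH-" is 4
	if len(head) < 4 {
		return ConnInfo{}, fmt.Errorf("connection too short: %v", err)
	}
	if bytes.HasPrefix(head, []byte("SSH-")) {
		// No PROXY line: the transport peer is the client itself.
		return ConnInfo{ClientIP: peerIP, IPVerified: true}, nil
	}
	if !bytes.HasPrefix(head, []byte("PROXY ")) {
		return ConnInfo{}, fmt.Errorf("first bytes %q are not an SSH prefix", head)
	}
	if mode == ProxyOff {
		return ConnInfo{}, fmt.Errorf("PROXY line received but proxy_protocol is off")
	}
	line, err := r.ReadString('\n')
	if err != nil {
		return ConnInfo{}, fmt.Errorf("reading PROXY line: %w", err)
	}
	src, err := parseProxyV1(line)
	if err != nil {
		return ConnInfo{}, err
	}
	// After the single PROXY line the SSH prefix must follow immediately, so a
	// peer cannot send a second header to override the load balancer's.
	next, _ := r.Peek(4)
	if !bytes.HasPrefix(next, []byte("SSH-")) {
		return ConnInfo{}, fmt.Errorf("bytes after PROXY line %q are not an SSH prefix", next)
	}
	// With the option unset the header is honoured for attribution only;
	// with proxy_protocol: on the operator has vouched for the load balancer.
	return ConnInfo{ClientIP: src, IPVerified: mode == ProxyOn}, nil
}

// parseProxyV1 extracts the source address from
// "PROXY TCP4 <src> <dst> <sport> <dport>".
func parseProxyV1(line string) (string, error) {
	f := strings.Fields(line)
	if len(f) != 6 || f[0] != "PROXY" || (f[1] != "TCP4" && f[1] != "TCP6") {
		return "", fmt.Errorf("malformed PROXY line %q", line)
	}
	if net.ParseIP(f[2]) == nil {
		return "", fmt.Errorf("bad source address %q in PROXY line", f[2])
	}
	return f[2], nil
}

// IPPinningAllowed: a session with IP pinning may only proceed on an IP the
// listener actually verified.
func IPPinningAllowed(info ConnInfo) bool { return info.IPVerified }

func main() {
	// Constructed sample stream: one PROXY line from an L4 load balancer, then SSH.
	sample := "PROXY TCP4 203.0.113.5 10.0.0.1 4000 3022\r\nSSH-2.0-client\r\n"
	for _, m := range []ProxyMode{ProxyUnset, ProxyOn, ProxyOff} {
		info, err := Accept(bufio.NewReader(strings.NewReader(sample)), "10.0.0.9", m)
		fmt.Printf("mode=%d info=%+v pinning=%v err=%v\n", m, info, IPPinningAllowed(info), err)
	}
}
```

The point of the unset mode is visible in the output: the header is parsed and the address recorded, but IPPinningAllowed stays false, which is why IP-pinning users must choose on or off explicitly.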

Legacy deb/rpm package repositories are deprecated

Teleport 14 will be the last release published to the legacy package repositories at deb.releases.teleport.dev and rpm.releases.teleport.dev. Starting with Teleport 15, packages will only be published to the new repositories at apt.releases.teleport.dev and yum.releases.teleport.dev.

All users are recommended to switch to apt.releases.teleport.dev and yum.releases.teleport.dev repositories as described in installation instructions.

Cf-Access-Token header no longer included with app access requests

Starting from Teleport 14, the Cf-Access-Token header containing the signed JWT token will no longer be included by default with all app access requests. All requests will still include Teleport-JWT-Assertion containing the JWT token.

See documentation for details on how to inject the JWT token into any header using header rewriting.

tsh db CLI commands changes

In Teleport 14 tsh db sub-commands will attempt to select a default value for --db-user or --db-name flags if they are not provided by the user by examining their allowed db_users and db_names.

The flags --cert-file and --key-file for tsh proxy db command were also removed, in favor of the --tunnel flag that opens an authenticated local database proxy.

MongoDB versions prior to 3.6 are no longer supported

Teleport 14 includes an update to the MongoDB driver.

Due to the MongoDB team dropping support for servers prior to version 3.6 (which reached EOL on April 30, 2021), Teleport also will no longer be able to support these old server versions.

Symlinks for ~/.tsh/environment no longer supported

In order to strengthen the security in Teleport 14, file loading from home directories where the path includes a symlink is no longer allowed. The most common use case for this is loading environment variables from the ~/.tsh/environment file. This will still work normally as long as the path includes no symlinks.
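
The symlink rule above is easy to get subtly wrong (checking only the final file, or following links while checking). As an added example, not Teleport's own code, the Go program below walks every path component under the home directory with Lstat, which does not follow links, before reading ~/.tsh/environment; CheckNoSymlinks, LoadEnvFile and ErrSymlinkInPath are names chosen for this illustration, and the KEY=VALUE file format it parses is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrSymlinkInPath is returned when any path component below the home
// directory is a symbolic link.
var ErrSymlinkInPath = errors.New("path contains a symlink")

// CheckNoSymlinks verifies every component of path that lies below base using
// Lstat (which does not follow links). base itself is trusted and not checked;
// a path outside base is refused outright.
func CheckNoSymlinks(base, path string) error {
	rel, err := filepath.Rel(base, path)
	if err != nil {
		return err
	}
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return fmt.Errorf("%q is not inside %q", path, base)
	}
	cur := base
	for _, part := range strings.Split(rel, string(filepath.Separator)) {
		cur = filepath.Join(cur, part)
		fi, err := os.Lstat(cur)
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s", ErrSymlinkInPath, cur)
		}
	}
	return nil
}

// LoadEnvFile reads KEY=VALUE lines (assumed format) from
// <home>/.tsh/environment, refusing the file when .tsh or environment is a
// symlink. Blank lines and # comments are skipped.
func LoadEnvFile(home string) (map[string]string, error) {
	path := filepath.Join(home, ".tsh", "environment")
	if err := CheckNoSymlinks(home, path); err != nil {
		return nil, err
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	env := map[string]string{}
	for _, line := range strings.Split(string(data), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if k, v, ok := strings.Cut(line, "="); ok {
			env[k] = v
		}
	}
	return env, nil
}

func main() {
	// Constructed demo: a home directory whose .tsh is a symlink is refused.
	home, _ := os.MkdirTemp("", "tsh-demo")
	defer os.RemoveAll(home)
	real := filepath.Join(home, "elsewhere")
	os.MkdirAll(real, 0o700)
	os.WriteFile(filepath.Join(real, "environment"), []byte("FOO=bar\n"), 0o600)
	os.Symlink(real, filepath.Join(home, ".tsh"))
	_, err := LoadEnvFile(home)
	fmt.Println("symlinked .tsh:", err)
}
```

Lstat-then-read still leaves a small window in which a component could be swapped for a link; on Linux, opening with openat2 and RESOLVE_NO_SYMLINKS closes that window, at the cost of portability.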

Deprecated audit event

Teleport 14 deprecates the trusted_cluster_token.create audit event, replacing it with a new join_token.create event. The new event is emitted when any join token is created, whether it be for trusted clusters or other Teleport services.

Teleport 14 will emit both events when a trusted cluster join token is created. Starting in Teleport 15, the trusted_cluster_token.create event will no longer be emitted.

Other changes

DynamoDB billing mode defaults to on-demand

In Teleport 14, when creating new DynamoDB tables, Teleport will now create them with the billing mode set to pay_per_request instead of being set to provisioned mode.

The old behavior can be restored by setting the billing_mode option in the storage configuration.

Default role version is v7

The default role version in Teleport 14 is v7, which enables support for extended Kubernetes per-resource RBAC and changes the kubernetes_resources default to a wildcard for a better getting-started experience.

You can review role versions in the documentation.

Stricter name validation for auto-discovered databases

In Teleport 14, database discovery via db_service config enforces the same name validation as for databases created via tctl, static config, and discovery_service.

As such, database names in AWS, GCP and Azure must start with a letter, contain only letters, digits, and hyphens and end with a letter or digit (no trailing hyphens).
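
Because a name that fails this rule is silently skipped by discovery, an operator wants to know which rule it tripped. The Go program below is an added example implementing the stated validation with a reason for each rejection; ValidateDatabaseName and FilterDiscovered are names chosen for this page, not Teleport's own functions, and the sample names are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// ValidateDatabaseName applies the rule from the release notes (leading
// letter; letters, digits and hyphens only; no trailing hyphen) and reports
// the first violation. Letters and digits are ASCII-only on purpose.
func ValidateDatabaseName(name string) error {
	if name == "" {
		return errors.New("name is empty")
	}
	if !isLetter(rune(name[0])) {
		return fmt.Errorf("must start with a letter, got %q", rune(name[0]))
	}
	for i, r := range name {
		if !isLetter(r) && !isDigit(r) && r != '-' {
			return fmt.Errorf("invalid character %q at position %d", r, i)
		}
	}
	if name[len(name)-1] == '-' {
		return errors.New("must not end with a hyphen")
	}
	return nil
}

func isLetter(r rune) bool { return (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') }
func isDigit(r rune) bool  { return r >= '0' && r <= '9' }

// FilterDiscovered mimics the discovery step: names that fail validation are
// returned with their reason instead of being registered.
func FilterDiscovered(names []string) (accepted []string, rejected map[string]string) {
	rejected = map[string]string{}
	for _, n := range names {
		if err := ValidateDatabaseName(n); err != nil {
			rejected[n] = err.Error()
			continue
		}
		accepted = append(accepted, n)
	}
	return accepted, rejected
}

func main() {
	// Constructed sample of names a cloud account might expose.
	names := []string{"prod-db-1", "a", "1staging", "analytics_rw", "reporting-", "ops.db"}
	ok, bad := FilterDiscovered(names)
	fmt.Println("registered:", ok)
	for n, why := range bad {
		fmt.Printf("skipped %q: %s\n", n, why)
	}
}
```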

Access Request API changes

Teleport 14 introduces a new and more secure API for submitting access requests. As a result, tsh users may be prompted to upgrade their clients before submitting an access request.

Desktop discovery name change

Desktops discovered via LDAP will have a short suffix appended to their name to ensure uniqueness. Users will notice duplicate desktops (with and without the suffix) for up to an hour after upgrading. Connectivity to desktops will not be affected, and the old record will naturally expire after 1 hour.

Machine ID: New configuration schema

Teleport 14 introduces a new configuration schema (v2) for Machine ID’s agent tbot. The new schema is designed to be simpler, more explicit and more extensible:

version: v2
onboarding:
 token: gcp-bot
 join_method: gcp
storage:
 type: memory
auth_server: example.teleport.sh:443
outputs:
 - type: identity
   destination:
     type: kubernetes_secret
     name: my-secret

 - type: kubernetes
   kubernetes_cluster: my-cluster
   destination:
     type: directory
     path: ./k8s

 - type: database
   service: my-postgres-service
   database: postgres
   username: postgres
   destination:
     type: directory
     path: ./db

 - type: application
   app_name: my-app
   destination:
     type: directory
     path: ./app

tbot will continue to support the v1 schema for several Teleport versions but it is recommended that you migrate to v2 as soon as possible to benefit from new Machine ID features.

For more details and guidance on how to upgrade to v2, see docs.

v13.4.11: Teleport 13.4.11

Description

  • Prevent Cloud tenants from being a leaf cluster. #​35688
  • Fixed regression of Kubernetes Server Address when Teleport runs in multiplex mode. #​35634
  • Fixed bug where configuration errors with an individual SSO connector impacted other connectors. #​35575
  • Fixed GCP VM auto-discovery not using instances' internal IP address. #​35522
  • Fixed bot being unable to view or approve access requests issue. #​35511
  • Fixed panic on potential nil value when requesting /webapi/presetroles. #​35462
  • Properly identify the Teleport user responsible for modifying user resources. #​35450
  • Added insecure-drop host user creation mode. #​35404
  • Updated Go to 1.20.12. #​35372
  • Desktop connections default to RDP port 3389 if not otherwise specified. #​35344
  • Added cluster_auth_preferences to the shortcuts for cluster_auth_preference. #​35328
  • Prevent EKS fetcher not having correct IAM permissions from stopping whole Discovery service start up. #​35323
  • Added email-based credential reset UI for Cloud users. #​35239
  • Fixed a possible panic when downgrading Teleport Roles to older versions. #​35237
  • OSS Teleport packages will now be published to OS package repos when private releases are cut. #​35224
  • Improved streaming event handling for Kubernetes API by flushing response after each event, ensuring complete, well-formed chunks. #​35196
  • Updated Teleport distroless OCI images to Debian 12. #​35111
  • Fixed FIPS distroless OCI image to run with the --fips flag. #​35111
  • Allow Teleport to complete abandoned uploads faster in HA deployments. #​35103
  • Added new email-based UI for inviting new local users on Teleport Cloud clusters. #​35076
  • Fixed issue with the absence of membership expiry circumventing membership requirements check. #​35056
  • Added read verb to suggested role spec when enrolling new resources. #​35052
  • Fixed tsh db connect <mongodb> to give a reason on connection errors. #​34909
  • Fixed an issue where "Allowed Users" in "tsh db ls" showed the wrong user for databases with Automatic User Provisioning enabled. #​34851
  • Override the version of tsh kubectl with the upstream kubectl version used. #​34826

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

v13.4.10: Teleport 13.4.10

Compare Source

Description

  • Device trust data is now collected concurrently on Windows #​34838
  • Fixed crash when writing kubeconfig with tctl auth sign --tar #​34822
  • Multiple resource filters can now be selected in the search bar in Teleport Connect #​34544

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

v13.4.9: Teleport 13.4.9

Compare Source

Description

  • Increased the maximum width of the console tabs in the web UI. #​34650
  • Prevented .tsh/environment values from overriding prior set values. #​34625
  • Fixed incorrect permissions when opening X11 listener. #​34616
  • Changed access lists to respect user locking. #​34619
  • Fixed access requests to respect explicit deny rules. #​34603
  • Improved the error message when attempting to enroll a hardware key that cannot support passwordless. #​34590
  • Fixed cleanup of unused GCP KMS keys. #​34469
  • Added binary formatted parameters as base64 encoded strings to PostgreSQL Statement Bind audit log events. #​34434
  • Reduced CPU & memory usage, and logging in the operator, by reusing connections to Teleport. #​34431
  • Updated the code signing certificate for Windows artifacts. #​34378
  • Added IAM Authentication support for Amazon MemoryDB Access. #​34357
  • Split large desktop recordings into multiple files during export. #​34320

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

v13.4.8

Compare Source

v13.4.7: Teleport 13.4.7

Compare Source

Description

This release contains two security fixes, plus numerous other fixes and improvements.

Security Fixes

[Medium] Arbitrary code execution with LD_PRELOAD and SFTP

Teleport implements SFTP using a subcommand. Prior to this release it was
possible to inject environment variables into the execution of this
subcommand, via shell init scripts or via the SSH environment request.

This is addressed by preventing LD_PRELOAD and other dangerous environment
variables from being forwarded during re-exec.

#​34275

[Medium] Outbound SSH from Proxy can lead to IP spoofing

If the Teleport auth or proxy services are configured to accept PROXY
protocol headers, a malicious actor can use this to spoof their IP address.

This is addressed by requiring that the first bytes of any SSH connection are
the SSH protocol prefix, denying a malicious actor the opportunity to send their
own proxy headers.

#​33730

Other Fixes & Improvements

  • Updated Operator Reconciliation to skip Teleport Operator on status updates #​34196
  • Updated Kube Agent Auto-Discovery to install the Teleport version provided by Automatic Upgrades #​34158
  • Updated Server Auto-Discovery installer script to use bash instead of sh #​34143
  • When a promotable Access Request targets a resource that belongs to an Access List, owners of that list will now automatically be added as reviewers. #​34130
  • Fixed issue where an auto-provisioned PostgreSQL user may keep old roles indefinitely #​34120
  • Fixed incorrectly set file mode for Windows TPM files #​34114
  • Fixed Azure Identity federated Application ID #​33959
  • Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #​33951
  • Added support for formatting hostname as host:port to tsh puttyconfig #​33884
  • Fixed various Access List bookkeeping issues #​33835
  • Fixed issue where tsh aws ecs execute-command would always fail #​33832

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

labels: security-patch=yes

v13.4.6

Compare Source

v13.4.5: Teleport 13.4.5

Compare Source

Description

  • Fixed the top bar breaking layout when the window is narrow in Connect #​33822
  • Web UI will now redirect to login upon missing session cookie #​33807
  • Limited Snowflake decompressed request size to 10MB #​33763
  • Added URL and SAML connector name in entity descriptor URL errors #​33668
  • Updated tsh to accept --proxy values with https:// prefixes #​33647

Enhanced PuTTY/WinSCP Support

tsh on Windows now supports the tsh puttyconfig command, which can easily configure saved sessions inside the well-known PuTTY and WinSCP clients to connect to Teleport SSH services.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

v13.4.4: Teleport 13.4.4

Compare Source

Description

  • Prevented remote proxies from impersonating users from different clusters. #​33540
  • Web SSH sessions are terminated right away when a user closes the tab. #​33532
  • Added the ability for bots to submit access request reviews. #​33510
  • Added access review notifications when logging in via tsh or running tsh status. #​33469
  • Added optional security group selection in AWS RDS Discovery flow. #​33454
  • Added new "Identity Governance & Security" navigation section in web UI. #​33425
  • Fixed access list audit log messages to properly include user names. #​33384
  • Added notification icon to Web UI to show Access List review notifications. #​33382
  • Fixed access lists to allow them to affect access request permissions. #​33351
  • Added job to update the Teleport version for deployments in Amazon ECS used during RDS Enrollment. #​33311
  • Added support for Windows AD root domain for PKI operations. #​33276
Security fixes

  • Updated golang.org/x/net dependency. #​33447
    • CVE-2023-44487: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack
  • Updated google.golang.org/grpc to v1.57.1. #​33488
    • CVE-2023-44487: swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack
  • Updated OpenTelemetry dependency. #​33551
    • CVE-2023-45142: OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics
  • Updated Go library depe

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
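The 13.4.7 notes above describe the SFTP fix as refusing to forward LD_PRELOAD and similar variables when Teleport re-execs itself. The following Go program is an added example of that defensive pattern; it is not Teleport's code, and the denylist (LD_ and DYLD_ prefixes plus GCONV_PATH) and the function names are assumptions chosen for illustration. It covers both paths the notes mention: an environment already populated from shell init scripts (SanitizeEnv) and variables arriving one at a time through SSH "env" requests (ApplyEnvRequest), and it sets cmd.Env explicitly so the child never silently inherits the unfiltered parent environment.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Variable names that change dynamic-loader behaviour in the child process.
// Constructed denylist for this example; Teleport's own list is not
// reproduced here.
var blockedPrefixes = []string{"LD_", "DYLD_"} // glibc and macOS loader knobs
var blockedNames = map[string]bool{
	"GCONV_PATH": true, // glibc iconv module search path
}

// IsBlockedEnvName reports whether a variable must not reach a re-exec'd
// subprocess. Matching is case-sensitive: the loaders only honour the
// upper-case names, so a lower-case "ld_preload" is inert and allowed.
func IsBlockedEnvName(name string) bool {
	if blockedNames[name] {
		return true
	}
	for _, p := range blockedPrefixes {
		if strings.HasPrefix(name, p) {
			return true
		}
	}
	return false
}

// SanitizeEnv returns a copy of env with blocked and malformed entries
// removed, preserving order. env holds "NAME=value" strings as returned by
// os.Environ() or assembled after the login shell's init scripts ran.
func SanitizeEnv(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		name, _, ok := strings.Cut(kv, "=")
		if !ok || name == "" || IsBlockedEnvName(name) {
			continue
		}
		out = append(out, kv)
	}
	return out
}

// ApplyEnvRequest adds one NAME=value pair received in an SSH "env" channel
// request, refusing blocked names so a client cannot introduce them after
// the shell-init filtering has already happened.
func ApplyEnvRequest(env []string, name, value string) ([]string, error) {
	if IsBlockedEnvName(name) {
		return env, fmt.Errorf("refusing client environment variable %q", name)
	}
	return append(env, name+"="+value), nil
}

// ReexecCommand builds the child command (the running binary invoked with a
// subcommand) with a sanitized environment. Setting cmd.Env explicitly
// matters: a nil Env makes os/exec inherit the parent's environment as-is.
func ReexecCommand(env []string, subcommand string, args ...string) *exec.Cmd {
	self, err := os.Executable()
	if err != nil {
		self = os.Args[0]
	}
	cmd := exec.Command(self, append([]string{subcommand}, args...)...)
	cmd.Env = SanitizeEnv(env)
	return cmd
}

func main() {
	// Constructed environment as a client-controlled init script might leave it.
	env := []string{"PATH=/usr/bin", "LD_PRELOAD=/tmp/hook.so", "HOME=/home/alice"}
	env, _ = ApplyEnvRequest(env, "LANG", "C.UTF-8")
	if _, err := ApplyEnvRequest(env, "LD_AUDIT", "/tmp/audit.so"); err != nil {
		fmt.Println("rejected:", err)
	}
	cmd := ReexecCommand(env, "sftp")
	fmt.Println("child env:", cmd.Env) // PATH, HOME and LANG only
}
```

A prefix denylist is deliberately broader than the single LD_PRELOAD name, since LD_LIBRARY_PATH and LD_AUDIT reach the same loader; the trade-off is that a legitimate user variable starting with LD_ is also dropped, which is the safer failure.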

@renovate renovate bot requested a review from a team as a code owner October 23, 2023 05:35
@renovate renovate bot added dependencies renovate This is an automated PR by RenovateBot labels Oct 23, 2023
@renovate
Contributor Author

renovate bot commented Oct 23, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum
Command failed: go get -d -t ./...
go: errors parsing go.mod:
go.mod:10:2: require github.com/gravitational/teleport/api: version "v14.2.3" invalid: should be v0 or v1, not v14
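The go.mod error quoted above is Go's semantic import versioning rule: a module at major version 2 or higher must carry a "/vN" suffix in its module path, and a bare path is only valid for v0 and v1. The following Go program is an added example, not Teleport's or the Go toolchain's code, that re-implements that check by hand over a constructed go.mod so the failure can be reproduced without running `go get`; the gopkg.in ".vN" convention and version-comparison details handled by golang.org/x/mod are left out.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod for the example; only the first require line is invalid.
const sampleGoMod = `module example.com/app

go 1.21

require (
	github.com/gravitational/teleport/api v14.2.3
	example.com/lib/v2 v2.1.0
	example.com/other v1.5.0
)
`

// majorOf extracts the major number from "v14.2.3" or from a pseudo-version
// such as "v0.0.0-20230607072028-2f3f42ef14ad".
func majorOf(version string) (int, error) {
	if !strings.HasPrefix(version, "v") {
		return 0, fmt.Errorf("version %q invalid: missing v prefix", version)
	}
	rest := version[1:]
	end := strings.IndexAny(rest, ".-+")
	if end < 0 {
		end = len(rest)
	}
	n, err := strconv.Atoi(rest[:end])
	if err != nil {
		return 0, fmt.Errorf("version %q invalid: bad major version", version)
	}
	return n, nil
}

// pathMajor returns N for a module path ending in "/vN" with N >= 2, and 0
// when the path has no major-version suffix.
func pathMajor(path string) int {
	last := path[strings.LastIndex(path, "/")+1:]
	if len(last) < 2 || last[0] != 'v' {
		return 0
	}
	n, err := strconv.Atoi(last[1:])
	if err != nil || n < 2 {
		return 0
	}
	return n
}

// CheckRequire applies the rule: v0/v1 need a bare path, v2+ need a
// matching "/vN" suffix. Messages mirror the go command's wording.
func CheckRequire(path, version string) error {
	vmajor, err := majorOf(version)
	if err != nil {
		return err
	}
	pmajor := pathMajor(path)
	switch {
	case vmajor <= 1 && pmajor == 0:
		return nil
	case vmajor >= 2 && pmajor == vmajor:
		return nil
	case pmajor == 0:
		return fmt.Errorf("version %q invalid: should be v0 or v1, not v%d", version, vmajor)
	default:
		return fmt.Errorf("version %q invalid: should be v%d, not v%d", version, pmajor, vmajor)
	}
}

// CheckGoMod scans single-line and block-form require directives and returns
// one "go.mod:LINE:COL: require PATH: ..." problem per invalid entry.
func CheckGoMod(src string) []string {
	var problems []string
	inBlock := false
	for i, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if idx := strings.Index(line, "//"); idx >= 0 { // drop "// indirect" etc.
			line = strings.TrimSpace(line[:idx])
		}
		switch {
		case line == "":
			continue
		case line == "require (":
			inBlock = true
			continue
		case inBlock && line == ")":
			inBlock = false
			continue
		}
		fields := strings.Fields(line)
		var path, version string
		switch {
		case inBlock && len(fields) >= 2:
			path, version = fields[0], fields[1]
		case len(fields) >= 3 && fields[0] == "require":
			path, version = fields[1], fields[2]
		default:
			continue
		}
		if err := CheckRequire(path, version); err != nil {
			col := len(raw) - len(strings.TrimLeft(raw, " \t")) + 1
			problems = append(problems, fmt.Sprintf("go.mod:%d:%d: require %s: %v", i+1, col, path, err))
		}
	}
	return problems
}

func main() {
	for _, p := range CheckGoMod(sampleGoMod) {
		fmt.Println(p)
	}
}
```

Running it prints a single line for the Teleport entry in the same shape as the Renovate log, while the "/v2" path and the v1 path pass; this is also why a pre-v14 pseudo-version like v0.0.0-2023... was accepted on the same bare path.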

@renovate renovate bot force-pushed the renovate/github.com-gravitational-teleport-api-14.x branch 2 times, most recently from d7b4a3f to 6effa1f Compare October 30, 2023 06:43
@renovate renovate bot force-pushed the renovate/github.com-gravitational-teleport-api-14.x branch 3 times, most recently from e76ec6b to e4e2a83 Compare November 13, 2023 06:07
@renovate renovate bot force-pushed the renovate/github.com-gravitational-teleport-api-14.x branch 3 times, most recently from 88b3e9a to 5174e21 Compare November 21, 2023 02:05
@renovate renovate bot force-pushed the renovate/github.com-gravitational-teleport-api-14.x branch 2 times, most recently from b7fa4ae to a09727d Compare December 1, 2023 02:16
@renovate renovate bot force-pushed the renovate/github.com-gravitational-teleport-api-14.x branch 2 times, most recently from 3a9893a to 76a4750 Compare December 15, 2023 00:52
@renovate renovate bot force-pushed the renovate/github.com-gravitational-teleport-api-14.x branch from 76a4750 to c1e9726 Compare December 19, 2023 13:06
Contributor Author

renovate bot commented Dec 20, 2023

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@OnurYilmazGit OnurYilmazGit self-assigned this Dec 22, 2023
@anvddriesch anvddriesch merged commit e3a7ac2 into main Jan 8, 2024
5 checks passed
@anvddriesch anvddriesch deleted the renovate/github.com-gravitational-teleport-api-14.x branch January 8, 2024 07:17