Teleport 14.3.7

Description

• Resolved sporadic errors caused by requests fail to comply with Kubernetes API spec by not specifying resource identifiers. #39167
• Fixed a bug when using automatic updates and the discovery service. The default install script now installs the correct Teleport version by querying the version server. #39100
• Teleport Proxy Service now runs a version server by default serving its own version. #39096
• Fixed a regression where tsh kube credentials fails to re-login when credentials expire. #39074
• TBot now supports --proxy-server for explicitly configuring the Proxy address. We recommend switching to this if you currently specify the address of your Teleport proxy to --auth-server. #39056
• Expanded the EC2 joining process to include newly created AWS regions. #39052
• Added GCP MySQL access IAM Authentication support. #39041
• Fixed an issue in SAML IdP entity descriptor generator process, which would fail to generate entity descriptor if the configured Entity ID endpoint would return HTTP status code above 200 and below 400. #38988
• Updated Go to 1.21.8. #38985
• Updated electron-builder dependency to address possible arbitrary code execution in the Windows installer of Teleport Connect (CVE-2024-27303). #38966
• Improved reliability and performance of tbot. #38929
• Filtered terminated sessions from the tsh sessions ls output. #38886
• Prevented panic when AccessList's status field is not set. #38862
• Fixed an issue with over counting of reported Teleport updater metrics. #38832
• Fixed a bug that caused tsh to return "private key policy not met" errors instead of automatically initiating re-login to satisfy the private key policy. #38818
• Fixed application access events being overwritten when using DynamoDB as event storage. #38816
• Fixed issue where DynamoDB writes could fail when recording too many records. #38762
• Added a tbot-only tbot-distroless container image, bringing an 80% size reduction over the Teleport teleport image. #38719
• Fixed a Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38542
• Tsh will now show access list review deadlines in dates rather than remaining hours.. #38526
• Fixed an issue where tsh would not function if one of its profiles is invalid. #38513
• Fixed an issue where teleport configure command logs would not use the configured logger. #38509
• Removed telnet from legacy Ubuntu images due to CVE-2021-40491. Netcat nc can be used instead. #38506
• Fixed a tsh WebAuthn.dll panic on Windows Server 2019. #38489
• Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38395
• Fixed a bug which allowed the operator to delete resources it does not own. #37751

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 15.1.3

Description

• Fix a bug when using automatic updates and the discovery service. The default install script now installs the correct teleport version by querying the version server. #39099
• Fix a regression where tsh kube credentials fails to re-login when credentials expire. #39075
• TBot now supports --proxy-server for explicitly configuring the Proxy address. We recommend switching to this if you currently specify the address of your Teleport proxy to --auth-server. #39055
• Expand the EC2 joining process to include newly created AWS regions. #39051
• Added GCP MySQL access IAM Authentication support. #39040
• Fixed compatibility of the Teleport service file with older versions of systemd. #39032
• Update WebUI database connection instructions. #39027
• Teleport Proxy Service now runs a version server by default serving its own version. #39017
• Significantly reduced latency of network calls in Teleport Connect. #39012
• SPIFFE SVID generation introduced to tbot (experimental). #39011
• Adds tsh workload issue command for issuing SVIDs using tsh. #39115
• Fixed an issue in SAML IdP entity descriptor generator process, which would fail to generate entity descriptor if the configured Entity ID endpoint would return HTTP status code above 200 and below 400 . #38987
• Updated Go to 1.21.8. #38983
• Updated electron-builder dependency to address possible arbitrary code execution in the Windows installer of Teleport Connect (CVE-2024-27303). #38964
• Fixed an issue where it was possible to skip providing old password when setting a new one. #38962
• Added database permission management support for Postgres. #38945
• Improved reliability and performance of tbot. #38928
• Filter terminated sessions from the tsh sessions ls output. #38887
• Make it easier to identify Teleport browser tabs by placing the session information before the cluster name. #38737
• The teleport-ent-upgrader package now gracefully restarts the Teleport binary if possible, to avoid cutting off ongoing connections. #3578
• Trusted device authentication failures may now include a brief explanation message in the corresponding audit event. #3572
• Okta access lists sync will now sync groups without members. #3636

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 15.1.1

Description

• Fixed panic when an older tsh or proxy changes an access list. #38861
• SSH connection resumption now works during graceful upgrades of the Teleport agent. #38842
• Fixed an issue with over counting of reported Teleport updater metrics. #38831
• Fixed tsh returning "private key policy not met" errors instead of automatically initiating re-login to satisfy the private key policy. #38819
• Made graceful shutdown and graceful restart terminate active sessions after 30 hours. #38803
• The teleport-ent-upgrader package now gracefully restarts the Teleport binary if possible, to avoid cutting off ongoing conections. #3578 (next release)

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 15.1.0

New Features

Standalone tbot Docker image

We now ship a new container image that contains tbot but omits other Teleport binaries, providing a light-weight option for Machine ID users.

Custom mouse pointers for remote desktop sessions

Teleport remote desktop sessions now automatically change the mouse cursor depending on context (when hovering over a link, resizing a window, or editing text, for example).

Synchronization of Okta groups and apps

Okta integration now support automatic synchronization of Okta groups and app assignments to Teleport as access lists giving users ability to request access to Okta apps without extra configuration.

EKS auto-discovery in Access Management UI

Users going through EKS enrollment flow in Access Management web UI now have an option to enable auto-discovery for EKS clusters.

Other changes

• Fixed application access events being overwritten when using DynamoDB as event storage. #38815
• Fixed a regression that had reintroduced long freezes for certain actions like "Run as different user". #38805
• When teleport is configured to require MFA for admin actions, MFA is required to get certificate authority secrets. Ex: tctl auth export --keys or tctl get cert_authority/host/root.example.com --with-secrets. #38777
• Added auto-enrolling capabilities to EKS discover flow in the web UI. #38773
• Heavily optimized the Access List page in the UI, speeding things up considerably. #38764
• Align DynamoDB BatchWriteItem max items limit. #38763
• tbot-distroless image is now published. This contains just the tbot binary and therefore has a smaller image size. #38718
• Fixed a regression with Teleport Connect not showing the re-login reason and connection errors when accessing databases, Kube clusters, and apps with an expired cert. #38716
• Re-enabled the Windows key and prevents it from sticking or otherwise causing problems when cmd+tab-ing or alt+tab-ing away from the browser during desktop sessions. #38699
• Resource limits are now correctly applied to the wait-auth-update initContainer in the teleport-cluster Helm chart. #38692
• When teleport is configured to require MFA for admin actions, MFA is required to create, update, or delete trusted clusters. #38690
• Fixed error in tctl get users --with-secrets when using SSO. #38663
• When device trust is required and MFA is optional, users will need to add their first MFA device from a trusted device. #38657
• Temporary files are no longer created during Discover UI EKS cluster enrollment. #38649
• When teleport is configured to require MFA for admin actions, MFA is required to get or list tokens with tctl. Ex: tctl tokens ls or tctl get tokens/foo. #38645
• Implemented dynamic mouse pointer updates to reflect context-specific actions, e.g. window resizing. #38614
• MFA approval is no longer required in the beginning of EKS Discover flow. #38580
• Fixed Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38543
• Fixed incorrect color of resource cards after changing the theme in Web UI and Connect. #38537
• Updated the dialog for adding new authentication methods in the account settings screen. #38535
• Displays review dates for access lists in dates, not remaining hours in tsh. #38525
• Ensure that tsh continues to function if one of its profiles is invalid. #38514
• Fixed logging output for teleport configure ... commands. #38508
• Fixed tsh/WebAuthn.dll panic on Windows Server 2019. #38490
• Fixes an issue that prevented the Web UI from properly displaying the hostname of servers in leaf clusters. #38469
• Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38394
• Fixed a bug that could cause expired SSH servers from appearing in the Web UI until the Proxy is restarted. #38310
• Desktops can now be configured to use the same screen resolution for all sessions. #38307
• The maximum duration for an access request is now 14 days, the okta-requester role has been added which takes advantage of this. #38224
• Added TLS routing native WebSocket connection upgrade support. #38108
• Fixed a bug allowing the operator to delete resource it does not own. #37750

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 13.4.17

Description

13.4.17

• tbot-distroless image is now published. This contains just the tbot binary and therefore has a smaller image size. #38720
• Fixed Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38541
• Ensured that tsh continues to function if one of its profiles is invalid. #38512
• Fixed logging output for teleport configure ... commands. #38510
• Removed telnet from legacy Ubuntu OCI due to CVE-2021-40491. Use nc instead. #38507
• Fixed tsh/WebAuthn.dll panic on Windows Server 2019. #38488
• Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38396
• Fixed a potential panic in the tsh status command. #38303
• Optionally permit the auth server to terminate client connections from unsupported versions. #38187
• Force agents to terminate Auth connections if joining fails. #38003
• Improved error handling when idle desktop connections are terminated. #37957
• Updated Go to 1.21.7. #37849
• Fixed app redirection loop on browser's incognito mode and 3rd party cookie block. #37698
• Fixed a database lateral movement exploit if a self-hosted database host is compromised, see Database CA Migrations. #35951

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

---

labels: security-patch=yes

Teleport 14.3.6

Description

• Fixed a potential panic in the tsh status command. #38304
• Fixed locking SSO user in the setup access step of the RDS auto discover flow in the web UI. #38284
• Optionally permit the auth server to terminate client connections from unsupported versions. #38186
• Removed access tokens from URL parameters, preventing them from being leaked to intermediary systems that may log them in plaintext. #38070
• Added option to validate hardware key serial numbers with hardware key support. #38069
• Forced agents to terminate Auth connections if joining fails. #38004
• Added a tsh sessions ls command to list active sessions. #37970
• Improved error handling when idle desktop connections are terminated. #37956
• Updated Go to 1.21.7. #37848
• Discover flow now starts two instances of DatabaseServices when setting up access to Amazon RDS. #37804
• Fixed incorrect resizing of CLI apps in Teleport Connect on Windows. #37799
• Fixed handling of non-registered U2F keys. #37722
• Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37719
• Fixed app redirection loop on browser's incognito mode and 3rd party cookie block. #37692

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 15.0.2

Description

• Fixed a potential panic in the tsh status command. #38305
• Fixed SSO user locking in the setup access step of the RDS auto discover flow in the web UI. #38283
• Optionally permit the auth server to terminate client connections from unsupported versions. #38182
• Fixed Assist obstructing the user dropdown menu when in docked mode. #38156
• Improved the stability of Teleport during graceful upgrades. #38145
• Added the ability to view and manage Machine ID bots from the UI. #38122
• Fixed a bug that prevented desktop clipboard sharing from working when large amounts of text are placed on the clipboard. #38120
• Added option to validate hardware key serial numbers with hardware key support. #38068
• Removed access tokens from URL parameters, preventing them from being leaked to intermediary systems that may log them in plaintext. #38032
• Forced agents to terminate Auth connections if joining fails. #38005
• Added a tsh sessions ls command to list active sessions. #37969
• Improved error handling when idle desktop connections are terminated. #37955
• Updated Go to 1.21.7. #37846
• Discover flow now starts two instances of DatabaseServices when setting up access to Amazon RDS. #37805

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 12.4.34

Description

Note: This is expected to be the last release in the v12 line. Users are encouraged to upgrade to a supported version.

• Fixed usage data submission becoming stuck sending too many reports at once (Teleport Enterprise only). #37690
• Update OpenSSL to 3.0.13. #37554
• Fixed CA key generation when two auth servers share a single YubiHSM2. #37305
• Fixed an issue selecting MySQL database is not reflected in the audit logs. #37259
• Ensure that moderated sessions do not get stuck in the event of an unexpected drop in the moderator's connection. #36919
• Ensure that any opened app session is always closed on completion. #36888
• Fixed tsh panic on Windows if WebAuthn.dll is missing. #36870
• Ensure connect_to_node_attempts_total is always incremented when dialing hosts. #36737
• Prevent a goroutine leak caused by app sessions not cleaning up resources properly. #36670
• Verify MFA device locks during user authentication. #36629
• Fixed goroutine leak per ssh session. #36513

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 15.0.1

Description

• Correctly handle non-registered U2F keys. #37720
• Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37718
• Fixed conditional user modifications (used by certain Teleport subsystems such as Device Trust) on users that have previously been locked out due to repeated recovery attempts. #37703
• Added SCIM support in Okta integration (cloud only). #3341
• Added okta integration SCIM support for web UI. #37697
• Fixed usage data submission becoming stuck sending too many reports at once (Teleport Enterprise only). #37687
• Fixed cache init issue with access list members/reviews. #37673
• Fixed "failed to close stream" log messages. #37662
• Skip tsh AppID pre-flight check whenever possible. #37642

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 13.4.16

Description

• Fixed incorrect resizing of CLI apps in Teleport Connect on Windows. #37800
• Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37723
• Correctly handle non-registered U2F keys. #37721
• Fixed usage data submission becoming stuck sending too many reports at once (Teleport Enterprise only). #37689
• Fixed cache init issue with access list members/reviews. #37675
• Skip tsh AppID pre-flight check whenever possible. #37644
• Updated Go to 1.21.6. #37561
• Updated OpenSSL to 3.0.13. #37553
• tsh FIDO2 backend re-written for improved responsiveness and reliability. #37539
• Do not add alphabetically first Kube cluster's name to a user certificate on login. #37503
• Allow to replicate proxy pods when using an ingress in the teleport-cluster Helm chart. #37481
• tbot now correctly uses the last good persisted identity if --join-token has not been specified. #37448
• Prevent backend throttling caused by a large number of app sessions. #37392
• Fixed querying of large audit events with Athena backend and added prometheus metrics for audit event sizes. #37350
• Fixed CA key generation when two auth servers share a single YubiHSM2. #37301
• Fixed an issue selecting MySQL database is not reflected in the audit logs. #37258
• Fixed missing proxy address in GCP and Azure VM auto-discovery. #37216
• Reduced logging level for services that reconcile resources. #37141
• Fixed webUI if automatic upgrades are misconfigured. #37131
• Improved styling of the login form in Connect and Web UI. #37004
• Fixed tsh trying to relogin on fatal errors. #36925
• Ensure that moderated sessions do not get stuck in the event of an unexpected drop in the moderator's connection. #36918
• The web terminal now properly displays underscores on Linux. #36891
• Ensure that any opened app session is always closed on completion. #36887
• Fixed tsh panic on Windows if WebAuthn.dll is missing. #36869
• Fixed a potential crash in Teleport Connect after downgrading the app from v15+. #36798
• Ensure connect_to_node_attempts_total is always incremented when dialing hosts. #36738
• Added missing create/update messages for some tctl create commands. #36702
• Prevent a goroutine leak caused by app sessions not cleaning up resources properly. #36669
• Fixed an issue where valid saml entity descriptors could be rejected. #36659
• Verify MFA device locks during user authentication. #36627
• Teleport updater now reloads systems units after an upgrade. #3228

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.