Release 13.4.17 (#38780)

* Release 13.4.17

* Update CHANGELOG fixing link and adding new commits

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Changelog
 
+## 13.4.17
+
+* tbot-distroless image is now published. This contains just the tbot binary and therefore has a smaller image size. [#38720](https://github.com/gravitational/teleport/pull/38720)
+* Fixed Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. [#38541](https://github.com/gravitational/teleport/pull/38541)
+* Ensured that tsh continues to function if one of its profiles is invalid. [#38512](https://github.com/gravitational/teleport/pull/38512)
+* Fixed logging output for `teleport configure ...` commands. [#38510](https://github.com/gravitational/teleport/pull/38510)
+* Removed `telnet` from legacy Ubuntu OCI due to CVE-2021-40491. Use `nc` instead. [#38507](https://github.com/gravitational/teleport/pull/38507)
+* Fixed tsh/WebAuthn.dll panic on Windows Server 2019. [#38488](https://github.com/gravitational/teleport/pull/38488)
+* Added `ssh_service.enhanced_recording.root_path` configuration option to change the cgroup slice path used by the agent. [#38396](https://github.com/gravitational/teleport/pull/38396)
+* Fixed a potential panic in the `tsh status` command. [#38303](https://github.com/gravitational/teleport/pull/38303)
+* Optionally permit the auth server to terminate client connections from unsupported versions. [#38187](https://github.com/gravitational/teleport/pull/38187)
+* Force agents to terminate Auth connections if joining fails. [#38003](https://github.com/gravitational/teleport/pull/38003)
+* Improved error handling when idle desktop connections are terminated. [#37957](https://github.com/gravitational/teleport/pull/37957)
+* Updated Go to 1.21.7. [#37849](https://github.com/gravitational/teleport/pull/37849)
+* Fixed app redirection loop on browser's incognito mode and 3rd party cookie block. [#37698](https://github.com/gravitational/teleport/pull/37698)
+* Fixed a database lateral movement exploit if a self-hosted database host is compromised, see [Database CA Migrations](docs/pages/management/operations/db-ca-migrations.mdx). [#35951](https://github.com/gravitational/teleport/pull/35951)
+
 ## 13.4.16
 
 * Fixed incorrect resizing of CLI apps in Teleport Connect on Windows. [#37800](https://github.com/gravitational/teleport/pull/37800)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=13.4.16
+VERSION=13.4.17
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>13.4.16</string>
+		<string>13.4.17</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>13.4.16</string>
+		<string>13.4.17</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>13.4.16</string>
+		<string>13.4.17</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>13.4.16</string>
+		<string>13.4.17</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/teleport-cluster/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "13.4.16"
+.version: &version "13.4.17"
 
 name: teleport-cluster
 apiVersion: v2

examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "13.4.16"
+.version: &version "13.4.17"
 
 name: teleport-operator
 apiVersion: v2

examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap

@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
   1: |
-    image: public.ecr.aws/gravitational/teleport-operator:13.4.16
+    image: public.ecr.aws/gravitational/teleport-operator:13.4.17
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap

@@ -5,7 +5,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       name: wait-auth-update
     - args:
       - echo test
@@ -62,7 +62,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -123,7 +123,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -174,7 +174,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -242,7 +242,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -275,7 +275,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -343,7 +343,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -383,7 +383,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -451,7 +451,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.16
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.17
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false

examples/chart/teleport-kube-agent/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "13.4.16"
+.version: &version "13.4.17"
 
 name: teleport-kube-agent
 apiVersion: v2