
Release 14.3.30 #46003

Merged
merged 2 commits into branch/v14 from release/14.3.30
Aug 29, 2024

Conversation

camscale
Contributor

@camscale camscale commented Aug 28, 2024

Security fix

[High] Stored XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently
validate the ACS endpoint. This could allow a Teleport administrator with
permissions to write saml_idp_service_provider resources to configure a
malicious service provider with an XSS payload and compromise the sessions of users
who would access that service provider.

Note: This vulnerability is only applicable when Teleport itself is acting as
the identity provider. If you only use SAML to connect to an upstream identity
provider you are not impacted. You can use the tctl get
saml_idp_service_provider command to verify if you have any Service Provider
applications registered and Teleport acts as an IdP.

For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes,
desktop, application, database and discovery) are not impacted and do not need
to be updated.

Other fixes and improvements

  • Fixed an issue where host_sudoers could be written to Teleport proxy server sudoer lists in Teleport v14 and v15. #45960
  • Prevent interactive sessions from hanging on exit. #45954
  • Fixed kernel version check of Enhanced Session Recording for distributions with backported BPF. #45943
  • When a database is created manually (without auto-discovery) the teleport.dev/db-admin and teleport.dev/db-admin-default-database labels are no longer ignored and can be used to configure database auto-user provisioning. #45893
  • Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. More info can be found at Migrating unmanaged users. #45796
  • Fixed host user creation for tsh scp. #45682
  • Fixed an issue where AWS access fails when the username is longer than 64 characters. #45657
  • Remove empty tcp app session recordings. #45647
  • Fixed an issue where users created in keep mode could effectively become insecure_drop and get cleaned up as a result. #45607
  • Prevent RBAC bypass for new Postgres connections. #45556
  • Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #45494
  • Improve the output of tsh sessions ls. #45454

Enterprise:

  • Fixed an issue in Okta Sync that spuriously deleted Okta Applications due to connectivity errors.
  • Fixed an issue in the SAML IdP session which prevented SAML IdP sessions from being consistently updated when users assumed or switched back from the roles granted in an access request.
  • Fixed a stored Cross-Site Scripting (XSS) issue in the SAML IdP authentication flow where a Teleport administrator with create and update privileges on the saml_idp_service_provider resource could configure a malicious service provider with an XSS payload and compromise the sessions of users who would access that service provider.

Note: This release supersedes 14.3.28 and 14.3.29 which failed to build on GHA.

Note: This includes an e ref update for the AMI workflow fix.
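The advisory above describes the root cause as insufficient validation of the ACS endpoint stored on a service provider resource. The following Go snippet is an added illustration of what strict ACS URL validation plus context-aware rendering looks like on the IdP side; it is not Teleport's code and does not claim to reproduce the actual fix. Go is used because Teleport is written in Go. The functions `validateACSURL` and `renderPOSTBinding`, the template, and all sample URLs are hypothetical and constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
	"unicode"
)

// validateACSURL applies strict checks to an Assertion Consumer Service URL
// before it is accepted onto a service provider resource. Hypothetical helper,
// not Teleport's implementation: it rejects anything that is not an absolute
// https URL with a host, and anything carrying characters that are never valid
// unescaped in a URL (which is where markup or script payloads tend to hide).
func validateACSURL(raw string) error {
	if raw == "" {
		return errors.New("acs url is empty")
	}
	for _, r := range raw {
		if r < 0x20 || r == 0x7f || unicode.IsSpace(r) {
			return errors.New("acs url contains control or whitespace characters")
		}
	}
	// RFC 3986 never allows these unescaped; they are only useful for breaking
	// out of an HTML attribute or starting a tag.
	if strings.ContainsAny(raw, "<>\"'`\\") {
		return errors.New("acs url contains characters that are not valid in a URL")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("acs url does not parse: %w", err)
	}
	if !u.IsAbs() {
		return errors.New("acs url must be absolute")
	}
	// Scheme allow-list: this rules out javascript:, data:, vbscript: and
	// plaintext http:, rather than trying to block-list bad schemes.
	if !strings.EqualFold(u.Scheme, "https") {
		return fmt.Errorf("acs url scheme %q is not https", u.Scheme)
	}
	if u.Hostname() == "" {
		return errors.New("acs url has no host")
	}
	if u.User != nil {
		return errors.New("acs url must not contain credentials")
	}
	if u.Fragment != "" {
		return errors.New("acs url must not contain a fragment")
	}
	return nil
}

// postBinding is a minimal HTTP-POST binding page. html/template is used so
// that the action attribute is escaped in URL context at render time; the
// validation above is the primary control, escaping is defence in depth.
var postBinding = template.Must(template.New("post").Parse(
	`<form method="POST" action="{{.ACS}}">` +
		`<input type="hidden" name="SAMLResponse" value="{{.Response}}">` +
		`</form>`))

// renderPOSTBinding re-validates the stored ACS URL at use time and renders
// the auto-submit form. Re-checking at render time means a resource written
// before the validation existed cannot slip through.
func renderPOSTBinding(acs, samlResponse string) (string, error) {
	if err := validateACSURL(acs); err != nil {
		return "", err
	}
	var b strings.Builder
	err := postBinding.Execute(&b, map[string]string{"ACS": acs, "Response": samlResponse})
	if err != nil {
		return "", err
	}
	return b.String(), nil
}

func main() {
	// Constructed sample inputs: one acceptable ACS URL and several that a
	// strict validator must reject.
	samples := []string{
		"https://sp.example.com/saml/acs",
		"javascript:alert(1)",
		"/saml/acs",
		"http://sp.example.com/saml/acs",
		`https://sp.example.com/acs"><script>x</script>`,
	}
	for _, s := range samples {
		fmt.Printf("%-50s -> %v\n", s, validateACSURL(s))
	}
	out, _ := renderPOSTBinding(samples[0], "PHNhbWxwOlJlc3BvbnNlLz4=")
	fmt.Println(out)
}
```

The `tctl get saml_idp_service_provider` check mentioned in the advisory is the operational counterpart of this: listing registered service providers and reviewing their ACS URLs against rules like these is how an administrator confirms whether an existing deployment carries anything unexpected.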

@camscale camscale added the no-changelog Indicates that a PR does not require a changelog entry label Aug 28, 2024
@camscale camscale added this pull request to the merge queue Aug 29, 2024
Merged via the queue into branch/v14 with commit a036a2e Aug 29, 2024
41 checks passed
@camscale camscale deleted the release/14.3.30 branch August 29, 2024 00:49