Releases: gravitational/teleport

Teleport 15.4.17

29 Aug 06:44
317f2e4

Description

  • Prevent connections from being randomly terminated by Teleport proxies when proxy_protocol is enabled and TLS is terminated before Teleport Proxy. #45993
  • Fixed an issue where host_sudoers could be written to Teleport proxy server sudoer lists in Teleport v14 and v15. #45961
  • Prevent interactive sessions from hanging on exit. #45953
  • Fixed kernel version check of Enhanced Session Recording for distributions with backported BPF. #45942
  • Added a flag to skip a relogin attempt when using tsh ssh and tsh proxy ssh. #45930
  • Fixed an issue where WebSocket upgrade fails with MiTM proxies that can remask payloads. #45900
  • When a database is created manually (without auto-discovery) the teleport.dev/db-admin and teleport.dev/db-admin-default-database labels are no longer ignored and can be used to configure database auto-user provisioning. #45892
  • Slack plugin now lists logins permitted by requested roles. #45854
  • Fixed an issue that prevented the creation of AWS App Access for an Integration that used digits only (e.g., AWS Account ID). #45818
  • For new EKS Cluster auto-enroll configurations, the temporary Access Entry is tagged with teleport.dev/ namespaced tags. For existing setups, please add the eks:TagResource action to the Integration IAM Role to get the same behavior. #45726
  • Added support for importing S3 Bucket Tags into Teleport Policy's Access Graph. For existing configurations, ensure that the s3:GetBucketTagging permission is manually included in the Teleport Access Graph integration role. #45550

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Download the current release of Teleport plugins from the links below.

Teleport 14.3.30

29 Aug 02:33
a036a2e

Description

Security fix

[High] Stored XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently
validate the ACS endpoint. This could allow a Teleport administrator with
permissions to write saml_idp_service_provider resources to configure a
malicious service provider with an XSS payload and compromise the sessions of users
who would access that service provider.

Note: This vulnerability is only applicable when Teleport itself is acting as
the identity provider. If you only use SAML to connect to an upstream identity
provider you are not impacted. You can use the tctl get
saml_idp_service_provider command to verify if you have any Service Provider
applications registered and Teleport acts as an IdP.

For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes,
desktop, application, database and discovery) are not impacted and do not need
to be updated.

Other fixes and improvements

  • Fixed an issue where host_sudoers could be written to Teleport proxy server sudoer lists in Teleport v14 and v15. #45960
  • Prevent interactive sessions from hanging on exit. #45954
  • Fixed kernel version check of Enhanced Session Recording for distributions with backported BPF. #45943
  • When a database is created manually (without auto-discovery) the teleport.dev/db-admin and teleport.dev/db-admin-default-database labels are no longer ignored and can be used to configure database auto-user provisioning. #45893
  • Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. More info can be found at Migrating unmanaged users. #45796
  • Fixed host user creation for tsh scp. #45682
  • Fixed an issue where AWS access fails when the username is longer than 64 characters. #45657
  • Remove empty tcp app session recordings. #45647
  • Fixed an issue where users created in keep mode could effectively become insecure_drop and get cleaned up as a result. #45607
  • Prevent RBAC bypass for new Postgres connections. #45556
  • Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #45494
  • Improve the output of tsh sessions ls. #45454

Enterprise:

  • Fixed issue in Okta Sync that spuriously deletes Okta Applications due to connectivity errors.
  • Fixed an issue in the SAML IdP session which prevented SAML IdP sessions from being consistently updated when users assumed or switched back from the roles granted in the access request.
  • Fixed a stored Cross-Site Scripting (XSS) issue in the SAML IdP authentication flow where a Teleport administrator with create and update privileges on the saml_idp_service_provider resource could configure a malicious service provider with an XSS payload and compromise the sessions of users who would access that service provider.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

--

labels: security-patch=yes, security-patch-alts=v14.3.25|v14.3.26

Teleport 16.2.0

27 Aug 01:51
68369de

Description

NLA Support for Windows Desktops

Teleport now supports Network Level Authentication (NLA) when connecting to Windows hosts that are part of an Active Directory domain. NLA support is currently opt-in. It will be enabled by default in a future release.

To enable NLA, set the TELEPORT_ENABLE_RDP_NLA environment variable to yes on your windows_desktop_service instances. It is not necessary to configure the Windows hosts to require NLA - Teleport's client will perform NLA when configured to do so, even if the server does not require it.

More information is available in the Active Directory docs.

DocumentDB IAM authentication support

Teleport now supports authenticating to DocumentDB with IAM users and roles,
recently released by AWS.

Join Tokens in the Web UI

Teleport now allows users to manage join tokens in the web UI as an alternative
to the tctl tokens commands.

Database Access Controls in Access Graph

Database Access users are now able to see database objects and their access
paths in Access Graph.

Logrotate support

Teleport now integrates with logrotate by automatically reopening log files when
detecting that they were renamed.

Other improvements and fixes

  • Failure to share a local directory in a Windows desktop session is no longer considered a fatal error. #45852
  • Add teleport.dev/project-id label for auto-enrolled instances in GCP. #45820
  • Fix an issue that prevented the creation of AWS App Access for an Integration that used digits only (e.g., AWS Account ID). #45819
  • Slack plugin now lists logins permitted by requested roles. #45759
  • For new EKS Cluster auto-enroll configurations, the temporary Access Entry is tagged with teleport.dev/ namespaced tags. For existing setups, please add the eks:TagResource action to the Integration IAM Role to get the same behavior. #45725
  • Added support for importing S3 Bucket Tags into Teleport Policy's Access Graph. For existing configurations, ensure that the s3:GetBucketTagging permission is manually included in the Teleport Access Graph integration role. #45551
  • Add a tctl terraform env command to simplify running the Teleport Terraform provider locally. #44690
  • Add native MachineID support to the Terraform provider. Environments with delegated joining methods such as GitHub Actions, GitLab CI, CircleCI, GCP, or AWS can run the Terraform provider without having to set up tbot. #44690
  • The Terraform Provider now sequentially tries every credential source and provides more actionable error messages if it cannot connect. #44690
  • When the Terraform provider finds expired credentials it will now fail fast with a clear error instead of hanging for 30 seconds and sending a potentially misleading error about certificates being untrusted. #44690
  • Fix a bug that caused some enterprise clusters to incorrectly display a message that the cluster had a monthly allocation of 0 access requests. #4923

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 16.1.8

24 Aug 16:47
33ec1a3

Description

Security fix

[High] Stored XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently
validate the ACS endpoint. This could allow a Teleport administrator with
permissions to write saml_idp_service_provider resources to configure a
malicious service provider with an XSS payload and compromise the sessions of users
who would access that service provider.

Note: This vulnerability is only applicable when Teleport itself is acting as
the identity provider. If you only use SAML to connect to an upstream identity
provider you are not impacted. You can use the tctl get saml_idp_service_provider
command to verify if you have any Service Provider applications registered and Teleport acts as an IdP.

For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes,
desktop, application, database and discovery) are not impacted and do not need
to be updated.

Other fixes and improvements

  • Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. #45791
  • The terminal shell can now be changed in Teleport Connect by right-clicking on a terminal tab. This allows using WSL (wsl.exe) if it is installed. Also, the default shell on Windows has been changed to pwsh.exe (instead of powershell.exe). #45734
  • Improve web UI enroll RDS flow where VPC, subnets, and security groups are now selectable. #45688
  • Allow to limit duration of local tsh proxy certificates with a new MFAVerificationInterval option. #45686
  • Fixed host user creation for tsh scp. #45680
  • Fixed an issue where AWS access fails when the username is longer than 64 characters. #45658
  • Permit setting a cluster wide SSH connection dial timeout. #45650
  • Improve performance of host resolution performed via tsh ssh when connecting via labels or proxy templates. #45644
  • Remove empty tcp app session recordings. #45643
  • Fixed bug causing FeatureHiding flag to not hide the "Access Management" section in the UI as intended. #45608
  • Fixed an issue where users created in keep mode could effectively become insecure_drop and get cleaned up as a result. #45594
  • Prevent RBAC bypass for new Postgres connections. #45554
  • tctl allows cluster administrators to create custom notifications targeting Teleport users. #45503
  • Fixed debug service not enabled by default when not using a configuration file. #45480
  • Introduce support for Envoy SDS into the Machine ID spiffe-workload-api service. #45460
  • Improve the output of tsh sessions ls. #45452
  • Fix access entry handling permission error when EKS auto-discovery was set up in the Discover UI. #45442
  • Fix showing error message when enrolling EKS clusters in the Discover UI. #45415
  • Fixed the "Create A Bot" flow for GitHub Actions and SSH. It now correctly grants the bot the role created during the flow, and the example YAML is now correctly formatted. #45409
  • Mark authenticators used for passwordless as a passkey, if not previously marked as such. #45395
  • Prevents a panic caused by AWS STS client not being initialized when assuming an AWS Role. #45382
  • Update teleport debug commands to handle data dir not set. #45341
  • Fix tctl get all not returning SAML or OIDC auth connectors. #45319
  • The Opsgenie plugin recipients can now be dynamically configured by creating Access Monitoring Rules resources with the required Opsgenie notify schedules. #45307
  • Improve discoverability of the source of rejected connections due to unsupported versions. #45278
  • Improved copy and paste behavior in the terminal in Teleport Connect. On Windows and Linux, Ctrl+Shift+C/V now copies and pastes text (these shortcuts can be changed with keymap.terminalCopy/keymap.terminalPaste). A mouse right click (terminal.rightClick) can copy/paste text too (enabled by default on Windows). #45265
  • Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #45225
  • Adds SPIFFE compatible federation bundle endpoint to the Proxy API, allowing other workload identity platforms to federate with the Teleport cluster. #44998
  • Add 'Download CSV' button to Access Monitoring Query results. #4899
  • Fixed issue in Okta Sync that spuriously deletes Okta Applications due to connectivity errors. #4885
  • Fixed bug in Okta Sync that mistakenly removes Apps and Groups on connectivity failure. #4883
  • Fixed bug that caused some enterprise clusters to incorrectly display a message that the cluster had a monthly allocation of 0 access requests. #4923

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Download the current release of Teleport plugins from the links below.

--

labels: security-patch=yes, security-patch-alts=v16.1.5|v16.1.6

Teleport 15.4.16

24 Aug 16:44
81dac57

Description

Security fix

[High] Stored XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently
validate the ACS endpoint. This could allow a Teleport administrator with
permissions to write saml_idp_service_provider resources to configure a
malicious service provider with an XSS payload and compromise the sessions of users
who would access that service provider.

Note: This vulnerability is only applicable when Teleport itself is acting as
the identity provider. If you only use SAML to connect to an upstream identity
provider you are not impacted. You can use the tctl get
saml_idp_service_provider command to verify if you have any Service Provider
applications registered and Teleport acts as an IdP.

For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes,
desktop, application, database and discovery) are not impacted and do not need
to be updated.
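
The advisory above (also carried in the 14.3.30 and 16.1.8 notes) turns on an ACS endpoint that was accepted without sufficient validation. As an added example, not Teleport's own code or its actual fix, the following Go program audits standard SAML SP metadata and rejects ACS `Location` values under an assumed allow-list policy (https only, host required, no userinfo); `ValidateACSURL`, `AuditMetadata` and the sample metadata are constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// entityDescriptor models only the part of standard SAML 2.0 SP metadata
// that carries ACS endpoints. Untagged namespaces match any namespace prefix.
type entityDescriptor struct {
	XMLName  xml.Name `xml:"EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
	ACS      []struct {
		Location string `xml:"Location,attr"`
	} `xml:"SPSSODescriptor>AssertionConsumerService"`
}

// ValidateACSURL applies an allow-list policy (an assumption of this example):
// absolute https URL with a host, no userinfo, no control or
// HTML-significant characters.
func ValidateACSURL(raw string) error {
	if raw == "" {
		return errors.New("empty ACS URL")
	}
	for _, r := range raw {
		if r <= 0x20 || r == 0x7f || strings.ContainsRune("<>\"'`\\", r) {
			return fmt.Errorf("forbidden character %q", r)
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable URL: %w", err)
	}
	// url.Parse lower-cases the scheme, so mixed-case spellings are covered.
	if u.Scheme != "https" {
		return fmt.Errorf("scheme %q is not https", u.Scheme)
	}
	if u.Hostname() == "" {
		return errors.New("missing host")
	}
	if u.User != nil {
		return errors.New("userinfo is not allowed")
	}
	return nil
}

// Finding is one rejected ACS endpoint.
type Finding struct{ EntityID, Location, Reason string }

// AuditMetadata parses SP metadata and returns every ACS Location that fails
// ValidateACSURL. Metadata without any ACS endpoint is reported as an error.
func AuditMetadata(doc []byte) ([]Finding, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(doc, &ed); err != nil {
		return nil, fmt.Errorf("parsing metadata: %w", err)
	}
	if len(ed.ACS) == 0 {
		return nil, errors.New("metadata declares no AssertionConsumerService")
	}
	var out []Finding
	for _, a := range ed.ACS {
		if err := ValidateACSURL(a.Location); err != nil {
			out = append(out, Finding{ed.EntityID, a.Location, err.Error()})
		}
	}
	return out, nil
}

// sampleMetadata is constructed for this example; sp.example.com is a placeholder.
const sampleMetadata = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="javascript:void(0)"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`

func main() {
	findings, err := AuditMetadata([]byte(sampleMetadata))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: reject %q (%s)\n", f.EntityID, f.Location, f.Reason)
	}
}
```

Validation at registration time is one layer; the page that posts the SAML response should also encode the ACS value for its output context.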

Other fixes and improvements

  • Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. #45792
  • Fixed host user creation for tsh scp. #45681
  • Fixed AWS access failing when the username is longer than 64 characters. #45656
  • Permit setting a cluster wide SSH connection dial timeout. #45651
  • Improved performance of host resolution performed via tsh ssh when connecting via labels or proxy templates. #45645
  • Removed empty tcp app session recordings. #45642
  • Fixed Teleport plugins images using the wrong entrypoint. #45618
  • Added debug images for Teleport plugins. #45618
  • Fixed FeatureHiding flag not hiding the "Access Management" section in the UI. #45613
  • Fixed Host User Management deleting users that are not managed by Teleport. #45595
  • Fixed a security vulnerability with PostgreSQL integration where a maliciously crafted startup packet with an empty database name can bypass the intended access control. #45555
  • Fixed the debug service not being enabled by default when not using a configuration file. #45479
  • Introduced support for Envoy SDS into the Machine ID spiffe-workload-api service. #45463
  • Improved the output of tsh sessions ls to make it easier to understand what sessions are ongoing and what sessions users can/should join as a moderator. #45453
  • Fixed access entry handling permission error when EKS auto-discovery was set up in the Discover UI. #45443
  • Fixed the web UI showing vague error messages when enrolling EKS clusters in the Discover UI. #45416
  • Fixed the "Create A Bot" flow for GitHub Actions and SSH not correctly granting the bot the role created during the flow. #45410
  • Fixed a panic caused by AWS STS client not being initialized when assuming an AWS Role. #45381
  • Fixed teleport debug commands incorrectly handling an unset data directory in the Teleport config. #45342

Enterprise:

  • Fixed Okta Sync spuriously deleting Okta Applications due to connectivity errors. #4886
  • Fixed Okta Sync mistakenly removing Apps and Groups on connectivity failure. #4884
  • Fixed the SAML IdP session preventing SAML IdP sessions from being consistently updated when users assumed a role or switched back from the role granted in the access request. #4879
  • Fixed a security issue where a user who can create saml_idp_service_provider resources can compromise the sessions of more powerful users and perform actions on behalf of others. #4863
  • Fixed the SAML IdP authentication middleware preventing users from signing into the service provider when a SAML authentication request was made with an HTTP-POST binding protocol and users didn't already have an active session with Teleport. #4852

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

--

labels: security-patch=yes, security-patch-alts=v15.4.13|v15.4.14

Teleport 14.3.23

09 Aug 04:45
69e5efb

Description

  • Updated Go toolchain to 1.22.6. #45196
  • Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45065
  • Fixed race condition between session recording uploads and session recording upload cleanup. #44980
  • Prevent Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44976
  • Improved stability of very large teleport clusters during temporary backend disruption/degradation. #44696
  • Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. #44630
  • Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44574
  • Fixed Teleport Connect binaries not being signed correctly. #44473
  • Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44467
  • Fixed a low-probability panic in audit event upload logic. #44423
  • Prevented DoSing the cluster during a mass failed join event by agents. #44416
  • Added audit events for AWS and Azure integration resource actions. #44405
  • Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44273
  • Fixed a kube-agent-updater bug affecting resolutions of private images. #44193
  • Prevented redirects to arbitrary URLs when launching an app. #44190
  • The teleport-cluster chart can now use existing ingresses instead of creating its own. #44148
  • Ensured that tsh login outputs accurate status information for the new session. #44145
  • Fixes "device trust mode x requires Teleport Enterprise" errors on tctl. #44136
  • Honor proxy templates in tsh ssh. #44031
  • Fix eBPF error occurring during startup on Linux RHEL 9. #44025
  • Fixed Redshift auto-user deactivation/deletion failure that occurs when a user is created or deleted and another user is deactivated concurrently. #43984
  • Lowered latency of detecting Kubernetes cluster becoming online. #43969
  • Teleport AMIs now optionally source environment variables from /etc/default/teleport as regular Teleport package installations do. #43960
  • Fixed teleport-kube-agent Helm chart to correctly propagate extraLabels to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43933
  • Added audit events for discovery config actions. #43795
  • Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile. #43651
  • Extended Teleport's ability to use non-default cluster domains in Kubernetes, avoiding the assumption of cluster.local. #43633
  • Wait for user MFA input when reissuing expired certificates for a kube proxy. #43614
  • Display errors in the web UI console for SSH sessions. #43492
  • Updated go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43476
  • Fixed an issue preventing accurate inventory reporting of the updater after it is removed. #43452
  • Remaining alert TTL is now displayed with tctl alerts ls. #43434
  • Fixed headless auth for SSO users, including when local auth is disabled. #43363
  • Fixed an issue with incorrect yum/zypper updater packages being installed. #4686
  • Fixed inaccurately notifying user that access list reviews are due in the web UI. #4523
  • The Teleport updater will no longer default to using the global version channel, avoiding incompatible updates. #4475

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 15.4.12

09 Aug 01:24
42356d8

Description

  • Improved copy and paste behavior in the terminal in Teleport Connect. On Windows and Linux, Ctrl+Shift+C/V now copies and pastes text (these shortcuts can be changed with keymap.terminalCopy/keymap.terminalPaste). A mouse right click (terminal.rightClick) can copy/paste text too (enabled by default on Windows). #45266
  • Updated Go toolchain to 1.22.6. #45195
  • Improved tsh ssh performance for concurrent execs. #45163
  • Fixed regression that denied access to launch some applications. #45150
  • Bot resources now honour their metadata.expires field. #45133
  • Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45064
  • Fix a panic in the Microsoft Teams plugin when it receives an error. #45012
  • Adds SPIFFE compatible federation bundle endpoint to the Proxy API, allowing other workload identity platforms to federate with the Teleport cluster. #44999
  • Added warning on tbot startup when the requested certificate TTL exceeds the maximum allowed value. #44988
  • Fixed race condition between session recording uploads and session recording upload cleanup. #44979
  • Prevent Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44975
  • Fix tbot FIPS builds failing to start due to missing boringcrypto. #44908
  • Added support for Kubernetes Workload Attestation into Teleport Workload Identity to allow the authentication of pods running within Kubernetes without secrets. #44884
  • Machine ID can now be configured to use Kubernetes Secret destinations from the command line using the kubernetes-secret schema. #44804
  • Prevent discovery service from overwriting Teleport dynamic resources that have the same name as discovered resources. #44786
  • Teleport Connect now uses ConPTY for better terminal resizing and accurate color rendering on Windows, with an option to disable it in the app config. #44743
  • Fixed event-handler Helm charts using the wrong command when starting the event-handler container. #44698
  • Enabled Mattermost plugin for notification routing rules. #4773

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Teleport 16.1.4

07 Aug 23:12
acdd343

Description

  • Improved tsh ssh performance for concurrent execs. #45162
  • Fixed issue with loading cluster features when agents are upgraded prior to auth. #45226
  • Updated Go to 1.22.6. #45194

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Download the current release of Teleport plugins from the links below.

Teleport 16.1.3

07 Aug 01:18
b7b8675

Description

  • Fixed an issue where tsh aws may display extra text in addition to the original command output. #45168
  • Fixed regression that denied access to launch some Apps. #45149
  • Bot resources now honor their metadata.expires field. #45130
  • Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45063
  • Fixed a panic in the Microsoft Teams plugin when it receives an error. #45011
  • Added a background item for VNet in Teleport Connect; VNet now prompts for a password only during the first launch. #44994
  • Added warning on tbot startup when the requested certificate TTL exceeds the maximum allowed value. #44989
  • Fixed a race condition between session recording uploads and session recording upload cleanup. #44978
  • Prevented Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44974
  • SSO login flows can now authorize web sessions with Device Trust. #44906
  • Added support for Kubernetes Workload Attestation into Teleport Workload Identity to allow the authentication of pods running within Kubernetes without secrets. #44883

Enterprise:

  • Fixed a redirection issue with the SAML IdP authentication middleware which prevented users from signing into the service provider when a SAML authentication request was made with an HTTP-POST binding protocol, and users didn't already have an active session with Teleport.
  • SAML applications can now be deleted from the Web UI.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Download the current release of Teleport plugins from the links below.

Teleport 16.1.1

31 Jul 20:35
806b00e

Description

  • Added option to allow client redirects from IPs in specified CIDR ranges in SSO client logins. #44846
  • Machine ID can now be configured to use Kubernetes Secret destinations from the command line using the kubernetes-secret schema. #44801
  • Prevent discovery service from overwriting Teleport dynamic resources that have the same name as discovered resources. #44785
  • Reduced the probability that the event-handler deadlocks when encountering errors processing session recordings. #44771
  • Improved event-handler diagnostics by providing a way to capture profiles dynamically via SIGUSR1. #44758
  • Teleport Connect now uses ConPTY for better terminal resizing and accurate color rendering on Windows, with an option to disable it in the app config. #44742
  • Fixed event-handler Helm charts using the wrong command when starting the event-handler container. #44697
  • Improved stability of very large Teleport clusters during temporary backend disruption/degradation. #44694
  • Resolved compatibility issue with Paramiko and Machine ID's SSH multiplexer SSH agent. #44673
  • Teleport no longer creates invalid SAML Connectors when calling tctl get saml/<connector-name> | tctl create -f without the --with-secrets flag. #44666
  • Fixed a fatal error in tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44645
  • Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. #44628
  • Added Server auto-discovery support for Rocky and AlmaLinux distros. #44612
  • Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44572
  • Added more icons for guessing application icon by name or by label teleport.icon in the web UI. #44566
  • Remove deprecated S3 bucket option when creating or editing AWS OIDC integration in the web UI. #44485
  • Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44465
  • Added application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44443
  • Fixed a regression that caused Teleport Connect to fail to start on Intel Macs. #44435
  • Improved auto-discovery resiliency by recreating Teleport configuration when the node fails to join the cluster. #44432
  • Fixed a low-probability panic in audit event upload logic. #44425
  • Fixed Teleport Connect binaries not being signed correctly. #44419
  • Prevented DoSing the cluster during a mass failed join event by agents. #44414
  • The availability filter is now a toggle to show (or hide) requestable resources. #44413
  • Moved PostgreSQL auto provisioning users procedures to pg_temp schema. #44409
  • Added audit events for AWS and Azure integration resource actions. #44403
  • Fixed automatic updates with previous versions of the teleport.yaml config. #44379
  • Added support for Rocky and AlmaLinux when enrolling a new server from the UI. #44332
  • Fixed PostgreSQL session playback not rendering query line breaks correctly. #44315
  • Fixed Teleport access plugin tarballs containing a build directory, which was accidentally added upon v16.0.0 release. #44300
  • Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44275
  • The clipboard sharing tooltip for desktop sessions now indicates why clipboard sharing is disabled. #44237
  • Prevented redirects to arbitrary URLs when launching an app. #44188
  • Added a --skip-idle-time flag to tsh play. #44013
  • Added audit events for discovery config actions. #43793
  • Enabled Access Monitoring Rules routing with Mattermost plugin. #43601
  • SAML application can now be deleted from the Web UI. #4778
  • Fixed an Access List permission bug where an access list owner, who is also a member, was not able to add/remove access list members. #4744
  • Fixed a bug in Web UI where clicking the SAML GCP Workforce Identity Federation discover tile would throw an error, preventing use of the guided enrollment feature. #4720
  • Fixed an issue with incorrect yum/zypper updater packages being installed. #4684

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Download the current release of Teleport plugins from the links below.