Releases: gravitational/teleport

Teleport 15.1.5

16 Mar 03:33
a179d07

Description

  • Improve error messaging when creating resources fails because they already exist or updating resources fails because they were removed. #39395
  • The audit entry for access_request.search will now truncate the list of roles in the audit UI if it exceeds 80 characters. #39372
  • Re-enable AWS IMDSv1 fallback due to some EKS clusters having their IMDSv2 hop limit set to 1, leading to IMDSv2 requests failing. Users who wish to keep IMDSv1 fallback disabled can set the AWS_EC2_METADATA_V1_DISABLED environment variable. #39366
  • Only allow necessary operations during moderated file transfers and limit in-flight file transfer requests to one per session. #39351
  • Make the Jira access plugin log Jira errors properly. #39346
  • Fixed an issue that allowed an invalid access request start time to be set. #39322
  • Teleport Enterprise now attempts to load the license file from the configured data directory if not otherwise specified. #39314
  • Improve the security for MFA for Admin Actions when used alongside Hardware Key support. #39306
  • The saml_idp_service_provider spec adds a new preset field that can be used to specify a predefined SAML service provider profile. #39277
  • Fixed a bug that caused some MFA for Admin Action flows to fail instead of retrying, e.g. tctl bots add --token=<token>. #39269

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Teleport 13.4.18

13 Mar 22:37
f57c5eb

Description

  • Patched CVE-2024-27304 (Postgres driver). #39263
  • Raised the concurrent connection limits between Teleport Cloud regions and in clusters that use proxy peering. #39231
  • Improved the clean up of system resources during a fast shutdown of Teleport. #39214
  • Fixed an issue where it was possible to skip providing the old password when setting a new one. #39125
  • Fixed a bug when using automatic updates and the discovery service. The default install script now installs the correct teleport version by querying the version server. #39103
  • Fixed a regression where tsh kube credentials fails to re-login when credentials expire. #39073
  • Expanded the EC2 joining process to include newly created AWS regions. #39053
  • Added GCP MySQL access IAM Authentication support. #39042
  • Updated Go to 1.21.8. #38986
  • Updated electron-builder dependency to address possible arbitrary code execution in the Windows installer of Teleport Connect (CVE-2024-27303). #38967
  • Fixed an issue with overcounting of reported Teleport updater metrics. #38833
  • Fixed a bug that caused tsh to return "private key policy not met" errors instead of automatically initiating re-login to satisfy the private key policy. #38817
  • Fixed issue where DynamoDB writes could fail when recording too many records. #38761

Teleport 15.1.4

13 Mar 01:37
5a0a10d

Description

  • Raised concurrent connection limits between Teleport Cloud regions and in clusters that use proxy peering. #39233
  • Improved clean up of system resources during a fast shutdown of Teleport. #39211
  • Resolved sporadic errors caused by requests that failed to comply with the Kubernetes API spec by not specifying resource identifiers. #39168
  • Added a new password change wizard. #39124
  • Fixed the NumLock and Pause keys for Desktop Access sessions not working. #39095

Teleport 14.3.7

12 Mar 02:17
73e0f43

Description

  • Resolved sporadic errors caused by requests that failed to comply with the Kubernetes API spec by not specifying resource identifiers. #39167
  • Fixed a bug when using automatic updates and the discovery service. The default install script now installs the correct Teleport version by querying the version server. #39100
  • Teleport Proxy Service now runs a version server by default serving its own version. #39096
  • Fixed a regression where tsh kube credentials fails to re-login when credentials expire. #39074
  • TBot now supports --proxy-server for explicitly configuring the Proxy address. We recommend switching to this if you currently specify the address of your Teleport proxy to --auth-server. #39056
  • Expanded the EC2 joining process to include newly created AWS regions. #39052
  • Added GCP MySQL access IAM Authentication support. #39041
  • Fixed an issue in the SAML IdP entity descriptor generator process, which would fail to generate the entity descriptor if the configured Entity ID endpoint returned an HTTP status code above 200 and below 400. #38988
  • Updated Go to 1.21.8. #38985
  • Updated electron-builder dependency to address possible arbitrary code execution in the Windows installer of Teleport Connect (CVE-2024-27303). #38966
  • Improved reliability and performance of tbot. #38929
  • Filtered terminated sessions from the tsh sessions ls output. #38886
  • Prevented panic when AccessList's status field is not set. #38862
  • Fixed an issue with overcounting of reported Teleport updater metrics. #38832
  • Fixed a bug that caused tsh to return "private key policy not met" errors instead of automatically initiating re-login to satisfy the private key policy. #38818
  • Fixed application access events being overwritten when using DynamoDB as event storage. #38816
  • Fixed issue where DynamoDB writes could fail when recording too many records. #38762
  • Added a tbot-only tbot-distroless container image, bringing an 80% size reduction over the Teleport teleport image. #38719
  • Fixed a Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38542
  • tsh will now show access list review deadlines as dates rather than remaining hours. #38526
  • Fixed an issue where tsh would not function if one of its profiles is invalid. #38513
  • Fixed an issue where teleport configure command logs would not use the configured logger. #38509
  • Removed telnet from legacy Ubuntu images due to CVE-2021-40491. Netcat (nc) can be used instead. #38506
  • Fixed a tsh WebAuthn.dll panic on Windows Server 2019. #38489
  • Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38395
  • Fixed a bug which allowed the operator to delete resources it does not own. #37751

Teleport 15.1.3

08 Mar 23:37
c9d69ba

Description

  • Fix a bug when using automatic updates and the discovery service. The default install script now installs the correct teleport version by querying the version server. #39099
  • Fix a regression where tsh kube credentials fails to re-login when credentials expire. #39075
  • TBot now supports --proxy-server for explicitly configuring the Proxy address. We recommend switching to this if you currently specify the address of your Teleport proxy to --auth-server. #39055
  • Expand the EC2 joining process to include newly created AWS regions. #39051
  • Added GCP MySQL access IAM Authentication support. #39040
  • Fixed compatibility of the Teleport service file with older versions of systemd. #39032
  • Update WebUI database connection instructions. #39027
  • Teleport Proxy Service now runs a version server by default serving its own version. #39017
  • Significantly reduced latency of network calls in Teleport Connect. #39012
  • SPIFFE SVID generation introduced to tbot (experimental). #39011
  • Added the tsh workload issue command for issuing SVIDs using tsh. #39115
  • Fixed an issue in the SAML IdP entity descriptor generator process, which would fail to generate the entity descriptor if the configured Entity ID endpoint returned an HTTP status code above 200 and below 400. #38987
  • Updated Go to 1.21.8. #38983
  • Updated electron-builder dependency to address possible arbitrary code execution in the Windows installer of Teleport Connect (CVE-2024-27303). #38964
  • Fixed an issue where it was possible to skip providing the old password when setting a new one. #38962
  • Added database permission management support for Postgres. #38945
  • Improved reliability and performance of tbot. #38928
  • Filter terminated sessions from the tsh sessions ls output. #38887
  • Make it easier to identify Teleport browser tabs by placing the session information before the cluster name. #38737
  • The teleport-ent-upgrader package now gracefully restarts the Teleport binary if possible, to avoid cutting off ongoing connections. #3578
  • Trusted device authentication failures may now include a brief explanation message in the corresponding audit event. #3572
  • Okta access lists sync will now sync groups without members. #3636

Teleport 15.1.1

02 Mar 02:30
33b3ad2

Description

  • Fixed panic when an older tsh or proxy changes an access list. #38861
  • SSH connection resumption now works during graceful upgrades of the Teleport agent. #38842
  • Fixed an issue with overcounting of reported Teleport updater metrics. #38831
  • Fixed tsh returning "private key policy not met" errors instead of automatically initiating re-login to satisfy the private key policy. #38819
  • Made graceful shutdown and graceful restart terminate active sessions after 30 hours. #38803
  • The teleport-ent-upgrader package now gracefully restarts the Teleport binary if possible, to avoid cutting off ongoing connections. #3578 (next release)

Teleport 15.1.0

01 Mar 03:11
dd90efd

New Features

Standalone tbot Docker image

We now ship a new container image that contains tbot but omits other Teleport binaries, providing a light-weight option for Machine ID users.

Custom mouse pointers for remote desktop sessions

Teleport remote desktop sessions now automatically change the mouse cursor depending on context (when hovering over a link, resizing a window, or editing text, for example).

Synchronization of Okta groups and apps

The Okta integration now supports automatic synchronization of Okta groups and app assignments to Teleport as access lists, giving users the ability to request access to Okta apps without extra configuration.

EKS auto-discovery in Access Management UI

Users going through the EKS enrollment flow in the Access Management web UI now have an option to enable auto-discovery for EKS clusters.

Other changes

  • Fixed application access events being overwritten when using DynamoDB as event storage. #38815
  • Fixed a regression that had reintroduced long freezes for certain actions like "Run as different user". #38805
  • When teleport is configured to require MFA for admin actions, MFA is required to get certificate authority secrets. Ex: tctl auth export --keys or tctl get cert_authority/host/root.example.com --with-secrets. #38777
  • Added auto-enrolling capabilities to EKS discover flow in the web UI. #38773
  • Heavily optimized the Access List page in the UI, speeding things up considerably. #38764
  • Align DynamoDB BatchWriteItem max items limit. #38763
  • tbot-distroless image is now published. This contains just the tbot binary and therefore has a smaller image size. #38718
  • Fixed a regression with Teleport Connect not showing the re-login reason and connection errors when accessing databases, Kube clusters, and apps with an expired cert. #38716
  • Re-enabled the Windows key and prevented it from sticking or otherwise causing problems when cmd+tab-ing or alt+tab-ing away from the browser during desktop sessions. #38699
  • Resource limits are now correctly applied to the wait-auth-update initContainer in the teleport-cluster Helm chart. #38692
  • When teleport is configured to require MFA for admin actions, MFA is required to create, update, or delete trusted clusters. #38690
  • Fixed error in tctl get users --with-secrets when using SSO. #38663
  • When device trust is required and MFA is optional, users will need to add their first MFA device from a trusted device. #38657
  • Temporary files are no longer created during Discover UI EKS cluster enrollment. #38649
  • When teleport is configured to require MFA for admin actions, MFA is required to get or list tokens with tctl. Ex: tctl tokens ls or tctl get tokens/foo. #38645
  • Implemented dynamic mouse pointer updates to reflect context-specific actions, e.g. window resizing. #38614
  • MFA approval is no longer required in the beginning of EKS Discover flow. #38580
  • Fixed Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38543
  • Fixed incorrect color of resource cards after changing the theme in Web UI and Connect. #38537
  • Updated the dialog for adding new authentication methods in the account settings screen. #38535
  • tsh now displays access list review deadlines as dates rather than remaining hours. #38525
  • Ensure that tsh continues to function if one of its profiles is invalid. #38514
  • Fixed logging output for teleport configure ... commands. #38508
  • Fixed tsh/WebAuthn.dll panic on Windows Server 2019. #38490
  • Fixes an issue that prevented the Web UI from properly displaying the hostname of servers in leaf clusters. #38469
  • Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38394
  • Fixed a bug that could cause expired SSH servers to appear in the Web UI until the Proxy is restarted. #38310
  • Desktops can now be configured to use the same screen resolution for all sessions. #38307
  • The maximum duration for an access request is now 14 days; the okta-requester role, which takes advantage of this, has been added. #38224
  • Added TLS routing native WebSocket connection upgrade support. #38108
  • Fixed a bug allowing the operator to delete resources it does not own. #37750

Teleport 13.4.17

01 Mar 00:32
448ea85

Description

  • tbot-distroless image is now published. This contains just the tbot binary and therefore has a smaller image size. #38720
  • Fixed Postgres v16.x compatibility issue preventing multiple connections for auto-provisioned users. #38541
  • Ensured that tsh continues to function if one of its profiles is invalid. #38512
  • Fixed logging output for teleport configure ... commands. #38510
  • Removed telnet from legacy Ubuntu OCI due to CVE-2021-40491. Use nc instead. #38507
  • Fixed tsh/WebAuthn.dll panic on Windows Server 2019. #38488
  • Added ssh_service.enhanced_recording.root_path configuration option to change the cgroup slice path used by the agent. #38396
  • Fixed a potential panic in the tsh status command. #38303
  • Optionally permit the auth server to terminate client connections from unsupported versions. #38187
  • Force agents to terminate Auth connections if joining fails. #38003
  • Improved error handling when idle desktop connections are terminated. #37957
  • Updated Go to 1.21.7. #37849
  • Fixed an app redirection loop in the browser's incognito mode and when third-party cookies are blocked. #37698
  • Fixed a database lateral movement exploit if a self-hosted database host is compromised, see Database CA Migrations. #35951


labels: security-patch=yes

Teleport 14.3.6

17 Feb 04:28
aece625

Description

  • Fixed a potential panic in the tsh status command. #38304
  • Fixed SSO user locking in the setup access step of the RDS auto discover flow in the web UI. #38284
  • Optionally permit the auth server to terminate client connections from unsupported versions. #38186
  • Removed access tokens from URL parameters, preventing them from being leaked to intermediary systems that may log them in plaintext. #38070
  • Added option to validate hardware key serial numbers with hardware key support. #38069
  • Forced agents to terminate Auth connections if joining fails. #38004
  • Added a tsh sessions ls command to list active sessions. #37970
  • Improved error handling when idle desktop connections are terminated. #37956
  • Updated Go to 1.21.7. #37848
  • Discover flow now starts two instances of DatabaseServices when setting up access to Amazon RDS. #37804
  • Fixed incorrect resizing of CLI apps in Teleport Connect on Windows. #37799
  • Fixed handling of non-registered U2F keys. #37722
  • Fixed memory leak in tbot caused by never closing reverse tunnel address resolvers. #37719
  • Fixed an app redirection loop in the browser's incognito mode and when third-party cookies are blocked. #37692

Teleport 15.0.2

16 Feb 22:51
520f79d

Description

  • Fixed a potential panic in the tsh status command. #38305
  • Fixed SSO user locking in the setup access step of the RDS auto discover flow in the web UI. #38283
  • Optionally permit the auth server to terminate client connections from unsupported versions. #38182
  • Fixed Assist obstructing the user dropdown menu when in docked mode. #38156
  • Improved the stability of Teleport during graceful upgrades. #38145
  • Added the ability to view and manage Machine ID bots from the UI. #38122
  • Fixed a bug that prevented desktop clipboard sharing from working when large amounts of text are placed on the clipboard. #38120
  • Added option to validate hardware key serial numbers with hardware key support. #38068
  • Removed access tokens from URL parameters, preventing them from being leaked to intermediary systems that may log them in plaintext. #38032
  • Forced agents to terminate Auth connections if joining fails. #38005
  • Added a tsh sessions ls command to list active sessions. #37969
  • Improved error handling when idle desktop connections are terminated. #37955
  • Updated Go to 1.21.7. #37846
  • Discover flow now starts two instances of DatabaseServices when setting up access to Amazon RDS. #37805
