Release 14.3.28

CHANGELOG.md

@@ -1,5 +1,44 @@
 # Changelog
 
+## 14.3.28 (08/26/24)
+
+### Security fix
+
+#### [High] Stored XSS in SAML IdP
+
+When registering a service provider with SAML IdP, Teleport did not sufficiently
+validate the ACS endpoint. This could allow a Teleport administrator with
+permissions to write saml_idp_service_provider resources to configure a
+malicious service provider with an XSS payload and compromise session of users
+who would access that service provider.
+
+Note: This vulnerability is only applicable when Teleport itself is acting as
+the identity provider. If you only use SAML to connect to an upstream identity
+provider you are not impacted. You can use the tctl get
+saml_idp_service_provider command to verify if you have any Service Provider
+applications registered and Teleport acts as an IdP.
+
+For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
+we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes,
+desktop, application, database and discovery) are not impacted and do not need
+to be updated.
+
+### Other fixes and improvements
+
+* Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. More info can be found at [Migrating unmanaged users](./docs/pages/enroll-resources/server-access/guides/host-user-creation.mdx#migrating-unmanaged-users). [#45796](https://github.com/gravitational/teleport/pull/45796)
+* Fixed host user creation for tsh scp. [#45682](https://github.com/gravitational/teleport/pull/45682)
+* Fixed an issue AWS access fails when the username is longer than 64 characters. [#45657](https://github.com/gravitational/teleport/pull/45657)
+* Remove empty tcp app session recordings. [#45647](https://github.com/gravitational/teleport/pull/45647)
+* Fixed an issue where users created in keep mode could effectively become insecure_drop and get cleaned up as a result. [#45607](https://github.com/gravitational/teleport/pull/45607)
+* Prevent RBAC bypass for new Postgres connections. [#45556](https://github.com/gravitational/teleport/pull/45556)
+* Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. [#45494](https://github.com/gravitational/teleport/pull/45494)
+* Improve the output of `tsh sessions ls`. [#45454](https://github.com/gravitational/teleport/pull/45454)
+
+Enterprise:
+* Fixed issue in Okta Sync that spuriously deletes Okta Applications due to connectivity errors.
+* Fixed an issue in the SAML IdP session which prevented SAML IdP sessions to be consistently updated when users assumed or switched back from the roles granted in the access request.
+* Fixed a stored Cross-Site Scripting (XSS) issue in the SAML IdP authentication flow where a Teleport administrator with a create and update privilege on `saml_idp_service_provider` resource could configure a malicious service provider with an XSS payload and compromise session of users who would access that service provider.
+
 ## 14.3.23 (08/08/24)
 
 * Updated Go toolchain to `1.22.6`. [#45196](https://github.com/gravitational/teleport/pull/45196)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=14.3.23
+VERSION=14.3.28
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.3.23</string>
+		<string>14.3.28</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.3.23</string>
+		<string>14.3.28</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>14.3.23</string>
+		<string>14.3.28</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>14.3.23</string>
+		<string>14.3.28</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/teleport-cluster/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "14.3.23"
+.version: &version "14.3.28"
 
 name: teleport-cluster
 apiVersion: v2

examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "14.3.23"
+.version: &version "14.3.28"
 
 name: teleport-operator
 apiVersion: v2

examples/chart/teleport-cluster/tests/__snapshot__/auth_clusterrole_test.yaml.snap

@@ -8,8 +8,8 @@ adds operator permissions to ClusterRole:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.23
-        helm.sh/chart: teleport-cluster-14.3.23
+        app.kubernetes.io/version: 14.3.28
+        helm.sh/chart: teleport-cluster-14.3.28
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME
     rules:

examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap

@@ -1797,8 +1797,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.23
-        helm.sh/chart: teleport-cluster-14.3.23
+        app.kubernetes.io/version: 14.3.28
+        helm.sh/chart: teleport-cluster-14.3.28
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-auth
       namespace: NAMESPACE

examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap

@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
   1: |
-    image: public.ecr.aws/gravitational/teleport-operator:14.3.23
+    image: public.ecr.aws/gravitational/teleport-operator:14.3.28
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

examples/chart/teleport-cluster/tests/__snapshot__/proxy_config_test.yaml.snap

@@ -567,8 +567,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.23
-        helm.sh/chart: teleport-cluster-14.3.23
+        app.kubernetes.io/version: 14.3.28
+        helm.sh/chart: teleport-cluster-14.3.28
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE

examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap

@@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 14.3.23
-        helm.sh/chart: teleport-cluster-14.3.23
+        app.kubernetes.io/version: 14.3.28
+        helm.sh/chart: teleport-cluster-14.3.28
         teleport.dev/majorVersion: "14"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE
@@ -26,16 +26,16 @@ sets clusterDomain on Deployment Pods:
       template:
         metadata:
           annotations:
-            checksum/config: 0dc9f49f0e96c011ffe822e396b98a2cb33c210b9b7a74cb9896ac1be13a1ff2
+            checksum/config: 536cfdfc42216be0bddd99d57e2769736572017a577ca3c42800194f9d7d38df
             kubernetes.io/pod: test-annotation
             kubernetes.io/pod-different: 4
           labels:
             app.kubernetes.io/component: proxy
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-cluster
-            app.kubernetes.io/version: 14.3.23
-            helm.sh/chart: teleport-cluster-14.3.23
+            app.kubernetes.io/version: 14.3.28
+            helm.sh/chart: teleport-cluster-14.3.28
             teleport.dev/majorVersion: "14"
         spec:
           affinity:
@@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods:
           containers:
           - args:
             - --diag-addr=0.0.0.0:3000
-            image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+            image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
             imagePullPolicy: IfNotPresent
             lifecycle:
               preStop:
@@ -105,7 +105,7 @@ sets clusterDomain on Deployment Pods:
             - wait
             - no-resolve
             - RELEASE-NAME-auth-v13.NAMESPACE.svc.test.com
-            image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+            image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
             name: wait-auth-update
           serviceAccountName: RELEASE-NAME-proxy
           terminationGracePeriodSeconds: 60
@@ -137,7 +137,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       name: wait-auth-update
     - args:
       - echo test
@@ -194,7 +194,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -255,7 +255,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -306,7 +306,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -374,7 +374,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -407,7 +407,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -475,7 +475,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -515,7 +515,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -583,7 +583,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v13.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:14.3.23
+      image: public.ecr.aws/gravitational/teleport-distroless:14.3.28
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false

examples/chart/teleport-kube-agent/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "14.3.23"
+.version: &version "14.3.28"
 
 name: teleport-kube-agent
 apiVersion: v2