github gravitational/teleport v12.4.23
Teleport 12.4.23

13 months ago

Security fixes

  • Updated golang.org/x/net dependency. #33448
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated google.golang.org/grpc to v1.57.1. #33487
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated Go library dependencies. #33544
    • crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb: CVE-2023-28119
    • Snowflake Golang Driver vulnerable to Command Injection: CVE-2023-34231
    • Docker Swarm encrypted overlay network may be unauthenticated: CVE-2023-28840
    • Docker Swarm encrypted overlay network traffic may be unencrypted: CVE-2023-28841
    • Docker Swarm encrypted overlay network with a single endpoint is unauthenticated: CVE-2023-28842
  • Updated OpenTelemetry dependency. #33552
    • OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142
  • Updated JS dependencies. #33426 #33467
    • Regular Expression Denial of Service in trim: CVE-2020-7753
    • semver vulnerable to Regular Expression Denial of Service: CVE-2022-25883
    • word-wrap vulnerable to Regular Expression Denial of Service: CVE-2023-26115
    • xmldom allows multiple root nodes in a DOM: CVE-2022-39353
    • loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS): CVE-2022-37599
    • Prototype pollution in webpack loader-utils: CVE-2022-37601
    • loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable: CVE-2022-37603
    • Prototype pollution in Plist before 3.0.5 can cause denial of service: CVE-2022-22912
    • decode-uri-component vulnerable to Denial of Service (DoS): CVE-2022-38900
    • Cross-realm object access in Webpack 5: CVE-2023-28154
    • Prototype Pollution in JSON5 via Parse Method: CVE-2022-46175
    • http-cache-semantics vulnerable to Regular Expression Denial of Service: CVE-2022-25881
    • Exposure of sensitive information in follow-redirects: CVE-2022-0155
    • node-fetch forwards secure headers to untrusted sites: CVE-2022-0235
    • Exposure of Sensitive Information to an Unauthorized Actor in nanoid: CVE-2021-23566
    • Terser insecure use of regular expressions leads to ReDoS: CVE-2022-25858
  • Updated babel/core to 7.3.2. #33445
    • Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133

Other fixes and improvements

  • Fixed failure to connect to OpenSSH nodes when tracing is enabled. #33594
  • Web SSH sessions are terminated right away when a user closes the tab. #33535
  • Added support for Windows AD root domain for PKI operations. #33395

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes
