github gravitational/teleport v12.4.28
Teleport 12.4.28

11 months ago

Security Fixes

[Medium] Arbitrary code execution with LD_PRELOAD and SFTP

Teleport implements SFTP using a subcommand. Prior to this release it was
possible to inject environment variables into the execution of this
subcommand, via shell init scripts or via the SSH environment request.

This is addressed by preventing LD_PRELOAD and other dangerous environment
variables from being forwarded during re-exec.

#34276

[Medium] Outbound SSH from Proxy can lead to IP spoofing

If the Teleport auth or proxy services are configured to accept PROXY
protocol headers, a malicious actor can use this to spoof their IP address.

This is addressed by requiring that the first bytes of any SSH connection are
the SSH protocol prefix, denying a malicious actor the opportunity to send their
own proxy headers.

#33731
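An added illustration of the check described in this fix (example code written for these notes, not Teleport's own implementation): a Go guard that peeks at an accepted connection and refuses to proceed unless it opens with the RFC 4253 identification prefix, so a client can never be the one supplying a PROXY-protocol header. The sample inputs are constructed and use documentation addresses.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"io"
)

// sshPrefix is the start of the identification string that RFC 4253 requires
// every SSH peer to send first ("SSH-protoversion-softwareversion").
const sshPrefix = "SSH-"
var errNotSSH = errors.New("connection did not begin with the SSH protocol prefix")

// requireSSHPrefix peeks at the first bytes of an accepted connection (in
// production the reader is the net.Conn) and rejects anything that is not an
// SSH identification string. Because the check runs before any PROXY-protocol
// parsing, a client cannot put its own "PROXY ..." header, and with it a
// spoofed source address, ahead of the handshake. The returned reader still
// yields the peeked bytes, so the SSH handshake proceeds on it unchanged.
func requireSSHPrefix(r io.Reader) (io.Reader, error) {
	br := bufio.NewReader(r)
	head, err := br.Peek(len(sshPrefix))
	if err != nil && !errors.Is(err, io.EOF) {
		return nil, fmt.Errorf("reading connection preamble: %w", err)
	}
	// A short read (EOF before four bytes) also fails the prefix test.
	if !bytes.HasPrefix(head, []byte(sshPrefix)) {
		return nil, errNotSSH
	}
	return br, nil
}

func main() {
	// Constructed samples: a genuine SSH client banner, and a connection that
	// tries to deliver a PROXY header (documentation addresses) before it.
	samples := []string{
		"SSH-2.0-OpenSSH_9.3\r\n",
		"PROXY TCP4 203.0.113.5 198.51.100.9 40000 22\r\nSSH-2.0-OpenSSH_9.3\r\n",
	}
	for _, s := range samples {
		if _, err := requireSSHPrefix(bytes.NewReader([]byte(s))); err != nil {
			fmt.Printf("rejected %q: %v\n", s[:10], err)
			continue
		}
		fmt.Printf("accepted %q\n", s[:10])
	}
}
```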

Third-party Security Fixes

  • Updated go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc dependency
    • otelgrpc DoS vulnerability due to unbound cardinality metrics: CVE-2023-47108

Other Fixes & Improvements

  • Increased the maximum width of the console tabs in the web UI. #34649
  • Prevented .tsh/environment values from overriding previously set values. #34624
  • Fixed incorrect permissions when opening the X11 listener. #34615
  • Fixed access requests to respect explicit deny rules. #34599
  • Improved the error message when attempting to enroll a hardware key that cannot support passwordless. #34591
  • Added the post-review state of an Access Request to the audit log description. #34215
  • Updated Operator Reconciliation to skip the Teleport Operator on status updates. #34197
  • Updated the Server Auto-Discovery installer script to use bash instead of sh. #34150
  • Fixed the Azure Identity federated Application ID. #33958
  • Fixed an issue where Kubernetes Audit Events reported incorrect information in the exec audit. #33950
  • Fixed an issue where tsh aws ecs execute-command would always fail. #33831
  • Fixed formatting errors on empty result sets in tsh. #33725
  • Teleport Operator now caches and re-uses Teleport connections where possible. #34451
  • Improved PostgreSQL Statement Bind audit log events by encoding binary params in base64. #34451
  • Fixed cleanup of unused GCP KMS keys. #34470

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.


labels: security-patch=yes
