Description
This release contains two security fixes, plus numerous other fixes and improvements.
Security Fixes
[Medium] Arbitrary code execution with LD_PRELOAD and SFTP
Teleport implements SFTP using a subcommand. Prior to this release it was
possible to inject environment variables into the execution of this
subcommand, via shell init scripts or via the SSH environment request.
This is addressed by preventing LD_PRELOAD and other dangerous environment
variables from being forwarded during re-exec.
[Medium] Outbound SSH from Proxy can lead to IP spoofing
If the Teleport auth or proxy services are configured to accept PROXY
protocol headers, a malicious actor can use this to spoof their IP address.
This is addressed by requiring that the first bytes of any SSH connection are
the SSH protocol prefix, denying a malicious actor the opportunity to send their
own proxy headers.
Other Fixes & Improvements
- Updated Operator Reconciliation to skip Teleport Operator on status updates #34196
- Updated Kube Agent Auto-Discovery to install the Teleport version provided by Automatic Upgrades #34158
- Updated Server Auto-Discovery installer script to use
bashinstead ofsh#34143 - When a promotable Access Request targets a resource that belongs to an Access List, owners of that list will now automatically be added as reviewers. #34130
- Fixed issue where an auto-provisioned PostgreSQL user may keep old roles indefinitely #34120
- Fixed incorrectly set file mode for Windows TPM files #34114
- Fixed Azure Identity federated Application ID #33959
- Fixed issue where Kubernetes Audit Events reported incorrect information in the exec audit #33951
- Added support for formatting hostname as
host:porttotsh puttyconfig#33884 - Fixed various Access List bookkeeping issues #33835
- Fixed issue where
tsh aws ecs execute-commandwould always fail #33832
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes