Description
Security Fixes
- Fixed a security issue with arbitrary file reads on SSH nodes. #52138
- Verify that the cluster name in TLS peer certificates matches the cluster name of the CA that issued them, to prevent auth bypasses. #52132
Other fixes and improvements
- Removed the ability of `tctl` to load the default configuration file on Windows. #52190
- Moved the PostgreSQL auto user provisioning procedures to the `pg_temp` schema. #52150
- Applied `TELEPORT_UNSTABLE_DISABLE_AWS_FIPS` to IAM and STS credentials. #52134
- Fixed graceful closing of networking subprocesses when the Teleport parent process is gracefully closed (SIGQUIT). #52117
- Updated Go to 1.23.6. #52087
- Updated OpenSSL to 3.0.16. #52039
- Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51941
- Client tools managed updates require a base URL for the open-source build type. #51934
- Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (`TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes`). #51932
- Added a securityContext value to the tbot Helm chart. #51909
- Teleport agents always create the `debug.sock` UNIX socket. The configuration field `debug_service.enabled` now controls whether the debug and metrics endpoints are available via the UNIX socket. #51890
- Updated Go to 1.22.12. #51837
- Improved instance.join event error messaging. #51781
- Added support for caching Microsoft Remote Desktop Services licenses. #51686
- Added Audit Log statistics to `tctl top`. #51656
- Fixed an issue where the Postgres backend would drop App Access events. #51645
- Fixed a rare crash that could happen with a malformed SAML connector. #51636
- Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51604
- Quoted the `KUBECONFIG` environment variable output by the `tsh proxy kube` command. #51525
- Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51482
- Added support for continuous profile collection with Pyroscope. #51480
- Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51456
- Fixed an issue that prevented IPs provided in the `X-Forwarded-For` header from being honored in some scenarios when `TrustXForwardedFor` is enabled. #51425
- Added support for multiple active CAs in the `/auth/export` endpoint. #51420
- Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51401
- Added support for multiple active CAs in `tctl auth export`. #51377
- Added more granular audit logging surrounding SSH port forwarding. #51327
Enterprise:
- Removed Desktop Access support in arm64 FIPS builds.
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack Linux amd64 | Linux arm64
- Mattermost Linux amd64 | Linux arm64
- Discord Linux amd64 | Linux arm64
- Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
- Event Handler Linux amd64 | Linux arm64 | macOS amd64
- PagerDuty Linux amd64 | Linux arm64
- Jira Linux amd64 | Linux arm64
- Email Linux amd64 | Linux arm64
- Microsoft Teams Linux amd64 | Linux arm64
labels: security-patch=yes,security-patch-alts=v15.4.27