github gravitational/teleport v16.5.13
Teleport 16.5.13

2 months ago

Description

Security fixes

This release also includes fixes for the following security issues:

[Critical] Remote authentication bypass

  • Removed special handling for *ssh.Certificate authorities in the IsHostAuthority and IsUserAuthority callbacks used by x/crypto/ssh.CertChecker. #56253

Resolved an issue that allowed remote SSH authentication bypass on servers with Teleport SSH agents, OpenSSH-integrated deployments and Teleport Git proxy deployments. CVE-2025-49825. Refer to the RCA for the full details.

Other fixes and improvements

  • Trait role templating is now supported in the workload_identity_labels Role resource field. #56298
  • Updated the WindowsDesktop and WindowsDesktopService APIs to use pagination to avoid exceeding message size limitations. #56233
  • Fixed duplicated entries in tctl inventory list when using DynamoDB as cluster state storage. #56183
  • Fixed an issue that could prevent Windows desktop sessions from terminating when the idle timeout was exceeded. #56049
  • Added the teleport-update status --is-up-to-date flag to change the return code based on the update status. #55951
  • Fixed Hardware Key Support for YubiKey firmware versions 5.7.x. #55902
  • Fixed an error when creating or updating join tokens in the web UI when admin action is enabled (second_factor set to webauthn). #55852
  • Fixed a memory leak in Kubernetes Access caused by resources not being cleaned up when clients terminate watch streams. #55768
  • Fixed a bug that could cause Kubernetes exec requests to fail when the Kubernetes cluster had the WebSocket-based exec protocol disabled. #55733
  • Fixed an issue where the output from tctl sso configure github could not be used with tctl create -f in OSS Teleport. #55728
  • Fixed an issue that prevented changes to default shell from propagating for host users and static host users. #55649
  • Updated Go to 1.23.10. #55603
  • Fixed updating the default PIN and PUK for hardware key support in Teleport Connect. #55509
  • The tbot client now ensures the O_CLOEXEC flag is used when opening files on Linux hosts. #55504

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.


labels: security-patch=yes,security-patch-alts=v16.5.12
