github gravitational/teleport v9.3.4
Teleport 9.3.4

2 years ago

Description

This release of Teleport contains multiple security fixes, bug fixes and improvements.

Escalation attack in agent forwarding

When setting up agent forwarding on the node, Teleport did not handle unix socket creation in a secure manner.

This could have given a potential attacker an opportunity to get Teleport to change arbitrary file permissions to the attacker’s user.

Websockets CSRF

When handling websocket requests, Teleport did not verify that the provided Bearer token was generated for the correct user.

This could have allowed a malicious low-privileged Teleport user to use a social engineering attack to gain higher-privileged access on the same Teleport cluster.

Denial of service in access requests

When accepting an access request, Teleport did not enforce the maximum request reason size.

This could allow a malicious actor to mount a DoS attack by creating an access request with a very large request reason.

Auth bypass in moderated sessions

When initializing a moderated session, Teleport did not discard participants' input prior to the moderator joining.

This could prevent a moderator from being able to interrupt a malicious command executed by a participant.
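
The control described above, sketched as an added example (not Teleport's own code): a writer placed between the participant's terminal and the session that discards, rather than forwards or queues, anything typed before a moderator is present. The names gatedInput, ModeratorJoined and replay are hypothetical, and the keystrokes are constructed sample input.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"sync"
)

// gatedInput sits between a participant's stdin and the session.
// Hypothetical type for illustration only.
type gatedInput struct {
	mu        sync.Mutex
	dst       io.Writer // the session's input stream
	moderated bool      // true once a moderator has joined
	dropped   int       // bytes discarded while unmoderated
}

// Write reports success to the caller in both cases so the participant's
// client does not stall, but bytes typed before a moderator joined are
// thrown away instead of being forwarded or queued for later delivery.
func (g *gatedInput) Write(p []byte) (int, error) {
	g.mu.Lock()
	defer g.mu.Unlock()
	if !g.moderated {
		g.dropped += len(p)
		return len(p), nil
	}
	return g.dst.Write(p)
}

// ModeratorJoined opens the gate; nothing typed earlier is replayed.
func (g *gatedInput) ModeratorJoined() {
	g.mu.Lock()
	defer g.mu.Unlock()
	g.moderated = true
}

// replay feeds a constructed keystroke sequence through the gate and
// returns what reached the session and how many bytes were discarded.
func replay() (string, int) {
	var session bytes.Buffer
	g := &gatedInput{dst: &session}
	g.Write([]byte("echo pre-join\n")) // typed before any moderator
	g.ModeratorJoined()
	g.Write([]byte("ls\n")) // typed under moderation
	return session.String(), g.dropped
}

func main() {
	forwarded, dropped := replay()
	fmt.Printf("forwarded=%q dropped=%d\n", forwarded, dropped)
}
```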

Actions

We recommend upgrading Auth, Proxy, SSH and Kubernetes agents.

Users should back up the Teleport cluster, then follow the standard Teleport upgrade procedure.

Other fixes

  • Fixed issue with stdin hijacking when per-session MFA is enabled. #13212
  • Added support for automatic tags import when running on AWS EC2. #12593
  • Added ability to use multiple redirect URLs in OIDC connectors. #13046
  • Fixed issue with ANSI escape sequences being broken when using tsh on Windows. #13221
  • Fixed issue with tsh ssh printing extra error upon exit if last command was unsuccessful. #12903
  • Added support for Proxy Protocol v2 in MySQL proxy. #12993
  • Upgraded to Go v1.17.11. #13104
  • Added Windows desktops labeling based on their LDAP attributes. #13238
  • Improved performance when listing resources for users with many roles. #13263

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
