Release 13.4.26 (#41998)

CHANGELOG.md

@@ -1,5 +1,75 @@
 # Changelog
 
+## 13.4.26 (05/25/24)
+
+This release contains fixes for several high-severity security issues, as well
+as numerous other bug fixes and improvements.
+
+### Security Fixes
+
+* **[High]** Fixed unrestricted redirect in SSO Authentication. Teleport didn’t
+  sufficiently validate the client redirect URL. This could allow an attacker to
+  trick Teleport users into performing an SSO authentication and redirect to an
+  attacker-controlled URL allowing them to steal the credentials. [#41834](https://github.com/gravitational/teleport/pull/41834).
+
+* **[High]** Fixed CockroachDB authorization bypass. When connecting to
+  CockroachDB using Database Access, Teleport did not properly consider the
+  username case when running RBAC checks. As such, it was possible to establish
+  a connection using an explicitly denied username when using a different case.
+  [#41825](https://github.com/gravitational/teleport/pull/41825).
+
+* **[High]** Fixed Long-lived connection persistence issue with expired
+  certificates. Teleport did not terminate some long-running mTLS-authenticated
+  connections past the expiry of client certificates for users with the
+  `disconnect_expired_cert` option. This could allow such users to perform
+  some API actions after their certificate has expired. [#41829](https://github.com/gravitational/teleport/pull/41829).
+
+* **[High]** Fixed PagerDuty integration privilege escalation. When creating a
+  role access request, Teleport would include PagerDuty annotations from the
+  entire user’s role set rather than a specific role being requested. For users
+  who run multiple PagerDuty access plugins with auto-approval, this could
+  result in a request for a different role being inadvertently auto-approved 
+  than the one which corresponds to the user’s active on-call schedule. [#41831](https://github.com/gravitational/teleport/pull/41831).
+
+* **[High]** Fixed SAML IdP session privilege escalation. When using Teleport as
+  SAML IdP, authorization wasn’t properly enforced on the SAML IdP session
+  creation. As such, authenticated users could use an internal API to escalate
+  their own privileges by crafting a malicious program. [#41849](https://github.com/gravitational/teleport/pull/41849).  
+
+We strongly recommend all customers upgrade to the latest releases of Teleport.
+
+### Other fixes and improvements
+
+* Fixed access request annotations when annotations contain globs, regular
+  expressions, trait expansions, or `claims_to_roles` is used. [#41938](https://github.com/gravitational/teleport/pull/41938).
+* Fixed session upload completion with large number of simultaneous session
+  uploads. [#41852](https://github.com/gravitational/teleport/pull/41852).
+* Stripped debug symbols from Windows builds, resulting in smaller `tsh` and
+  `tctl` binaries. [#41838](https://github.com/gravitational/teleport/pull/41838).
+* Added read-only permissions for cluster maintenance config. [#41792](https://github.com/gravitational/teleport/pull/41792).
+* Simplified how Bots are shown on the Users list page. [#41738](https://github.com/gravitational/teleport/pull/41738).
+* Fixed missing variable and script options in Default Agentless Installer 
+  script. [#41721](https://github.com/gravitational/teleport/pull/41721).
+* Added remote address to audit log events emitted when a Bot or Instance join 
+  completes, successfully or otherwise. [#41698](https://github.com/gravitational/teleport/pull/41698).
+* Upgraded application heartbeat service to support 1000+ dynamic applications. [#41628](https://github.com/gravitational/teleport/pull/41628).
+* Fixed `systemd` unit to always restart Teleport on failure unless explicitly
+  stopped. [#41583](https://github.com/gravitational/teleport/pull/41583).
+* Updated Teleport package installers to reload Teleport service config after
+  upgrades. [#41549](https://github.com/gravitational/teleport/pull/41549).
+* Fixed WebUI SSH connection leak when browser tab closed during SSH connection
+  establishment.  [#41520](https://github.com/gravitational/teleport/pull/41520)
+* Added "login failed" audit events for invalid passwords on password+webauthn
+  local authentication. [#41435](https://github.com/gravitational/teleport/pull/41435)
+* Allow setting Kubernetes Cluster name when using non-default addresses. [#41356](https://github.com/gravitational/teleport/pull/41356).
+* Added support to automatically download CA for MongoDB Atlas databases. [#41340](https://github.com/gravitational/teleport/pull/41340).
+* Added validation for application URL extracted from the web application
+  launcher request route. [#41306](https://github.com/gravitational/teleport/pull/41306).
+* Allow defining custom database names and users when selecting wildcard during
+  test connection when enrolling a database through the web UI. [#41303](https://github.com/gravitational/teleport/pull/41303).
+* Updated user management to explicitly deny password resets and local logins to 
+  SSO users. [#41272](https://github.com/gravitational/teleport/pull/41272).
+
 ## 13.4.24 (05/07/24)
 
 * Fix a bug that was preventing tsh proxy kube certificate renewal from working when accessing a leaf kubernetes cluster via the root. [#41159](https://github.com/gravitational/teleport/pull/41159)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=13.4.24
+VERSION=13.4.26
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>13.4.24</string>
+		<string>13.4.26</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>13.4.24</string>
+		<string>13.4.26</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>13.4.24</string>
+		<string>13.4.26</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>13.4.24</string>
+		<string>13.4.26</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/teleport-cluster/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "13.4.24"
+.version: &version "13.4.26"
 
 name: teleport-cluster
 apiVersion: v2

examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "13.4.24"
+.version: &version "13.4.26"
 
 name: teleport-operator
 apiVersion: v2

examples/chart/teleport-cluster/tests/__snapshot__/auth_config_test.yaml.snap

@@ -1797,8 +1797,8 @@ sets clusterDomain on Configmap:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 13.4.24
-        helm.sh/chart: teleport-cluster-13.4.24
+        app.kubernetes.io/version: 13.4.26
+        helm.sh/chart: teleport-cluster-13.4.26
         teleport.dev/majorVersion: "13"
       name: RELEASE-NAME-auth
       namespace: NAMESPACE

examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap

@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
   1: |
-    image: public.ecr.aws/gravitational/teleport-operator:13.4.24
+    image: public.ecr.aws/gravitational/teleport-operator:13.4.26
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
@@ -41,7 +41,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -174,7 +174,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -271,7 +271,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -357,7 +357,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap

@@ -11,8 +11,8 @@ sets clusterDomain on Deployment Pods:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-cluster
-        app.kubernetes.io/version: 13.4.24
-        helm.sh/chart: teleport-cluster-13.4.24
+        app.kubernetes.io/version: 13.4.26
+        helm.sh/chart: teleport-cluster-13.4.26
         teleport.dev/majorVersion: "13"
       name: RELEASE-NAME-proxy
       namespace: NAMESPACE
@@ -34,8 +34,8 @@ sets clusterDomain on Deployment Pods:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-cluster
-            app.kubernetes.io/version: 13.4.24
-            helm.sh/chart: teleport-cluster-13.4.24
+            app.kubernetes.io/version: 13.4.26
+            helm.sh/chart: teleport-cluster-13.4.26
             teleport.dev/majorVersion: "13"
         spec:
           affinity:
@@ -44,7 +44,7 @@ sets clusterDomain on Deployment Pods:
           containers:
           - args:
             - --diag-addr=0.0.0.0:3000
-            image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+            image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
             imagePullPolicy: IfNotPresent
             lifecycle:
               preStop:
@@ -105,7 +105,7 @@ sets clusterDomain on Deployment Pods:
             - wait
             - no-resolve
             - RELEASE-NAME-auth-v12.NAMESPACE.svc.test.com
-            image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+            image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
             name: wait-auth-update
           serviceAccountName: RELEASE-NAME-proxy
           terminationGracePeriodSeconds: 60
@@ -137,7 +137,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       name: wait-auth-update
     - args:
       - echo test
@@ -194,7 +194,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -255,7 +255,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -306,7 +306,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -374,7 +374,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -407,7 +407,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -475,7 +475,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -515,7 +515,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -583,7 +583,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v12.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport-distroless:13.4.24
+      image: public.ecr.aws/gravitational/teleport-distroless:13.4.26
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false

examples/chart/teleport-kube-agent/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "13.4.24"
+.version: &version "13.4.26"
 
 name: teleport-kube-agent
 apiVersion: v2