Release 14.1.0 #33507

Merged
merged 1 commit into from
Oct 19, 2023

camscale
Contributor

@camscale camscale commented Oct 16, 2023

New features

  • Teleport Connect 14.1 introduces Connect My Computer which makes it possible to add your personal machine to a Teleport cluster in just a couple of clicks. Whether you're exploring capabilities of Teleport or want to make your computer available in your private cluster, Connect My Computer lets you do that without having to use the terminal to get the job done. Docs: https://goteleport.com/docs/connect-your-client/teleport-connect/#connect-my-computer
  • Resource pinning allows you to pin your most frequently accessed resources to a separate page for easy access.
  • Access Monitoring provides a view of risky accounts access and access anti-patterns in clusters using Athena as the audit log backend.
  • Users can connect to EC2 instances via AWS EC2 Instance Connect endpoints without needing to install Teleport agents.
  • Access list owners will be able to perform regular periodic reviews of the access list members.

Security fixes

  • Updated golang.org/x/net dependency. #33420
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated google.golang.org/grpc to v1.57.1. #33487
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated OpenTelemetry dependency. #33523 #33550
    • OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142
  • Updated babel/core to 7.3.2. #33441
    • Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133

Other fixes and improvements

  • Web SSH sessions are terminated right away when a user closes the tab. #33529
  • Added the ability for bots to submit access request reviews. #33509
  • Added access review notifications when logging in via tsh or running tsh status. #33468
  • Added database automatic user provisioning support for MySQL. #33379
  • Added job to update the Teleport version for deployments in Amazon ECS used during RDS Enrollment. #33313
  • Fixed Teleport Assist SQL view names. #33581
  • Fixed hardware key support for SSO web login. #33548
  • Fixed access lists to allow them to affect access request permissions. #33350
  • Prevented remote proxies from impersonating users from different clusters. #33539
  • Added link to access request in ServiceNow incidents. #33593
  • Added new "Identity Governance & Security" navigation section in web UI. #33423
  • Fixed tsh connection issue when Proxy is in separate mode and Web port is TLS-terminated by a load balancer. #32531 #33406
  • Fixed panic when trying to register resources from older Kubernetes clusters with extensions/v1beta1 group/version. #33402
  • Fixed access list audit log messages to properly include user names. #33383
  • Added notification icon to Web UI to show Access List review notifications. #33381
  • Fixed creation of @teleport-access-approver role to v6 to support downgrades to Teleport 13. #33354
  • Added ability to specify PIV slot for hardware key support. #33352 #33353
  • Extended timeout when waiting for hardware key touch/PIN. #33348
  • Added support for Windows AD root domain for PKI operations. #33275
  • Added resources to Slack notification of Access Requests. #33264
  • Fixed provision tokens to make system roles case-insensitive. #33260

Ignored

  • Docs
    • [v14] Update hardware key support docs #33650
    • [v14] docs: include all db protocols in faq and config #33641
    • Update upcoming-releases.mdx #33525
    • [v14] docs: update okta service setup #33464
    • [v14] docs: Add WinSCP to PuTTY client instructions #33092
    • [v14] docs: Add timing for automatic agent updates to the cloud FAQ #33400
    • [v14] docs: Fix a couple of typos and reword scenario descriptions #33397
    • [v14] [docs] clarify RDS/Aurora databases getting modified #33410
    • [v14] docs: update macos app remove command to delete dir and correct fips debug container address #33367
    • [auto] docs: Update version to v14.0.3 #33361
    • [v14] docs: Add Docker to email access request plugin #33321
    • [v14] docs: Reduce the use of capitalized trusted clusters and a few other fixes #33310
    • [v14] Add pcscd install instructions for hardware key support #33376
    • Added 10/11 Upcoming Releases Update #33309
    • [v14] docs: include servicenow and opsgenie in plugin index #33292
    • [v14] docs: join_sessions overrides the deny rule for sessions a user is allowed … #33161
  • Examples
    • [v14] Add param extraContainers to teleport-cluster and teleport-kube-agent #33299
  • Test-only changes
    • [v14] Deflake TestChaosUpload #33610
    • [v14] Wait for nodes to be available in disconnection integration test #33446
    • [v14] fix oidc test race #33432
    • [v14] Fix flaky test TestWithRsync/with_headless_tsh #33557
  • No user-visible changes
    • [v14] Add Hardware Key login audit event fields #33549
    • [v14] Add Hardware Key login PostHog event fields #33615
    • [v14] Add Hardware Key login audit event fields #33549
    • [v14] Add usage events for desktop access #33455
    • [v14] Revert private key policy error handling in WebUI #33482
    • [v14] Make privateKeyPolicyEnabled an optional field #33481
    • [v14] Fix user login state gRPC client upsert. #33451
    • [v14] Propagate resource revision to/from the backend #33214
    • [v14] Update generate-eventschema #33598
    • [v14] Include 'nextAuditDate' in 'CreateAccessListReview' method #33485
    • [v14] Add a duration for starting notifications to access lists. #33474
    • [v14] PIV refactors #33349
    • [v14] Remove access lists and members from the cache. #33322
    • [v14] Use searchAsRoles in unified requests and set default kinds in unified web requests #33427
    • [v14] Refactor desktop audit event emission #33316
    • [v14] Add user_certificates_generated prometheus metric #33476
  • Trivial user-visible changes
    • [v14] Manually sort pinned resources and UI fixes #33475
    • [v14] Machine ID: Improve warning/error message when secure symlinks are not available #33562
    • [v14] AWS OIDC: Only consider Linux/UNIX when listing EC2 instances #33515
  • Part of "New features" section
    • [v14] Show Connect My Computer button in empty state in Connect #33440
    • [v14] Remove Connect My Computer feature flag #32850
    • [v14] Show Connect My Computer CTA only if versions are compatible #33563
    • [v14] Make initialization of Connect synchronous #33508
    • [v14] Add resource pinning to Unified Resource cards (Add resource pinning to Unified Resource cards #32980) #33404
    • [v14] Add Access Monitoring Ping Auth Response Feature flag #33585
    • [v14] Security Reports #33459
    • [v14] [Access Monitoring] Add nav title & packages #33580
  • e updates
  • Previous release

@camscale camscale changed the base branch from master to branch/v14 October 16, 2023 07:18
@camscale camscale requested review from r0mant, tcsc and fheinecke October 16, 2023 07:19
Collaborator

@r0mant r0mant left a comment

Let's hold this off until everything we need in 14.1 (access monitoring reports and access reviews) is backported and merged.

@camscale
Contributor Author

Let's hold this off until everything we need in 14.1 (access monitoring reports and access reviews) is backported and merged.

Ok, but we have scheduled this release for October 16th, so I have prepared it for that date. I won't have a lot of time to get it all out on the 16th (17th here already).

@r0mant
Collaborator

r0mant commented Oct 16, 2023

@camscale Yeah, it was supposed to say 18th (the upcoming releases page is updated now). Thanks for preparing this in advance!

@greedy52
Contributor

FYI:

Doc change is still getting reviewed

Collaborator

@r0mant r0mant left a comment

@camscale We should be ok to release now, everything's merged.

@camscale camscale marked this pull request as ready for review October 18, 2023 05:42
@github-actions github-actions bot requested review from Tener and zmb3 October 18, 2023 05:43
@camscale camscale force-pushed the release/14.1.0 branch 2 times, most recently from 732e128 to 5901e53 Compare October 18, 2023 07:32
@camscale camscale force-pushed the release/14.1.0 branch 2 times, most recently from 3a879f5 to 876638b Compare October 19, 2023 01:33
@camscale camscale added this pull request to the merge queue Oct 19, 2023
Merged via the queue into branch/v14 with commit 508ccc5 Oct 19, 2023
35 checks passed
@camscale camscale deleted the release/14.1.0 branch October 19, 2023 03:06