Release 13.4.23

[camscale]

Note: This release supersedes 13.4.22 which did not complete due to tbot
workflow issues. This PR includes an e ref update to bring in a fix to
the tbot workflow issues.

• Fixed a bug in the teleport-cluster Helm chart that happened when sessionRecording was off. #40921
• Issue cert.create events during device authentication. #40874
• Added a new Audit log event that is emitted when an Agent or Bot request to join the cluster is denied. #40816
• Fixed an issue that prevented uploading a zip file larger than 10MiB when updating an AWS Lambda function via tsh app access. #40795
• Added a new Prometheus metric to track requests initiated by Teleport against the control plane API. #40757
• Fixed possible data race that could lead to concurrent map read and map write while proxying Kubernetes requests. #40722
• Patch CVE-2023-45288 and CVE-2024-32473. #40698
• Generic "not found" errors are returned whether a remote cluster can't be found or access is denied. #40683
• Fixed a resource leak in the Teleport proxy server when using proxy peering. #40676
• Updated cosign to address CVE-2024-29902 and CVE-2024-29903. #40500
• Prevented accidental passkey "downgrades" to MFA. #40411
• Teleport Connect now hides cluster name in the connection list if there's only a single cluster available. #40358
• Teleport Connect now shows all recent connections instead of capping them at 10. #40252
• Fixed an issue that prevents the teleport service from restarting. #40231
• Include system annotations in audit event entries for access requests. #40216
• Updated Go to 1.21.9. #40178
• Allow diagnostic endpoints to be accessed behind a PROXY protocol enabled loadbalancer/proxy. #40140
• Fixed "Invalid URI" error in Teleport Connect when starting mongosh from database connection tab. #40106
• Fixed a verbosity issue that caused the teleport-kube-agent-updater to output debug logs by default. #39955
• Reduced default Jamf inventory page size, allow custom values to be provided. #39935
• Improved performance of resource filtering via labels and fuzzy search. #39793

Enterprise (not in CHANGELOG.md):

• Publishes the tbot-fips-distroless OCI image. This is similar to the existing tbot-distroless image but packages the FIPS-compliant binary. It also specifies the --fips flag by default when starting tbot which enables FIPS mode. This image must be used in FIPS compliant environments. #3875
• Reduced default Jamf inventory page size, allow custom values to be provided. #3819
• Prevent unintentional teleport-ent updates by using version locks. #3799
• Fixed an issue with the Teleport updater if the proxy value is surrounded in quotes. #3594