Release 16.4.5

CHANGELOG.md

@@ -1,8 +1,39 @@
 # Changelog
 
-## 16.4.4 (10/22/2024)
+## 16.4.5 (10/22/2024)
 
-* Teleport's Windows Desktop service now filters domain-joined Linux hosts out during LDAP discovery. [#47773](https://github.com/gravitational/teleport/pull/47773)
+### Security Fixes
+
+#### [High] Privilege persistence in Okta SCIM-only integration
+
+When Okta SCIM-only integration is enabled, in certain cases Teleport could
+calculate the effective set of permission based on SSO user's stale traits. This
+could allow a user who was unassigned from an Okta group to log into a Teleport
+cluster once with a role granted by the unassigned group being present in their
+effective role set.
+
+Note: This issue only affects Teleport clusters that have installed a SCIM-only
+Okta integration as described in this guide. If you have an Okta integration
+with user sync enabled or only using Okta SSO auth connector to log into your
+Teleport cluster without SCIM integration configured, you're unaffected. To
+verify your configuration:
+
+- Use `tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"`
+  command to check if you have Okta integration with user sync enabled. If it
+  outputs null or false, you may be affected and should upgrade.
+- Check SCIM provisioning settings for the Okta application you created or
+  updated while following the SCIM-only setup guide. If SCIM provisioning is
+  enabled, you may be affected and should upgrade.
+
+We strongly recommend customers who use Okta SCIM integration to upgrade their
+auth servers to version 16.3.0 or later. Teleport services other than auth
+(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
+impacted and do not need to be updated.
+
+### Other improvements and fixes
+
+* Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. [#47812](https://github.com/gravitational/teleport/pull/47812)
+* Teleport's Windows Desktop Service now filters domain-joined Linux hosts out during LDAP discovery. [#47773](https://github.com/gravitational/teleport/pull/47773)
 * The `join_token.create` audit event has been enriched with additional metadata. [#47765](https://github.com/gravitational/teleport/pull/47765)
 * Propagate resources configured in teleport-kube-agent chart values to post-install and post-delete hooks. [#47743](https://github.com/gravitational/teleport/pull/47743)
 * Add support for the Datadog Incident Management plugin helm chart. [#47727](https://github.com/gravitational/teleport/pull/47727)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.4.4
+VERSION=16.4.5
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.4</string>
+		<string>16.4.5</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.4</string>
+		<string>16.4.5</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.4.4</string>
+		<string>16.4.5</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.4.4</string>
+		<string>16.4.5</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.4"
+.version: &version "16.4.5"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-datadog-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-datadog-16.4.5
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-datadog-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-datadog-16.4.5
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 16.4.4
-            helm.sh/chart: teleport-plugin-datadog-16.4.4
+            app.kubernetes.io/version: 16.4.5
+            helm.sh/chart: teleport-plugin-datadog-16.4.5
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.4"
+.version: &version "16.4.5"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-discord-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-discord-16.4.5
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-discord-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-discord-16.4.5
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 16.4.4
-            helm.sh/chart: teleport-plugin-discord-16.4.4
+            app.kubernetes.io/version: 16.4.5
+            helm.sh/chart: teleport-plugin-discord-16.4.5
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.4.4"
+.version: &version "16.4.5"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-email-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-email-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-email-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-email-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-email-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.4.4
-        helm.sh/chart: teleport-plugin-email-16.4.4
+        app.kubernetes.io/version: 16.4.5
+        helm.sh/chart: teleport-plugin-email-16.4.5
       name: RELEASE-NAME-teleport-plugin-email