Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package teleport for openSUSE:Factory checked in at 2024-05-24 19:51:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/teleport (Old)
 and      /work/SRC/openSUSE:Factory/.teleport.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "teleport" Fri May 24 19:51:58 2024 rev:103 rq:1176544 version:15.3.6 Changes: -------- --- /work/SRC/openSUSE:Factory/teleport/teleport.changes 2024-05-09 13:12:02.546367814 +0200 +++ /work/SRC/openSUSE:Factory/.teleport.new.24587/teleport.changes 2024-05-24 19:52:18.796082526 +0200 
@@ -1,0 +2,164 @@ +Thu May 23 19:36:32 UTC 2024 - Johannes Kastl <[email protected]> + +- update to 15.3.6 (no releases between .1 and .6): + This release contains fixes for several high-severity security + issues, as well as numerous other bug fixes and improvements. + Security Fixes + * [High] Unrestricted redirect in SSO Authentication + Teleport didnât sufficiently validate the client redirect URL. + This could allow an attacker to trick Teleport users into + performing an SSO authentication and redirect to an + attacker-controlled URL allowing them to steal the credentials. + #41834. + Warning: Teleport will now disallow non-localhost callback URLs + for SSO logins unless otherwise configured. Users of the tsh + login --callback feature should modify their auth connector + configuration as follows: + The allowed_https_hostnames field is an array containing + allowed hostnames, supporting glob matching and, if the string + begins and ends with ^ and $ respectively, full regular + expression syntax. Custom callback URLs are required to be + HTTPS on the standard port (443). + * [High] CockroachDB authorization bypass + When connecting to CockroachDB using Database Access, Teleport + did not properly consider the username case when running RBAC + checks. As such, it was possible to establish a connection + using an explicitly denied username when using a different + case. #41823. + * [High] Long-lived connection persistence issue with expired + certificates + Teleport did not terminate some long-running mTLS-authenticated + connections past the expiry of client certificates for users + with the disconnect_expired_cert option. This could allow such + users to perform some API actions after their certificate has + expired. #41827. + * [High] PagerDuty integration privilege escalation + When creating a role access request, Teleport would include + PagerDuty annotations from the entire userâs role set rather + than a specific role being requested. 
For users who run + multiple PagerDuty access plugins with auto-approval, this + could result in a request for a different role being + inadvertently auto-approved than the one which corresponds to + the userâs active on-call schedule. #41837. + * [High] SAML IdP session privilege escalation + When using Teleport as SAML IdP, authorization wasnât properly + enforced on the SAML IdP session creation. As such, + authenticated users could use an internal API to escalate their + own privileges by crafting a malicious program. #41846. + We strongly recommend all customers upgrade to the latest + releases of Teleport. + Other fixes and improvements + * Fixed access request annotations when annotations contain + globs, regular + * expressions, trait expansions, or claims_to_roles is used. + #41936. + * Added AWS Management Console as a guided flow using AWS OIDC + integration in + * the "Enroll New Resource" view in the web UI. #41864. + * Fixed spurious Windows Desktop sessions screen resize during an + MFA ceremony. #41856. + * Fixed session upload completion with large number of + simultaneous session + * uploads. #41854. + * Fixed MySQL databases version reporting on new connections. + #41819. + * Added read-only permissions for cluster maintenance config. + #41790. + * Stripped debug symbols from Windows builds, resulting in + smaller tsh and + * tctl binaries. #41787 + * Fixed passkey deletion so that a user may now delete their last + passkey if + * the have a password and another MFA configured. #41771. + * Changed the default permissions for the Workload Identity Unix + socket to 0777 + * rather than the default as applied by the umask. This will + allow the socket to + * be accessed by workloads running as users other than the user + that owns the + * tbot process. #41754 + * Added ability for teleport-event-handler to skip certain events + type when + * forwarding to an upstream server. #41747. + * Added automatic GCP label importing. #41733. 
+ * Fixed missing variable and script options in Default Agentless + Installer + * script. #41723. + * Removed invalid AWS Roles from Web UI picker. #41707. + * Added remote address to audit log events emitted when a Bot or + Instance join + * completes, successfully or otherwise. #41700. + * Simplified how Bots are shown on the Users list page. #41697. + * Added improved-performance implementation of ProxyCommand for + Machine ID and + * SSH. This will become the default in v16. You can adopt this + new mode early by + * setting TBOT_SSH_CONFIG_PROXY_COMMAND_MODE=new. #41694. + * Improved EC2 Auto Discovery by adding the SSM script output and + more explicit + * error messages. #41664. + * Added webauthn diagnostics commands to tctl. #41643. + * Upgraded application heartbeat service to support 1000+ dynamic + applications. #41626 + * Fixed issue where Kubernetes watch requests are written out of + order. #41624. + * Fixed a race condition triggered by a reload during Teleport + startup. #41592. + * Updated discover wizard Install Script to support Ubuntu 24.04. + #41589. + * Fixed systemd unit to always restart Teleport on failure unless + explicitly stopped. #41581. + * Updated Teleport package installers to reload Teleport service + config after + * upgrades. #41547. + * Fixed file truncation bug in Desktop Directory Sharing. #41540. + * Fixed WebUI SSH connection leak when browser tab closed during + SSH connection + * establishment. #41518. + * Fixed AccessList reconciler comparison causing audit events + noise. #41517. + * Added tooling to create SCIM integrations in tctl. #41514. + * Fixed Windows Desktop error preventing rendering of the remote + session. #41498. + * Fixed issue in the PagerDuty, Opsgenie and ServiceNow access + plugins that + * causing duplicate calls on access requests containing duplicate + service names. + * Also increases the timeout so slow external API requests are + less likely to + * fail. #41488. 
+ * Added basic Unix workload attestation to the tbot SPIFFE + workload API. You + * can now restrict the issuance of certain SVIDs to processes + running with a + * certain UID, GID or PID. #41450. + * Added "login failed" audit events for invalid passwords on + password+webauthn + * local authentication. #41432. + * Fixed Terraform provider issue causing the Provision Token + options to default + * to false instead of empty. #41429. + * Added support to automatically download CA for MongoDB Atlas + databases. #41338. + * Fixed broken "finish" web page for SSO Users on auto discover. + #41335. + * Allow setting Kubernetes Cluster name when using non-default + addresses. #41331. + * Added fallback on GetAccessList cache miss call. #41326. + * Fixed DiscoveryService panic when auto-enrolling EKS clusters. + #41320. + * Added validation for application URL extracted from the web + application launcher request route. #41304. + * Allow defining custom database names and users when selecting + wildcard during test connection when enrolling a database + through the web UI. #41301. + * Fixed broken link for alternative EC2 installation during EC2 + discover flow. #41292 + * Updated Go to v1.21.10. #41281. + * Updated user management to explicitly deny password resets and + local logins to + * SSO users. #41270. + * Fixed fetching suggested access lists with large IDs in + Telepor... + +------------------------------------------------------------------- Old: ---- teleport-15.3.1.obscpio New: ---- teleport-15.3.6.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ teleport.spec ++++++ --- /var/tmp/diff_new_pack.nYRfjk/_old 2024-05-24 19:52:24.196280070 +0200 +++ /var/tmp/diff_new_pack.nYRfjk/_new 2024-05-24 19:52:24.196280070 +0200 
@@ -19,7 +19,7 @@ %define __arch_install_post export NO_BRP_STRIP_DEBUG=true Name: teleport -Version: 15.3.1 +Version: 15.3.6 Release: 0 Summary: Identity-aware, multi-protocol access proxy License: Apache-2.0 ++++++ _service ++++++ --- /var/tmp/diff_new_pack.nYRfjk/_old 2024-05-24 19:52:24.236281532 +0200 +++ /var/tmp/diff_new_pack.nYRfjk/_new 2024-05-24 19:52:24.240281679 +0200 @@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="submodules">disable</param> <param name="exclude">.git</param> - <param name="revision">v15.3.1</param> + <param name="revision">v15.3.6</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">disable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ teleport-15.3.1.obscpio -> teleport-15.3.6.obscpio ++++++ /work/SRC/openSUSE:Factory/teleport/teleport-15.3.1.obscpio /work/SRC/openSUSE:Factory/.teleport.new.24587/teleport-15.3.6.obscpio differ: char 49, line 1 ++++++ teleport.obsinfo ++++++ --- /var/tmp/diff_new_pack.nYRfjk/_old 2024-05-24 19:52:24.304284020 +0200 +++ /var/tmp/diff_new_pack.nYRfjk/_new 2024-05-24 19:52:24.308284166 +0200 @@ -1,5 +1,5 @@ name: teleport -version: 15.3.1 -mtime: 1715102625 -commit: 1d048d0736fcb65b65bc513e328d7c98cbfe3d23 +version: 15.3.6 +mtime: 1716463822 +commit: 51cbf3516d3e8287c835fd130975e345023a0b67 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/teleport/vendor.tar.gz /work/SRC/openSUSE:Factory/.teleport.new.24587/vendor.tar.gz differ: char 5, line 1
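Review bot: in the teleport.changes hunk, the wrapped continuation lines of the "Other fixes and improvements" bullets carry their own `* ` prefix, so single items are split into two or more bullets (for example `* Fixed access request annotations when annotations contain globs, regular` followed by `* expressions, trait expansions, or claims_to_roles is used.`, and the Workload Identity socket entry spread across four bullets); reflow them with indented continuation lines, as the Security Fixes entries already are. The same entry contains mojibake apostrophes (`didnât`, `userâs`, `wasnât`) copied from the upstream release notes; replace them with plain ASCII apostrophes. The hunk as shown also ends mid-word at `Fixed fetching suggested access lists with large IDs in Telepor...` followed by a bare `+` line, so confirm the committed file carries the complete 15.3.6 list rather than a truncated one. Finally, two of the listed changes alter default behaviour that users of this package will hit on upgrade: non-localhost `tsh login --callback` URLs are now rejected unless `allowed_https_hostnames` is configured, and the Workload Identity Unix socket is created `0777` instead of honouring the umask; consider stating both near the top of the entry instead of leaving them buried in the list.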
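Review bot: the `_service` hunk pins `revision` to the tag name `v15.3.6`, while the `teleport.obsinfo` hunk records the resolved commit `51cbf3516d3e8287c835fd130975e345023a0b67`; nothing in the submission shows that the tag was checked against upstream's release tag before the tarball and `vendor.tar.gz` were regenerated. For an update that ships several high-severity security fixes, consider pinning `revision` to the commit hash recorded in obsinfo (or verifying the tag in the update workflow) so that a moved or re-pushed tag cannot silently change the source the obscpio is built from.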
