teleport@16 16.5.13

[bayandin]

Created by brew bump

---

Created with brew bump-formula-pr.

Details

release notes

## Description
Security fixes
This release also includes fixes for the following security issues:
[Critical] Remote authentication bypass

Removed special handling for *ssh.Certificate authorities in the IsHostAuthority and IsUserAuthority callbacks used by x/crypto/ssh.CertChecker. #56253

Resolved an issue that allowed remote SSH authentication bypass on servers with Teleport SSH agents, OpenSSH-integrated deployments and Teleport Git proxy deployments.  CVE-2025-49825. Refer to the RCA for the full details.
Other fixes and improvements

Trait role templating is now supported in the workload_identity_labels Role resource field. #56298
Updated the WindowsDesktop and WindowsDesktopService APIs to use pagination to avoid exceeding message size limitations. #56233
Fixed duplicated entries in tctl inventory list when using DynamoDB as cluster state storage. #56183
Fixed an issue that could prevent Windows desktop sessions from terminating when the idle timeout was exceeded. #56049
Added the the teleport-update status --is-up-to-date flag to change the return code based on the update status. #55951
Fixed Hardware Key Support for YubiKey firmware versions 5.7.x. #55902
Fixed an error when creating or updating join tokens in the web UI when admin action is enabled (second_factor set to webauthn). #55852
Fixes a memory leak in Kubernetes Access caused by resources not being cleaned up when clients terminate watch streams. #55768
Fixed a bug that could cause Kubernetes exec requests to fail when the Kubernetes cluster had the WebSocket-based exec protocol disabled. #55733
Fixed an issue where the output from tctl sso configure github could not be used with tctl create -f in OSS Teleport. #55728
Fixed an issue that prevented changes to default shell from propagating for host users and static host users. #55649
Updated Go to 1.23.10. #55603
Fixed updating the default PIN and PUK for hardware key support in Teleport Connect. #55509
The tbot client now ensures the O_CLOEXEC flag is used when opening files on Linux hosts. #55504

Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.

Slack Linux amd64 | Linux arm64
Mattermost Linux amd64 | Linux arm64
Discord Linux amd64 | Linux arm64
Terraform Provider Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal
Event Handler Linux amd64 | Linux arm64 | macOS amd64
PagerDuty Linux amd64 | Linux arm64
Jira Linux amd64 | Linux arm64
Email Linux amd64 | Linux arm64
Microsoft Teams Linux amd64 | Linux arm64


labels: security-patch=yes,security-patch-alts=v16.5.12

View the full release notes at https://github.com/gravitational/teleport/releases/tag/v16.5.13.

---