Release 12.1.3

CHANGELOG.md

@@ -1,5 +1,87 @@
 # Changelog
 
+## 12.1.3 (03/30/23)
+
+This release of Teleport contains 2 security fixes as well as multiple improvements and bug fixes.
+
+### [High] OS authorization bypass in SSH tunneling
+
+When establishing an SSH port forwarding connection, Teleport did not
+sufficiently validate the specified OS principal.
+
+This could allow an attacker in possession of valid cluster credentials to
+establish a TCP tunnel to a node using a non-existent Linux user.
+
+The connection attempt would show up in the audit log as a "port" audit event
+(code T3003I) and include Teleport username in the "user" field.
+
+### [High] Teleport authorization bypass in Kubernetes Access
+
+When authorizing a Kubernetes Access request, Teleport did not adequately
+validate the target Kubernetes cluster.
+
+This could allow an attacker in possession of valid Kubernetes agent credentials
+or a join token to trick Teleport into forwarding requests to a different
+Kubernetes cluster.
+
+Every Kubernetes request would show up in the audit log as a "kube.request"
+audit event (code T3009I) and include the Kubernetes cluster metadata.
+
+### Other improvements and fixes
+
+* AMIs
+  * Added support for configuring TLS routing mode in AMIs. [#23678](https://github.com/gravitational/teleport/pull/23678)
+* Application Access
+  * Added support for application access behind ALB. [#23054](https://github.com/gravitational/teleport/pull/23054)
+  * Fixed app access requests being redirected to leaf's public address in some cases. [#23220](https://github.com/gravitational/teleport/pull/23220)
+  * Reduced log noise. [#23365](https://github.com/gravitational/teleport/pull/23365)
+* Bootstrap
+  * Added provision tokens support. [#23474](https://github.com/gravitational/teleport/pull/23474)
+* CLI
+  * Added `app_server` support to `tctl` resource commands. [#23136](https://github.com/gravitational/teleport/pull/23136)
+  * Display year in `tctl` commands output. [#23371](https://github.com/gravitational/teleport/pull/23371)
+  * Fixed issue with `tsh` reporting errors about missing webauthn.dll on Windows. [#23161](https://github.com/gravitational/teleport/pull/23161)
+  * Updated `tsh status` to not display internal logins. [#23411](https://github.com/gravitational/teleport/pull/23411)
+  * Added `--cluster` flag to `tsh kube sessions` command. [#23825](https://github.com/gravitational/teleport/pull/23825)
+* Database Access
+  * Added support for canceling in-progress PostgreSQL requests in database access. [#23467](https://github.com/gravitational/teleport/pull/23467)
+  * Fixed issue with query audit events always having `success: false` status. [#23274](https://github.com/gravitational/teleport/pull/23274)
+* Desktop Access
+  * Updated setup script to be idempotent. [#23176](https://github.com/gravitational/teleport/pull/23176)
+* Helm Charts
+  * Added ability to set resource limits and requests for pre-deployment jobs. [#23126](https://github.com/gravitational/teleport/pull/23126)
+* Infrastructure
+  * Introduced distroless Teleport container images. [#22814](https://github.com/gravitational/teleport/pull/22814)
+* Kubernetes Access
+  * Fixed issue with `tsh kube credentials` failing on remote clusters. [#23354](https://github.com/gravitational/teleport/pull/23354)
+  * Fixed issue with `tsh kube credentials` loading incorrect profile. [#23716](https://github.com/gravitational/teleport/pull/23716)
+* Machine ID
+  * Added ability to specify memory backend using CLI parameters. [#23495](https://github.com/gravitational/teleport/pull/23495)
+  * Added support for Azure delegated joining. [#23391](https://github.com/gravitational/teleport/pull/23391)
+  * Added support for Gitlab delegated joining. [#23191](https://github.com/gravitational/teleport/pull/23191)
+  * Added support for trusted clusters. [#23390](https://github.com/gravitational/teleport/pull/23390)
+* Proxy Peering
+  * Fixed proxy peering issues when running behind a load balancer. [#23506](https://github.com/gravitational/teleport/pull/23506)
+* Reverse Tunnels
+  * Fixed issue when joining leaf cluster over tunnel port with enabled proxy protocol. [#23487](https://github.com/gravitational/teleport/pull/23487)
+  * Fixed issue with joining agents over reverse tunnel port. [#23332](https://github.com/gravitational/teleport/pull/23332)
+* Performance & scalability
+  * Improved `tsh ls -R` performance in large clusters. [#23596](https://github.com/gravitational/teleport/pull/23596)
+  * Improved performance when setting session environment variables. [#23834](https://github.com/gravitational/teleport/pull/23834)
+* SSO
+  * Fixed issue with Github Enterprise SSO not working with custom URLs. [#23568](https://github.com/gravitational/teleport/pull/23568)
+* Teleport Connect
+  * Added support for config customization. [#23197](https://github.com/gravitational/teleport/pull/23197)
+  * Fixed unresponsive terminal on Windows Server 2019. [#22996](https://github.com/gravitational/teleport/pull/22996)
+* Tooling
+  * Updated Electron to `22.3.2`. [#23048](https://github.com/gravitational/teleport/pull/23048)
+  * Updated Go to `1.20.2`. [#22997](https://github.com/gravitational/teleport/pull/22997)
+  * Updated Rust to `1.68.0`. [#23101](https://github.com/gravitational/teleport/pull/23101)
+* Web UI
+  * Added MFA support when copying files. [#23195](https://github.com/gravitational/teleport/pull/23195)
+  * Fixed "ambiguous node" error when downloading files. [#23152](https://github.com/gravitational/teleport/pull/23152)
+  * Fixed intermittent "client connection is closing" errors in web UI after logging in. [#23733](https://github.com/gravitational/teleport/pull/23733)
+
 ## 12.1.1
 
 This release of Teleport contains multiple improvements and bug fixes.

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=12.1.1
+VERSION=12.1.3
 
 DOCKER_IMAGE ?= teleport
 

examples/chart/teleport-cluster/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "12.1.1"
+.version: &version "12.1.3"
 
 name: teleport-cluster
 apiVersion: v2

examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "12.1.1"
+.version: &version "12.1.3"
 
 name: teleport-operator
 apiVersion: v2

examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap

@@ -1,6 +1,6 @@
 should add an operator side-car when operator is enabled:
   1: |
-    image: public.ecr.aws/gravitational/teleport-operator:12.1.1
+    image: public.ecr.aws/gravitational/teleport-operator:12.1.3
     imagePullPolicy: IfNotPresent
     livenessProbe:
       httpGet:
@@ -30,7 +30,7 @@ should add an operator side-car when operator is enabled:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -135,7 +135,7 @@ should set nodeSelector when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -213,7 +213,7 @@ should set resources when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -280,7 +280,7 @@ should set securityContext when set in values:
     - args:
       - --diag-addr=0.0.0.0:3000
       - --apply-on-startup=/etc/teleport/apply-on-startup.yaml
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:

examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap

@@ -5,7 +5,7 @@ should provision initContainer correctly when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       name: wait-auth-update
     - args:
       - echo test
@@ -58,7 +58,7 @@ should set nodeSelector when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -116,7 +116,7 @@ should set nodeSelector when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       name: wait-auth-update
     nodeSelector:
       environment: security
@@ -151,7 +151,7 @@ should set resources when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -216,7 +216,7 @@ should set resources when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       name: wait-auth-update
     serviceAccountName: RELEASE-NAME-proxy
     terminationGracePeriodSeconds: 60
@@ -233,7 +233,7 @@ should set securityContext for initContainers when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -298,7 +298,7 @@ should set securityContext for initContainers when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false
@@ -322,7 +322,7 @@ should set securityContext when set in values:
     containers:
     - args:
       - --diag-addr=0.0.0.0:3000
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       imagePullPolicy: IfNotPresent
       lifecycle:
         preStop:
@@ -387,7 +387,7 @@ should set securityContext when set in values:
       - wait
       - no-resolve
       - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local
-      image: public.ecr.aws/gravitational/teleport:12.1.1
+      image: public.ecr.aws/gravitational/teleport:12.1.3
       name: wait-auth-update
       securityContext:
         allowPrivilegeEscalation: false

examples/chart/teleport-kube-agent/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "12.1.1"
+.version: &version "12.1.3"
 
 name: teleport-kube-agent
 apiVersion: v2