From b9c0d30ce13dfc5eb0e239cdaad1cbaeafca1806 Mon Sep 17 00:00:00 2001
From: Cam Hutchison
Date: Tue, 22 Aug 2023 18:32:36 +1000
Subject: [PATCH 1/3] Release 12.4.15

---
 CHANGELOG.md | 30 +++++++++
 Makefile | 2 +-
 api/version.go | 2 +-
 .../macos/tsh/tsh.app/Contents/Info.plist | 4 +-
 .../macos/tshdev/tsh.app/Contents/Info.plist | 4 +-
 docs/cspell.json | 3 +-
 examples/chart/teleport-cluster/Chart.yaml | 2 +-
 .../charts/teleport-operator/Chart.yaml | 2 +-
 .../auth_deployment_test.yaml.snap | 10 +--
 .../proxy_deployment_test.yaml.snap | 18 +++---
 examples/chart/teleport-kube-agent/Chart.yaml | 2 +-
 .../__snapshot__/deployment_test.yaml.snap | 58 ++++++++---------
 .../__snapshot__/statefulset_test.yaml.snap | 64 +++++++++----------
 version.go | 2 +-
 14 files changed, 117 insertions(+), 86 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c81ca528e35f3..4b8140ab5ab36 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,35 @@
 # Changelog
 
+## 12.4.15 (08/22/23)
+
+* Fixed S3 metric name for completed multipart uploads. [#30697](https://github.com/gravitational/teleport/pull/30697)
+* Fixed Teleport Connect to properly show errors from the remote end. [#30695](https://github.com/gravitational/teleport/pull/30695)
+* Fixed Review Requests to disallow reviews after request is resolved. [#30689](https://github.com/gravitational/teleport/pull/30689)
+* Fixed an issue with `tsh aws ssm start-session`. [#30669](https://github.com/gravitational/teleport/pull/30669)
+* Fixed Discovery service panics on GKE clusters without labels. [#30646](https://github.com/gravitational/teleport/pull/30646)
+* Fixed forwarding of SSH agent in a Cygwin environment. [#30581](https://github.com/gravitational/teleport/pull/30581)
+* Removed legacy AWS "aurora" engine type from discovery. [#30547](https://github.com/gravitational/teleport/pull/30547)
+* Fixed memory leak using PAM libraries. [#30520](https://github.com/gravitational/teleport/pull/30520)
+* Updated LDAP desktop discovery to handle slow DNS queries better. [#30463](https://github.com/gravitational/teleport/pull/30463)
+* Updated SAML certificate parsing to allow leading/trailing spaces. [#30451](https://github.com/gravitational/teleport/pull/30451)
+* Fixed "user is not managed" error when accessing ElastiCache and MemoryDB. [#30354](https://github.com/gravitational/teleport/pull/30354)
+* Show error if users attempt to do `tsh login --headless`. [#30308](https://github.com/gravitational/teleport/pull/30308)
+* Fixed resources being deleted from Firestore on update. [#30288](https://github.com/gravitational/teleport/pull/30288)
+* Fixed desktop access connecting to direct dial nodes. [#30276](https://github.com/gravitational/teleport/pull/30276)
+* Improved audit logging support for large SQL Server queries. [#30244](https://github.com/gravitational/teleport/pull/30244)
+* Fixed infinite retry in generic app access plugin. [#30232](https://github.com/gravitational/teleport/pull/30232)
+* `tsh` and `tctl` commands that output a text-formatted table will now consistently output resource labels as a comma-separated string, sorted by label namespace. Labels starting with `teleport.dev/`, `teleport.hidden/`, and `teleport.internal/` are omitted unless the --verbose flag is used. [#30227](https://github.com/gravitational/teleport/pull/30227) [#30224](https://github.com/gravitational/teleport/pull/30224)
+* Explicitly mention _registered_ and _new_ device when running `tsh mfa add` on Windows. [#30216](https://github.com/gravitational/teleport/pull/30216)
+* helm: Allow setting storage class name for auth component in the `teleport-cluster` chart. [#30144](https://github.com/gravitational/teleport/pull/30144)
+* helm: Use `imagePullSecrets` for pre-deploy test pods in the `teleport-cluster` chart. [#30143](https://github.com/gravitational/teleport/pull/30143)
+* Improved logging of Teleport Connect child processes. [#30026](https://github.com/gravitational/teleport/pull/30026)
+* Added IP pinning support for TLS routing behind ALB mode. [#30004](https://github.com/gravitational/teleport/pull/30004)
+* Tighten discovery service permissions. [#29995](https://github.com/gravitational/teleport/pull/29995)
+
+### Security fix
+
+* TODO(jent): Update this when security fix lands
+
 ## 12.4.14 (08/03/23)
 
 * Updated Go to 1.20.7 [#29906](https://github.com/gravitational/teleport/pull/29906)
diff --git a/Makefile b/Makefile
index 09391e5d76b58..ab341f088c435 100644
--- a/Makefile
+++ b/Makefile
@@ -11,7 +11,7 @@
 # Stable releases: "1.0.0"
 # Pre-releases: "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 # Master/dev branch: "1.0.0-dev"
-VERSION=12.4.14
+VERSION=12.4.15
 
 DOCKER_IMAGE ?= teleport
diff --git a/api/version.go b/api/version.go
index ffef70c6f1c99..77d13694aa1a3 100644
--- a/api/version.go
+++ b/api/version.go
@@ -1,7 +1,7 @@
 // Code generated by "make version". DO NOT EDIT.
 package api
 
-const Version = "12.4.14"
+const Version = "12.4.15"
 
 // Gitref is set to the output of "git describe" during the build process.
 var Gitref string
diff --git a/build.assets/macos/tsh/tsh.app/Contents/Info.plist b/build.assets/macos/tsh/tsh.app/Contents/Info.plist
index 2fbda97759e0b..a9ed736133710 100644
--- a/build.assets/macos/tsh/tsh.app/Contents/Info.plist
+++ b/build.assets/macos/tsh/tsh.app/Contents/Info.plist
@@ -19,13 +19,13 @@ CFBundlePackageType APPL CFBundleShortVersionString - 12.4.14 + 12.4.15 CFBundleSupportedPlatforms MacOSX CFBundleVersion - 12.4.14 + 12.4.15 DTCompiler com.apple.compilers.llvm.clang.1_0 DTPlatformBuild
diff --git a/build.assets/macos/tshdev/tsh.app/Contents/Info.plist b/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
index cf9c806a8a549..184afc321c2c3 100644
--- a/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
+++ b/build.assets/macos/tshdev/tsh.app/Contents/Info.plist
@@ -17,13 +17,13 @@ CFBundlePackageType APPL CFBundleShortVersionString - 12.4.14 + 12.4.15 CFBundleSupportedPlatforms MacOSX CFBundleVersion - 12.4.14 + 12.4.15 DTCompiler com.apple.compilers.llvm.clang.1_0 DTPlatformBuild
diff --git a/docs/cspell.json b/docs/cspell.json
index 56511a7181d23..f5c7a406a5c2c 100644
--- a/docs/cspell.json
+++ b/docs/cspell.json
@@ -36,6 +36,7 @@
 "CLOUDSDK",
 "CTAP",
 "Cgajq",
+ "Cygwin",
 "DBSIZE",
 "DEBU",
 "DHDR",
@@ -796,4 +797,4 @@
 "flagWords": [
 "hte"
 ]
-}
\ No newline at end of file
+}
diff --git a/examples/chart/teleport-cluster/Chart.yaml b/examples/chart/teleport-cluster/Chart.yaml
index 6bca296635c16..bb451adc2fe3d 100644
--- a/examples/chart/teleport-cluster/Chart.yaml
+++ b/examples/chart/teleport-cluster/Chart.yaml
@@ -1,4 +1,4 @@
-.version: &version "12.4.14"
+.version: &version "12.4.15"
 name: teleport-cluster apiVersion: v2
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml index a1996d2d26cf7..eed9d4e3745d9 100644 --- a/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml +++ b/examples/chart/teleport-cluster/charts/teleport-operator/Chart.yaml @@ -1,4 +1,4 @@ -.version: &version "12.4.14" +.version: &version "12.4.15" name: teleport-operator apiVersion: v2 diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap index 411711be8697e..fec2fa9d5ce51 100644 --- a/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap +++ b/examples/chart/teleport-cluster/tests/__snapshot__/auth_deployment_test.yaml.snap @@ -1,6 +1,6 @@ should add an operator side-car when operator is enabled: 1: | - image: public.ecr.aws/gravitational/teleport-operator:12.4.14 + image: public.ecr.aws/gravitational/teleport-operator:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: httpGet: @@ -30,7 +30,7 @@ should add an operator side-car when operator is enabled: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -138,7 +138,7 @@ should set nodeSelector when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: 
@@ -216,7 +216,7 @@ should set resources when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -283,7 +283,7 @@ should set securityContext when set in values: - args: - --diag-addr=0.0.0.0:3000 - --apply-on-startup=/etc/teleport/apply-on-startup.yaml - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: diff --git a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap index 217dabcbec65a..1aa27f780657d 100644 --- a/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap +++ b/examples/chart/teleport-cluster/tests/__snapshot__/proxy_deployment_test.yaml.snap @@ -5,7 +5,7 @@ should provision initContainer correctly when set in values: - wait - no-resolve - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 name: wait-auth-update - args: - echo test @@ -61,7 +61,7 @@ should set nodeSelector when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -119,7 +119,7 @@ should set nodeSelector when set in values: - wait - no-resolve - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 name: wait-auth-update nodeSelector: environment: security 
@@ -154,7 +154,7 @@ should set resources when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -219,7 +219,7 @@ should set resources when set in values: - wait - no-resolve - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 name: wait-auth-update serviceAccountName: RELEASE-NAME-proxy terminationGracePeriodSeconds: 60 @@ -236,7 +236,7 @@ should set securityContext for initContainers when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -301,7 +301,7 @@ should set securityContext for initContainers when set in values: - wait - no-resolve - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 name: wait-auth-update securityContext: allowPrivilegeEscalation: false @@ -325,7 +325,7 @@ should set securityContext when set in values: containers: - args: - --diag-addr=0.0.0.0:3000 - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent lifecycle: preStop: @@ -390,7 +390,7 @@ should set securityContext when set in values: - wait - no-resolve - RELEASE-NAME-auth-v11.NAMESPACE.svc.cluster.local - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 name: wait-auth-update securityContext: allowPrivilegeEscalation: false diff --git a/examples/chart/teleport-kube-agent/Chart.yaml b/examples/chart/teleport-kube-agent/Chart.yaml index 3a73259c40464..2e36457f6c8aa 100644 
--- a/examples/chart/teleport-kube-agent/Chart.yaml +++ b/examples/chart/teleport-kube-agent/Chart.yaml @@ -1,4 +1,4 @@ -.version: &version "12.4.14" +.version: &version "12.4.15" name: teleport-kube-agent apiVersion: v2 diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap index c7dc1906ee53d..da666a621fd78 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap +++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/deployment_test.yaml.snap @@ -30,7 +30,7 @@ sets Deployment annotations when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -101,7 +101,7 @@ sets Deployment labels when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -159,7 +159,7 @@ sets Pod annotations when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -217,7 +217,7 @@ sets Pod labels when specified if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -292,7 +292,7 @@ should add emptyDir for data when existingDataVolume is not set if action is Upg env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -351,7 +351,7 @@ should add insecureSkipProxyTLSVerify to args when set in values if action is Up env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -409,7 +409,7 @@ should correctly configure existingDataVolume when set if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -465,7 +465,7 @@ should expose diag port if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -535,7 +535,7 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -605,7 +605,7 @@ should have multiple replicas when replicaCount is set (using highAvailability.r env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -663,7 +663,7 @@ should have one replica when replicaCount is not set if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -721,7 +721,7 @@ should mount extraVolumes and extraVolumeMounts if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -786,7 +786,7 @@ should mount tls.existingCASecretName and set environment when set in values if value: "true" - name: SSL_CERT_FILE value: /etc/teleport-tls-ca/ca.pem - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -854,7 +854,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu value: http://username:password@my.proxy.host:3128 - name: SSL_CERT_FILE value: /etc/teleport-tls-ca/ca.pem - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -918,7 +918,7 @@ should provision initContainer correctly when set in values if action is Upgrade env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1012,7 +1012,7 @@ should set SecurityContext if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1090,7 +1090,7 @@ should set affinity when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1148,7 +1148,7 @@ should set default serviceAccountName when not set in values if action is Upgrad env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1219,7 +1219,7 @@ should set environment when extraEnv set in values if action is Upgrade: value: "true" - name: HTTPS_PROXY value: http://username:password@my.proxy.host:3128 - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -1335,7 +1335,7 @@ should set imagePullPolicy when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: Always livenessProbe: failureThreshold: 6 @@ -1393,7 +1393,7 @@ should set nodeSelector if set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1453,7 +1453,7 @@ should set not set priorityClassName when not set in values if action is Upgrade env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1523,7 +1523,7 @@ should set preferred affinity when more than one replica is used if action is Up env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1581,7 +1581,7 @@ should set priorityClassName when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -1640,7 +1640,7 @@ should set probeTimeoutSeconds when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1708,7 +1708,7 @@ should set required affinity when highAvailability.requireAntiAffinity is set if env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1766,7 +1766,7 @@ should set resources when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1831,7 +1831,7 @@ should set serviceAccountName when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1889,7 +1889,7 @@ should set tolerations when set in values if action is Upgrade: env: - name: TELEPORT_INSTALL_METHOD_HELM_KUBE_AGENT value: "true" - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 diff --git a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap index f2ed9b34cec1b..55ee076396134 100644 --- a/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap 
+++ b/examples/chart/teleport-kube-agent/tests/__snapshot__/statefulset_test.yaml.snap @@ -16,7 +16,7 @@ sets Pod annotations when specified: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -84,7 +84,7 @@ sets Pod labels when specified: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -176,7 +176,7 @@ sets StatefulSet labels when specified: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -272,7 +272,7 @@ should add insecureSkipProxyTLSVerify to args when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -340,7 +340,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and action fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -428,7 +428,7 @@ should add volumeClaimTemplate for data volume when using StatefulSet and is Fre fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -506,7 +506,7 @@ should add volumeMount for data volume when using StatefulSet: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -574,7 +574,7 @@ should expose diag port: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -642,7 +642,7 @@ should generate Statefulset when storage is disabled and mode is a Upgrade: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -724,7 +724,7 @@ should have multiple replicas when replicaCount is set (using .replicaCount, dep fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -804,7 +804,7 @@ should have multiple replicas when replicaCount is set (using highAvailability.r fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -872,7 +872,7 @@ should have one replica when replicaCount is not set: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -940,7 +940,7 @@ should install Statefulset when storage is disabled and mode is a Fresh Install: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1010,7 +1010,7 @@ should mount extraVolumes and extraVolumeMounts: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1085,7 +1085,7 @@ should mount tls.existingCASecretName and set environment when set in values: value: RELEASE-NAME - name: SSL_CERT_FILE value: /etc/teleport-tls-ca/ca.pem - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -1165,7 +1165,7 @@ should mount tls.existingCASecretName and set extra environment when set in valu value: /etc/teleport-tls-ca/ca.pem - name: HTTPS_PROXY value: http://username:password@my.proxy.host:3128 - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1241,7 +1241,7 @@ should not add emptyDir for data when using StatefulSet: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1309,7 +1309,7 @@ should provision initContainer correctly when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1413,7 +1413,7 @@ should set SecurityContext: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1501,7 +1501,7 @@ should set affinity when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1569,7 +1569,7 @@ should set default serviceAccountName when not set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -1650,7 +1650,7 @@ should set environment when extraEnv set in values: value: RELEASE-NAME - name: HTTPS_PROXY value: http://username:password@my.proxy.host:3128 - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1786,7 +1786,7 @@ should set imagePullPolicy when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: Always livenessProbe: failureThreshold: 6 @@ -1854,7 +1854,7 @@ should set nodeSelector if set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -1936,7 +1936,7 @@ should set preferred affinity when more than one replica is used: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -2004,7 +2004,7 @@ should set probeTimeoutSeconds when set in values: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 @@ -2082,7 +2082,7 @@ should set required affinity when highAvailability.requireAntiAffinity is set: fieldPath: metadata.namespace - name: RELEASE_NAME value: RELEASE-NAME - image: public.ecr.aws/gravitational/teleport:12.4.14 + image: public.ecr.aws/gravitational/teleport:12.4.15 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 
@@ -2150,7 +2150,7 @@ should set resources when set in values:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport:12.4.14
+ image: public.ecr.aws/gravitational/teleport:12.4.15
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 6
@@ -2225,7 +2225,7 @@ should set serviceAccountName when set in values:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport:12.4.14
+ image: public.ecr.aws/gravitational/teleport:12.4.15
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 6
@@ -2293,7 +2293,7 @@ should set storage.requests when set in values and action is an Upgrade:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport:12.4.14
+ image: public.ecr.aws/gravitational/teleport:12.4.15
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 6
@@ -2361,7 +2361,7 @@ should set storage.storageClassName when set in values and action is an Upgrade:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport:12.4.14
+ image: public.ecr.aws/gravitational/teleport:12.4.15
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 6
@@ -2429,7 +2429,7 @@ should set tolerations when set in values:
 fieldPath: metadata.namespace
 - name: RELEASE_NAME
 value: RELEASE-NAME
- image: public.ecr.aws/gravitational/teleport:12.4.14
+ image: public.ecr.aws/gravitational/teleport:12.4.15
 imagePullPolicy: IfNotPresent
 livenessProbe:
 failureThreshold: 6
diff --git a/version.go b/version.go
index 55b26297a331d..830a98761900b 100644
--- a/version.go
+++ b/version.go
@@ -1,7 +1,7 @@
 // Code generated by "make version". DO NOT EDIT.
 package teleport
-const Version = "12.4.14"
+const Version = "12.4.15"
 // Gitref is set to the output of "git describe" during the build process.
 var Gitref string
From b3ce7b87ff8648f47cf8c473bf670f6597e08091 Mon Sep 17 00:00:00 2001
From: Mike Jensen
Date: Tue, 22 Aug 2023 18:03:32 -0600
Subject: [PATCH 2/3] Json Unmarshal Panic fix
From recent fuzzing work a new panic was discovered where a pointer is allocated then a pointer to the pointer is passed into json.Unmarshal. It is then possible for this original pointer to remain a `nil` reference. This pattern looks unexpected, so all cases of double pointers being passed into json.Unmarshal were changed to the more standard empty struct pointer style to avoid potential nil reference panics.
---
lib/auth/http_client.go | 4 ++--
lib/auth/trustedcluster.go | 2 +-
lib/client/redirect.go | 8 ++++----
lib/client/weblogin.go | 8 ++++----
lib/srv/desktop/tdp/proto.go | 11 ++++++-----
lib/web/apiserver.go | 6 +++---
lib/web/command.go | 2 +-
lib/web/cookie.go | 4 ++--
8 files changed, 23 insertions(+), 22 deletions(-)
diff --git a/lib/auth/http_client.go b/lib/auth/http_client.go
index 9356d15c027f6..d56991479696e 100644
--- a/lib/auth/http_client.go
+++ b/lib/auth/http_client.go
@@ -851,7 +851,7 @@ func (c *HTTPClient) ValidateOIDCAuthCallback(ctx context.Context, q url.Values)
 if err != nil {
 return nil, trace.Wrap(err)
 }
- var rawResponse *OIDCAuthRawResponse
+ var rawResponse OIDCAuthRawResponse
 if err := json.Unmarshal(out.Bytes(), &rawResponse); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -889,7 +889,7 @@ func (c *HTTPClient) ValidateSAMLResponse(ctx context.Context, re string, connec
 if err != nil {
 return nil, trace.Wrap(err)
 }
- var rawResponse *SAMLAuthRawResponse
+ var rawResponse SAMLAuthRawResponse
 if err := json.Unmarshal(out.Bytes(), &rawResponse); err != nil {
 return nil, trace.Wrap(err)
 }
diff --git a/lib/auth/trustedcluster.go b/lib/auth/trustedcluster.go
index 8793a5edcd003..ef1087d1665c0 100644
--- a/lib/auth/trustedcluster.go
+++ b/lib/auth/trustedcluster.go
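Review bot: With `rawResponse` now a value, a body of `null` no longer panics in `ValidateOIDCAuthCallback` but decodes to a zero `OIDCAuthRawResponse` and the function continues as if the round-trip had returned a real response; the nil dereference is gone, but the degenerate payload is still accepted. Since these bytes arrive from the remote end, I would reject the zero value before using it — a comparison against `OIDCAuthRawResponse{}` if the type is comparable, otherwise a check on the fields the code below relies on — and return `trace.BadParameter("empty OIDC auth response")`. The same applies to the `ValidateSAMLResponse` hunk below and to the other sites this commit changes (trustedcluster.go, redirect.go, weblogin.go, proto.go, apiserver.go, command.go, cookie.go). Both functions start and end outside the hunks.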
@@ -664,7 +664,7 @@ func (a *Server) sendValidateRequestToProxy(host string, validateRequest *Valida
 return nil, trace.Wrap(err)
 }
- var validateResponseRaw *ValidateTrustedClusterResponseRaw
+ var validateResponseRaw ValidateTrustedClusterResponseRaw
 err = json.Unmarshal(out.Bytes(), &validateResponseRaw)
 if err != nil {
 return nil, trace.Wrap(err)
diff --git a/lib/client/redirect.go b/lib/client/redirect.go
index cb92e5206e24a..e5f3fb82fa388 100644
--- a/lib/client/redirect.go
+++ b/lib/client/redirect.go
@@ -196,13 +196,13 @@ func (rd *Redirector) issueSSOLoginConsoleRequest(req SSOLoginConsoleReq) (*SSOL
 return nil, trace.Wrap(err)
 }
- var re *SSOLoginConsoleResponse
+ var re SSOLoginConsoleResponse
 err = json.Unmarshal(out.Bytes(), &re)
 if err != nil {
 return nil, trace.Wrap(err)
 }
- return re, nil
+ return &re, nil
 }
 // Done is called when redirector is closed
@@ -247,13 +247,13 @@ func (rd *Redirector) callback(w http.ResponseWriter, r *http.Request) (*auth.SS
 return nil, trace.BadParameter("failed to decrypt response: in %v, err: %v", r.URL.String(), err)
 }
- var re *auth.SSHLoginResponse
+ var re auth.SSHLoginResponse
 err = json.Unmarshal(plaintext, &re)
 if err != nil {
 return nil, trace.BadParameter("failed to decrypt response: in %v, err: %v", r.URL.String(), err)
 }
- return re, nil
+ return &re, nil
 }
 // Close closes redirector and releases all resources
diff --git a/lib/client/weblogin.go b/lib/client/weblogin.go
index e408dc2692cf0..85f976c3106de 100644
--- a/lib/client/weblogin.go
+++ b/lib/client/weblogin.go
@@ -449,13 +449,13 @@ func SSHAgentLogin(ctx context.Context, login SSHLoginDirect) (*auth.SSHLoginRes
 return nil, trace.Wrap(err)
 }
- var out *auth.SSHLoginResponse
+ var out auth.SSHLoginResponse
 err = json.Unmarshal(re.Bytes(), &out)
 if err != nil {
 return nil, trace.Wrap(err)
 }
- return out, nil
+ return &out, nil
 }
 // SSHAgentHeadlessLogin begins the headless login ceremony, returning new user certificates if successful.
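Review bot: In the `Redirector.callback` hunk the `json.Unmarshal` failure on `plaintext` is still reported as `failed to decrypt response`, the same text as the decryption step above it, so anyone debugging a broken SSO callback is pointed at the wrong stage; `return nil, trace.BadParameter("failed to decode response: in %v, err: %v", r.URL.String(), err)` keeps the shape and fixes the attribution. This is pre-existing wording that the commit touches only by adjacency, so it is a small follow-up rather than a blocker. `sendValidateRequestToProxy`, `callback` and `SSHAgentLogin` all start and end outside their hunks.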
@@ -482,13 +482,13 @@ func SSHAgentHeadlessLogin(ctx context.Context, login SSHLoginHeadless) (*auth.S
 return nil, trace.Wrap(err)
 }
- var out *auth.SSHLoginResponse
+ var out auth.SSHLoginResponse
 err = json.Unmarshal(re.Bytes(), &out)
 if err != nil {
 return nil, trace.Wrap(err)
 }
- return out, nil
+ return &out, nil
 }
 // SSHAgentPasswordlessLogin requests a passwordless MFA challenge via the proxy.
diff --git a/lib/srv/desktop/tdp/proto.go b/lib/srv/desktop/tdp/proto.go
index a35fdba3997f3..836c0b545e13d 100644
--- a/lib/srv/desktop/tdp/proto.go
+++ b/lib/srv/desktop/tdp/proto.go
@@ -590,6 +590,8 @@ func DecodeMFA(in byteReader) (*MFA, error) {
 if length > maxMFADataLength {
 _, _ = io.CopyN(io.Discard, in, int64(length))
 return nil, mfaDataMaxLenErr
+ } else if length == 0 {
+ return nil, trace.BadParameter("mfa data missing")
 }
 b := make([]byte, int(length))
@@ -630,6 +632,8 @@ func DecodeMFAChallenge(in byteReader) (*MFA, error) {
 if length > maxMFADataLength {
 return nil, trace.BadParameter("mfa challenge data exceeds maximum length")
+ } else if length == 0 {
+ return nil, trace.BadParameter("mfa challenge data missing")
 }
 b := make([]byte, int(length))
@@ -637,17 +641,14 @@ func DecodeMFAChallenge(in byteReader) (*MFA, error) {
 return nil, trace.Wrap(err)
 }
- var req *client.MFAAuthenticateChallenge
+ var req client.MFAAuthenticateChallenge
 if err := json.Unmarshal(b, &req); err != nil {
 return nil, trace.Wrap(err)
 }
- if err != nil {
- return nil, trace.Wrap(err)
- }
 return &MFA{
 Type: mt,
- MFAAuthenticateChallenge: req,
+ MFAAuthenticateChallenge: &req,
 }, nil
 }
diff --git a/lib/web/apiserver.go b/lib/web/apiserver.go
index 3981c946fcaf3..967b7860e57d6 100644
--- a/lib/web/apiserver.go
+++ b/lib/web/apiserver.go
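Review bot: In `DecodeMFA` and `DecodeMFAChallenge` the new `length == 0` guard is attached as `else if` to a branch that always returns, which is the shape Go style (and staticcheck) flags; a separate `if` keeps the happy path left-aligned: `}` / `if length == 0 {` / `return nil, trace.BadParameter("mfa data missing")` / `}`, and likewise with `"mfa challenge data missing"` in the second function. The guard itself is worth keeping, since in `DecodeMFAChallenge` an empty buffer would otherwise reach `json.Unmarshal` and fail with the decoder's less specific error. Both functions start and end outside the hunks.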
@@ -2512,7 +2512,7 @@ func (h *Handler) siteNodeConnect(
 if params == "" {
 return nil, trace.BadParameter("missing params")
 }
- var req *TerminalRequest
+ var req TerminalRequest
 if err := json.Unmarshal([]byte(params), &req); err != nil {
 return nil, trace.Wrap(err)
 }
@@ -2539,13 +2539,13 @@ func (h *Handler) siteNodeConnect(
 if req.SessionID.IsZero() {
 // An existing session ID was not provided so we need to create a new one.
- sessionData, err = h.generateSession(ctx, clt, req, clusterName, sessionCtx)
+ sessionData, err = h.generateSession(ctx, clt, &req, clusterName, sessionCtx)
 if err != nil {
 h.log.WithError(err).Debug("Unable to generate new ssh session.")
 return nil, trace.Wrap(err)
 }
 } else {
- sessionData, displayLogin, err = h.fetchExistingSession(ctx, clt, req, clusterName)
+ sessionData, displayLogin, err = h.fetchExistingSession(ctx, clt, &req, clusterName)
 if err != nil {
 return nil, trace.Wrap(err)
 }
diff --git a/lib/web/command.go b/lib/web/command.go
index f229d39574c44..4896d37fa16d8 100644
--- a/lib/web/command.go
+++ b/lib/web/command.go
@@ -102,7 +102,7 @@ func (h *Handler) executeCommand(
 if params == "" {
 return nil, trace.BadParameter("missing params")
 }
- var req *CommandRequest
+ var req CommandRequest
 if err := json.Unmarshal([]byte(params), &req); err != nil {
 return nil, trace.BadParameter("failed to read JSON message: %v", err)
 }
diff --git a/lib/web/cookie.go b/lib/web/cookie.go
index d84d567e65baf..ec50218ace9c4 100644
--- a/lib/web/cookie.go
+++ b/lib/web/cookie.go
@@ -42,11 +42,11 @@ func DecodeCookie(b string) (*SessionCookie, error) {
 if err != nil {
 return nil, err
 }
- var c *SessionCookie
+ var c SessionCookie
 if err := json.Unmarshal(bytes, &c); err != nil {
 return nil, err
 }
- return &c, nil
 }
 func SetSessionCookie(w http.ResponseWriter, user, sid string) error {
From bdd83432ff595257c3b3ec6bc1c6c23f7370f52a Mon Sep 17 00:00:00 2001
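Review bot: `siteNodeConnect` reports malformed `params` JSON with `trace.Wrap(err)` while the sibling handler `executeCommand` in command.go classifies the identical failure as `trace.BadParameter("failed to read JSON message: %v", err)`; `params` is client-supplied in both, and presumably the bare `json` error wrapped this way is mapped to a server-side error rather than a bad-request by the web layer, so the two endpoints disagree on how they answer the same bad input. Aligning the first hunk to `return nil, trace.BadParameter("failed to read JSON message: %v", err)` would make that consistent. `DecodeCookie` in cookie.go similarly hands back the raw `json.Unmarshal` error with no `trace` wrapping, which loses the classification and stack entirely. All three enclosing functions start or end outside their hunks.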
From: Cam Hutchison
Date: Wed, 23 Aug 2023 11:40:49 +1000
Subject: [PATCH 3/3] Add changelog entry for security fix
---
CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b8140ab5ab36..5f56c955c33cd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -28,7 +28,7 @@ ### Security fix
-* TODO(jent): Update this when security fix lands
+* Security improvements with possible `medium` severity DoS conditions through protocol level attacks. [#30854](https://github.com/gravitational/teleport/pull/30854)
 ## 12.4.14 (08/03/23)