Release 12.4.23 #33623

Merged. camscale merged 1 commit into branch/v12 from release/12.4.23, Oct 19, 2023

@camscale camscale commented Oct 18, 2023

12.4.23 (10/18/23)

Security fixes

  • Updated golang.org/x/net dependency. #33448
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated google.golang.org/grpc to v1.57.1. #33487
    • swift-nio-http2 vulnerable to HTTP/2 Stream Cancellation Attack: CVE-2023-44487
  • Updated Go library dependencies. #33544
    • crewjam/saml vulnerable to Denial Of Service Via Deflate Decompression Bomb: CVE-2023-28119
    • Snowflake Golang Driver vulnerable to Command Injection: CVE-2023-34231
    • Docker Swarm encrypted overlay network may be unauthenticated: CVE-2023-28840
    • Docker Swarm encrypted overlay network traffic may be unencrypted: CVE-2023-28841
    • Docker Swarm encrypted overlay network with a single endpoint is unauthenticated: CVE-2023-28842
  • Updated OpenTelemetry dependency. #33552
    • OpenTelemetry-Go Contrib vulnerable to denial of service in otelhttp due to unbound cardinality metrics: CVE-2023-45142
  • Updated JS dependencies. #33426 #33467
    • Regular Expression Denial of Service in trim: CVE-2020-7753
    • semver vulnerable to Regular Expression Denial of Service: CVE-2022-25883
    • word-wrap vulnerable to Regular Expression Denial of Service: CVE-2023-26115
    • xmldom allows multiple root nodes in a DOM: CVE-2022-39353
    • loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS): CVE-2022-37599
    • Prototype pollution in webpack loader-utils: CVE-2022-37601
    • loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable: CVE-2022-37603
    • Prototype pollution in Plist before 3.0.5 can cause denial of service: CVE-2022-22912
    • decode-uri-component vulnerable to Denial of Service (DoS): CVE-2022-38900
    • Cross-realm object access in Webpack 5: CVE-2023-28154
    • Prototype Pollution in JSON5 via Parse Method: CVE-2022-46175
    • http-cache-semantics vulnerable to Regular Expression Denial of Service: CVE-2022-25881
    • Exposure of sensitive information in follow-redirects: CVE-2022-0155
    • node-fetch forwards secure headers to untrusted sites: CVE-2022-0235
    • Exposure of Sensitive Information to an Unauthorized Actor in nanoid: CVE-2021-23566
    • Terser insecure use of regular expressions leads to ReDoS: CVE-2022-25858
  • Updated babel/core to 7.3.2. #33445
    • Arbitrary code execution when compiling specifically crafted malicious code: CVE-2023-45133

Other fixes and improvements

  • Fixed failure to connect to OpenSSH nodes when tracing is enabled. #33594
  • Web SSH sessions are terminated right away when a user closes the tab. #33535
  • Added support for Windows AD root domain for PKI operations. #33395

Ignored

  • Docs
    • [v12] Remove "Preview" from Resource Access Request page #33662
    • [v12] docs: include all db protocols in faq and config #33643
    • [v12] [docs] clarify RDS/Aurora databases getting modified #33412
    • [v12] docs: Fix a couple of typos and reword scenario descriptions #33399
    • [v12] docs: Add Docker to Mattermost access request plugin #33388
    • [v12] docs: Add Docker to MSFT teams plugin #33385
    • [v12] Add pcscd install instructions for hardware key support #33378
    • [v12] docs: update macos app remove command to delete dir and correct fips debug container address #33369
    • [auto] docs: Update version to v12.4.22 #33359
    • [v12] docs: Add Docker to email access request plugin #33319
    • [v12] Add Docker to Slack access request plugin #33391
  • Examples
    • [v12] Select examples api dependency update #33600
  • Trivial user-visible changes
    • [v12] allow https:// in proxy parameter in tsh #33649
  • No user-visible changes
    • [v12] Removed deprecated Aurora MySQL version 1 from Database discovery. #33235
  • Previous release

@camscale camscale added this pull request to the merge queue Oct 19, 2023
Merged via the queue into branch/v12 with commit 561b0a2 Oct 19, 2023
@camscale camscale deleted the release/12.4.23 branch October 19, 2023 07:42