Release 15.4.29 #52201

Merged
camscale merged 1 commit into branch/v15 from release/15.4.29
Feb 14, 2025

@camscale

15.4.29 (02/14/25)

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52138
  • Verify that cluster name of TLS peer certs matches the cluster name of the CA that issued it to prevent Auth bypasses. #52132

Other fixes and improvements

  • Removed the ability of tctl to load the default configuration file on Windows. #52190
  • Moved PostgreSQL auto provisioning users procedures to pg_temp schema. #52150
  • Applied TELEPORT_UNSTABLE_DISABLE_AWS_FIPS to IAM and STS credentials. #52134
  • Fixed graceful closing of networking subprocesses when the Teleport parent process is gracefully closed (SIGQUIT). #52117
  • Updated Go to 1.23.6. #52087
  • Updated OpenSSL to 3.0.16. #52039
  • Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51941
  • Client tools managed updates require a base URL for the open-source build type. #51934
  • Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #51932
  • Added securityContext value to the tbot Helm chart. #51909
  • Teleport agents always create the debug.sock UNIX socket. The configuration field debug_service.enabled now controls if the debug and metrics endpoints are available via the UNIX socket. #51890
  • Updated Go to 1.22.12. #51837
  • Improved instance.join event error messaging. #51781
  • Added support for caching Microsoft Remote Desktop Services licenses. #51686
  • Added Audit Log statistics to tctl top. #51656
  • Fixed an issue where the Postgres backend would drop App Access events. #51645
  • Fixed a rare crash that can happen with malformed SAML connector. #51636
  • Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51604
  • Quoted the KUBECONFIG environment variable output by the tsh proxy kube command. #51525
  • Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51482
  • Added support for continuous profile collection with Pyroscope. #51480
  • Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51456
  • Fixed an issue that prevented IPs provided in the X-Forwarded-For header from being honored in some scenarios when TrustXForwardedFor is enabled. #51425
  • Added support for multiple active CAs in the /auth/export endpoint. #51420
  • Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51401
  • Added support for multiple active CAs in tctl auth export. #51377
  • Added more granular audit logging surrounding SSH port forwarding. #51327

Enterprise:

  • Removed Desktop Access support in arm64 FIPS builds.

Note: Release 15.4.28 was scrubbed due to build failures.

camscale added the no-changelog label (indicates that a PR does not require a changelog entry) Feb 14, 2025
camscale added this pull request to the merge queue Feb 14, 2025
Merged via the queue into branch/v15 with commit 8ff49d6 Feb 14, 2025
camscale deleted the release/15.4.29 branch February 14, 2025 23:34
Labels: backport, helm, no-changelog, size/sm