Release 16.5.13 #56387

Merged
fheinecke merged 2 commits into branch/v16 from release/16.5.13
Jul 2, 2025

@fheinecke fheinecke commented Jul 2, 2025

Security fixes

This release also includes fixes for the following security issues:

[Critical] Remote authentication bypass

  • Removed special handling for *ssh.Certificate authorities in the IsHostAuthority and IsUserAuthority callbacks used by x/crypto/ssh.CertChecker. #56253

Resolved an issue that allowed remote SSH authentication bypass on servers with Teleport SSH agents, OpenSSH-integrated deployments and Teleport Git proxy deployments. CVE-2025-49825. Refer to the RCA for the full details.

Other fixes and improvements

  • Trait role templating is now supported in the workload_identity_labels Role resource field. #56298
  • Updated the WindowsDesktop and WindowsDesktopService APIs to use pagination to avoid exceeding message size limitations. #56233
  • Fixed duplicated entries in tctl inventory list when using DynamoDB as cluster state storage. #56183
  • Fixed an issue that could prevent Windows desktop sessions from terminating when the idle timeout was exceeded. #56049
  • Added the teleport-update status --is-up-to-date flag to change the return code based on the update status. #55951
  • Fixed Hardware Key Support for YubiKey firmware versions 5.7.x. #55902
  • Fixed an error when creating or updating join tokens in the web UI when admin action is enabled (second_factor set to webauthn). #55852
  • Fixes a memory leak in Kubernetes Access caused by resources not being cleaned up when clients terminate watch streams. #55768
  • Fixed a bug that could cause Kubernetes exec requests to fail when the Kubernetes cluster had the WebSocket-based exec protocol disabled. #55733
  • Fixed an issue where the output from tctl sso configure github could not be used with tctl create -f in OSS Teleport. #55728
  • Fixed an issue that prevented changes to default shell from propagating for host users and static host users. #55649
  • Updated Go to 1.23.10. #55603
  • Fixed updating the default PIN and PUK for hardware key support in Teleport Connect. #55509
  • The tbot client now ensures the O_CLOEXEC flag is used when opening files on Linux hosts. #55504

@fheinecke fheinecke added the no-changelog Indicates that a PR does not require a changelog entry label Jul 2, 2025
@fheinecke fheinecke self-assigned this Jul 2, 2025
@fheinecke fheinecke requested review from camscale, r0mant, tcsc and zmb3 July 2, 2025 20:45
@fheinecke fheinecke enabled auto-merge July 2, 2025 20:45
@github-actions github-actions Bot requested a review from rosstimothy July 2, 2025 20:45

github-actions Bot commented Jul 2, 2025

Amplify deployment status

| Branch | Commit | Job ID | Status | Preview | Updated (UTC) |
|---|---|---|---|---|---|
| release/16.5.13 | HEAD | 1 | ✅ SUCCEED | release-16-5-13 | 2025-07-02 21:30:25 |

@fheinecke fheinecke added this pull request to the merge queue Jul 2, 2025
Merged via the queue into branch/v16 with commit cc5ccd9 Jul 2, 2025
42 checks passed
@fheinecke fheinecke deleted the release/16.5.13 branch July 2, 2025 22:27

Labels: backport, helm, no-changelog, size/sm