Release 16.5.13

CHANGELOG.md

@@ -1,5 +1,34 @@
 # Changelog
 
+## 16.5.13 (07/02/25)
+
+### Security fixes
+
+This release also includes fixes for the following security issues:
+
+#### [Critical] Remote authentication bypass
+
+* Removed special handling for `*ssh.Certificate` authorities in the `IsHostAuthority` and `IsUserAuthority` callbacks used by `x/crypto/ssh.CertChecker`. [#56253](https://github.com/gravitational/teleport/pull/56253)
+
+Resolved an issue that allowed remote SSH authentication bypass on servers with Teleport SSH agents, OpenSSH-integrated deployments and Teleport Git proxy deployments.  [CVE-2025-49825](https://github.com/gravitational/teleport/security/advisories/GHSA-8cqv-pj7f-pwpc). Refer to the [RCA](https://trust.goteleport.com/resources?s=32t147ja8aawd6px7irxat&name=cve-2025-49825-rca) for the full details.
+
+### Other fixes and improvements
+
+* Trait role templating is now supported in the `workload_identity_labels` Role resource field. [#56298](https://github.com/gravitational/teleport/pull/56298)
+* Updated the WindowsDesktop and WindowsDesktopService APIs to use pagination to avoid exceeding message size limitations. [#56233](https://github.com/gravitational/teleport/pull/56233)
+* Fixed duplicated entries in `tctl inventory list` when using DynamoDB as cluster state storage. [#56183](https://github.com/gravitational/teleport/pull/56183)
+* Fixed an issue that could prevent Windows desktop sessions from terminating when the idle timeout was exceeded. [#56049](https://github.com/gravitational/teleport/pull/56049)
+* Added the the `teleport-update status --is-up-to-date` flag to change the return code based on the update status. [#55951](https://github.com/gravitational/teleport/pull/55951)
+* Fixed Hardware Key Support for YubiKey firmware versions 5.7.x. [#55902](https://github.com/gravitational/teleport/pull/55902)
+* Fixed an error when creating or updating join tokens in the web UI when admin action is enabled (second_factor set to webauthn). [#55852](https://github.com/gravitational/teleport/pull/55852)
+* Fixes a memory leak in Kubernetes Access caused by resources not being cleaned up when clients terminate watch streams. [#55768](https://github.com/gravitational/teleport/pull/55768)
+* Fixed a bug that could cause Kubernetes exec requests to fail when the Kubernetes cluster had the WebSocket-based exec protocol disabled. [#55733](https://github.com/gravitational/teleport/pull/55733)
+* Fixed an issue where the output from `tctl sso configure github` could not be used with `tctl create -f` in OSS Teleport. [#55728](https://github.com/gravitational/teleport/pull/55728)
+* Fixed an issue that prevented changes to default shell from propagating for host users and static host users. [#55649](https://github.com/gravitational/teleport/pull/55649)
+* Updated Go to 1.23.10. [#55603](https://github.com/gravitational/teleport/pull/55603)
+* Fixed updating the default PIN and PUK for hardware key support in Teleport Connect. [#55509](https://github.com/gravitational/teleport/pull/55509)
+* The `tbot` client now ensures the `O_CLOEXEC` flag is used when opening files on Linux hosts. [#55504](https://github.com/gravitational/teleport/pull/55504)
+
 ## 16.5.11 (06/05/25)
 
 ### Security fixes

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=16.5.11
+VERSION=16.5.13
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.5.11</string>
+		<string>16.5.13</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.5.11</string>
+		<string>16.5.13</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>16.5.11</string>
+		<string>16.5.13</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>16.5.11</string>
+		<string>16.5.13</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

docs/cspell.json

@@ -160,6 +160,8 @@
     "NOPASSWD",
     "NVGJ",
     "Näme",
+    "O_CLOEXEC",
+    "OCID",
     "ODBC",
     "OIDC",
     "OTLP",

examples/chart/access/datadog/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.5.11"
+.version: &version "16.5.13"
 
 apiVersion: v2
 name: teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,6 +26,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-datadog-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-datadog-16.5.13
       name: RELEASE-NAME-teleport-plugin-datadog

examples/chart/access/datadog/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-datadog
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-datadog-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-datadog-16.5.13
       name: RELEASE-NAME-teleport-plugin-datadog
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-datadog
-            app.kubernetes.io/version: 16.5.11
-            helm.sh/chart: teleport-plugin-datadog-16.5.11
+            app.kubernetes.io/version: 16.5.13
+            helm.sh/chart: teleport-plugin-datadog-16.5.13
         spec:
           containers:
           - command:

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.5.11"
+.version: &version "16.5.13"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-discord-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-discord-16.5.13
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-discord-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-discord-16.5.13
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 16.5.11
-            helm.sh/chart: teleport-plugin-discord-16.5.11
+            app.kubernetes.io/version: 16.5.13
+            helm.sh/chart: teleport-plugin-discord-16.5.13
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "16.5.11"
+.version: &version "16.5.13"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-email-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-email-16.5.13
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-email-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-email-16.5.13
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-email-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-email-16.5.13
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-email-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-email-16.5.13
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-email-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-email-16.5.13
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 16.5.11
-        helm.sh/chart: teleport-plugin-email-16.5.11
+        app.kubernetes.io/version: 16.5.13
+        helm.sh/chart: teleport-plugin-email-16.5.13
       name: RELEASE-NAME-teleport-plugin-email