Skip to content

Teleport 4.2.12
Compare
Choose a tag to compare
@webvictim webvictim released this 01 Oct 03:22
· 17083 commits to master since this release
v4.2.12
12d07cb
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode.

This release of Teleport contains a security fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the
signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely
bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.2.12 includes the fix. Any Enterprise SSO users using Okta,
Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to version 4.2.12 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

Download

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.

Assets 2
Loading