Releases: gravitational/teleport

Teleport 15.4.29

15 Feb 00:52
8ff49d6

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52138
  • Verify that the cluster name of a TLS peer cert matches the cluster name of the CA that issued it, to prevent Auth bypasses. #52132

Other fixes and improvements

  • Removed the ability of tctl to load the default configuration file on Windows. #52190
  • Moved PostgreSQL auto provisioning users procedures to pg_temp schema. #52150
  • Applied TELEPORT_UNSTABLE_DISABLE_AWS_FIPS to IAM and STS credentials. #52134
  • Fixed graceful closing of networking subprocesses when the Teleport parent process is gracefully closed (SIGQUIT). #52117
  • Updated Go to 1.23.6. #52087
  • Updated OpenSSL to 3.0.16. #52039
  • Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51941
  • Client tools managed updates require a base URL for the open-source build type. #51934
  • Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #51932
  • Added securityContext value to the tbot Helm chart. #51909
  • Teleport agents always create the debug.sock UNIX socket. The configuration field debug_service.enabled now controls if the debug and metrics endpoints are available via the UNIX socket. #51890
  • Updated Go to 1.22.12. #51837
  • Improved instance.join event error messaging. #51781
  • Added support for caching Microsoft Remote Desktop Services licenses. #51686
  • Added Audit Log statistics to tctl top. #51656
  • Fixed an issue where the Postgres backend would drop App Access events. #51645
  • Fixed a rare crash that can happen with malformed SAML connector. #51636
  • Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51604
  • Quoted the KUBECONFIG environment variable output by the tsh proxy kube command. #51525
  • Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51482
  • Added support for continuous profile collection with Pyroscope. #51480
  • Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51456
  • Fixed an issue that prevented IPs provided in the X-Forwarded-For header from being honored in some scenarios when TrustXForwardedFor is enabled. #51425
  • Added support for multiple active CAs in the /auth/export endpoint. #51420
  • Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51401
  • Added support for multiple active CAs in tctl auth export. #51377
  • Added more granular audit logging surrounding SSH port forwarding. #51327

Enterprise:

  • Removed Desktop Access support in arm64 FIPS builds.

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.


labels: security-patch=yes,security-patch-alts=v15.4.27

Teleport 17.2.7

14 Feb 03:36
0f26fcd

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52136
  • Verify that the cluster name of a TLS peer cert matches the cluster name of the CA that issued it, to prevent Auth bypasses. #52130
  • Reject authentication attempts from remote identities in the git forwarder. #52126

Other fixes and improvements

  • Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #52069
  • Fixed Postgres database access control privileges auto-provisioning to grant USAGE on schemas as needed for table privileges and fixed an issue that prevented user privileges from being revoked at the end of their session in some cases. #52047
  • Updated OpenSSL to 3.0.16. #52037
  • Added ability to disable path-style S3 access for third-party endpoints. #52009
  • Fixed displaying Access List form when request reason is required. #51998
  • Fixed a bug in the WebUI where file transfers would always prompt for MFA, even when not required. #51962
  • Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51935
  • Client tools managed updates require a base URL for the open-source build type. #51931
  • Fixed an issue where a leaf AWS console app shows a "not found" error when the root cluster has an app of the same name. #51928
  • Added securityContext value to the tbot Helm chart. #51907
  • Fixed an issue where required apps wouldn't be authenticated when launching an application from outside the Teleport Web UI. #51873
  • Prevent Teleport proxy failing to initialize when listener address's host component is empty. #51864
  • Fixed connecting to Apps in a leaf cluster when Per-session MFA is enabled. #51853
  • Updated Go to 1.23.6. #51835
  • Fixed bug where role max_duration is not respected unless request max_duration is set. #51821
  • Improved instance.join event error messaging. #51779
  • Teleport agents always create the debug.sock UNIX socket. The configuration field debug_service.enabled now controls if the debug and metrics endpoints are available via the UNIX socket. #51771
  • Backport new Azure integration functionality to v17, which allows the Discovery Service to fetch Azure resources and send them to the Access Graph. #51725
  • Added support for caching Microsoft Remote Desktop Services licenses. #51684
  • Added Audit Log statistics to tctl top. #51655
  • Redesigned the profile switcher in Teleport Connect for a more intuitive experience. Clusters now have distinct colors for easier identification, and readability is improved by preventing truncation of long user and cluster names. #51654
  • Fixed a regression that caused the Kubernetes Service to reuse expired tokens when accessing EKS, GKE and AKS clusters using dynamic credentials. #51652
  • Fixes issue where the Postgres backend would drop App Access events. #51643
  • Fixed a rare crash that can happen with malformed SAML connector. #51634
  • Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51601
  • Introduced tsh workload-identity issue-x509 as the replacement for tsh svid issue; it is compatible with the new WorkloadIdentity resource. #51597
  • Machine ID's new kubernetes/v2 service supports access to multiple Kubernetes clusters by name or label without needing to issue new identities. #51535
  • Quoted the KUBECONFIG environment variable output by the tsh proxy kube command. #51523
  • Fixed a bug where performing an admin action in the WebUI would hang indefinitely instead of getting an actionable error if the user has no MFA devices registered. #51513
  • Added support for continuous profile collection with Pyroscope. #51477
  • Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51476
  • Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51454
  • Fixed an issue that prevented IPs provided in the X-Forwarded-For header from being honored in some scenarios when TrustXForwardedFor is enabled. #51416
  • Added support for multiple active CAs in the /auth/export endpoint. #51415
  • Fixed integrations status page in WebUI. #51404
  • Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51399
  • Introduced the new workload_identity resource for configuring Teleport Workload Identity. #51288

Enterprise:

  • Fixed a regression in the Web UI that prevented Access List members from viewing the Access Lists they are members of.
  • Fixed an issue with recreating Teleport resources for Okta applications with multiple embed links.
  • Fixed an issue in the Identity Center principal assignment service that incorrectly reported a successful permission assignment delete request as a failed one.
  • Fixed an issue in the Identity Center group import service which incorrectly handled import error event.

labels: security-patch=v17.1.2|v17.1.3|v17.1.6

Teleport 16.4.16

14 Feb 03:28
e873067

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52137
  • Verify that the cluster name of a TLS peer cert matches the cluster name of the CA that issued it, to prevent Auth bypasses. #52131

Other fixes and improvements

  • Fixed Postgres database access control privileges auto-provisioning to grant USAGE on schemas as needed for table privileges and fixed an issue that prevented user privileges from being revoked at the end of their session in some cases. #52100
  • Updated Go to 1.23.6. #52083
  • Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes). #52082
  • Updated OpenSSL to 3.0.16. #52038
  • Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. #51940
  • Client tools managed updates require a base URL for the open-source build type. #51933
  • Added securityContext value to the tbot Helm chart. #51910
  • Teleport agents always create the debug.sock UNIX socket. The configuration field debug_service.enabled now controls if the debug and metrics endpoints are available via the UNIX socket. #51888
  • Fixed connecting to Apps in a leaf cluster when Per-session MFA is enabled. #51854
  • Fixed bug where role max_duration is not respected unless request max_duration is set. #51828
  • Improved instance.join event error messaging. #51780
  • Include the format (indicates which format the session was accessed in) and session_type (represents the type of the recording, for example, ssh) fields for the session.recording.access audit event. #51695
  • Added support for caching Microsoft Remote Desktop Services licenses. #51685
  • Added Audit Log statistics to tctl top. #51657
  • Fixed an issue where the Postgres backend would drop App Access events. #51644
  • Fixed a rare crash that can happen with malformed SAML connector. #51635
  • Introduced tsh workload-identity issue-x509 as the replacement for tsh svid issue; it is compatible with the new WorkloadIdentity resource. #51607
  • Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). #51602
  • Quoted the KUBECONFIG environment variable output by the tsh proxy kube command. #51524
  • Added support for continuous profile collection with Pyroscope. #51479
  • Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. #51478
  • Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. #51455
  • Fixed an issue that prevented IPs provided in the X-Forwarded-For header from being honored in some scenarios when TrustXForwardedFor is enabled. #51424
  • Added support for multiple active CAs in the /auth/export endpoint. #51418
  • Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. #51400
  • Added support for multiple active CAs in tctl auth export. #51376
  • Added ability to disable path-style S3 access for third-party endpoints. #51360
  • Added wildcard-workload-identity-issuer preset role to improve Day 0 experience with configuring Teleport Workload Identity. #51346
  • Improved Azure join validation by verifying subscription ID. #51329
  • Added more granular audit logging surrounding SSH port forwarding. #51326
  • Fixes a bug causing the terraform-provider preset role to not automatically allow newly supported resources. #51321
  • Introduced the new workload_identity resource for configuring Teleport Workload Identity. #51289

labels: security-patch=yes,security-patch-alts=v16.4.15

Teleport 14.3.36

14 Feb 02:39
d35a2f9

Description

Security Fixes

  • Fixed security issue with arbitrary file reads on SSH nodes. #52139
  • Verify that the cluster name of a TLS peer cert matches the cluster name of the CA that issued it, to prevent Auth bypasses. #52133
  • Updated golang.org/x/crypto to v0.31.0 (CVE-2024-45337). #50081

labels: security-patch=yes,security-patch-alts=v14.3.35

Teleport 17.2.1

23 Jan 02:15
1d267b0

Description

Security Fixes

  • Improve Azure join validation by verifying subscription ID. #51328

Other Improvements and Fixes

  • Added support for multiple active CAs in tctl auth export. #51375
  • Teleport Connect now shows a resource name in the status bar. #51374
  • Role presets now include default values for github_permissions and the git_server resource kind. github_permissions now supports traits. #51369
  • Fix backwards compatibility error where users were unable to log in with Teleport Connect if the Connect version is below v17.2.0 with Teleport cluster version v17.2.0. #51368
  • Added wildcard-workload-identity-issuer preset role to improve Day 0 experience with configuring Teleport Workload Identity. #51341
  • Added more granular audit logging surrounding SSH port forwarding. #51325
  • Fixes a bug causing the terraform-provider preset role to not automatically allow newly supported resources. #51320
  • GitHub server resource now shows in Web UI. #51303

labels: security-patch=yes

Teleport 17.2.0

22 Jan 04:37
43a9972

Description

Per-session MFA via IdP

Teleport users can now satisfy per-session MFA checks by authenticating with an
external identity provider as an alternative to using second factors registered
with Teleport.

GitHub access

Teleport now natively supports GitHub access allowing users to transparently
interact with GitHub with RBAC and audit logging support.

Oracle Toad client support

Oracle Database Access users can now use the Toad GUI client.

Trusted clusters support for Kubernetes operator

Kubernetes operator users can now create trusted clusters using Kubernetes
custom resources.

Other improvements and fixes

  • Fixed WebAuthn attestation for Windows Hello. #51247
  • Include invited and reason fields in SessionStartEvents. #51175
  • Updated Go to 1.23.5. #51172
  • Fixed client tools auto-updates executed by aliases (causes recursive alias error). #51154
  • Support proxying Git commands for github.com. #51086
  • Assuming an Access Request in Teleport Connect now propagates elevated permissions to already opened Kubernetes tabs. #51055
  • Fixed AWS SigV4 parse errors in app access when the application omits the optional spaces between the SigV4 components. #51043
  • Fixed a Database Service bug where db_service.resources.aws.assume_role_arn settings could affect non-AWS dynamic databases or incorrectly override db_service.aws.assume_role_arn settings. #51039
  • Adds support for defining labels in the web UI Discover flows for single resource enroll (server, AWS and web applications, Kubernetes, EKS, RDS). #51038
  • Added support for using multi-port TCP apps in Teleport Connect without VNet. #51014
  • Fix naming conflict of DynamoDB audit event auto scaling policy. #50990
  • Prevent routing issues for agentless nodes that are created with non-UUID metadata.name fields. #50924
  • Honor the cluster routing strategy when client initiated host resolution via proxy templates or label matching is ambiguous. #50799
  • Emit audit events on access request expiry. #50775
  • Add full SSO MFA support for the WebUI. #50529

Enterprise:

  • Oracle: accept database certificates configuration used by Teleport Connect.

Teleport 16.4.14

21 Jan 20:48
3553a42

Description

  • Fixed WebAuthn attestation for Windows Hello. #51248
  • Fixed client tools auto-updates executed by aliases (causes recursive alias error). #51182
  • Include invited and reason fields in SessionStartEvents. #51176
  • Updated Go to 1.22.11. #51137
  • Assuming an Access Request in Teleport Connect now propagates elevated permissions to already opened Kubernetes tabs. #51056
  • Fixed AWS SigV4 parse errors in app access when the application omits the optional spaces between the SigV4 components. #51044
  • Fixed a Database Service bug where db_service.resources.aws.assume_role_arn settings could affect non-AWS dynamic databases or incorrectly override db_service.aws.assume_role_arn settings. #51041
  • Prevent routing issues for agentless nodes that are created with non-UUID metadata.name fields. #50925
  • Honor the cluster routing strategy when client initiated host resolution via proxy templates or label matching is ambiguous. #50800

Enterprise:

  • Okta: Fixed web UI status display for SSO-only integration.

Teleport 15.4.26

21 Jan 22:56
b9e73d5

Description

  • Fixed WebAuthn attestation for Windows Hello. #51249
  • Fixed client tools auto-updates executed by aliases (causes recursive alias error). #51183
  • Include invited and reason fields in SessionStartEvents. #51177
  • Updated Go to 1.22.11. #51138
  • Assuming an Access Request in Teleport Connect now propagates elevated permissions to already opened Kubernetes tabs. #51057
  • Fixed AWS SigV4 parse errors in app access when the application omits the optional spaces between the SigV4 components. #51045
  • Fixed a Database Service bug where db_service.resources.aws.assume_role_arn settings could affect non-AWS dynamic databases or incorrectly override db_service.aws.assume_role_arn settings. #51042
  • Prevent routing issues for agentless nodes that are created with non-UUID metadata.name fields. #50926

Teleport 17.1.6

14 Jan 02:14
b806725

Description

  • Fix panic in EKS Auto Discovery. #50998
  • Add trusted clusters support to Kubernetes operator. #50995

Teleport 17.1.5

10 Jan 21:41
ee1532a

Description

  • Fixes an issue causing Azure join method to fail due to throttling. #50928
  • Fix Teleport Connect Oracle support. Requires updated Teleport database agents (v17.1.5+). #50922
  • Prevent quoting errors in log messages. #50821
  • Fixed an issue that could cause teleport event handlers to become stuck in an error loop upon upgrading to v17 (fix requires upgrading auth server). #50820
  • Add user_agent field to db.session.start audit events. #50806
  • Fix an issue where "tsh aws ssm start-session" fails when KMS encryption is enabled. #50796
  • Support wider range of Oracle clients and simplified configuration. #50740
  • Added support for multi-port TCP apps to tsh proxy app. #50691
