
Release 4.3.7 #4415

Merged
merged 4 commits into branch/4.3 from gus/4.3/4.3.7
Oct 1, 2020

Conversation

webvictim
Contributor

@webvictim webvictim commented Sep 30, 2020

4.3.7

This release of Teleport contains a security fix and a bug fix.

  • Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library which is used by Teleport to validate the
signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely
bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.3.7 includes the fix. Any Enterprise SSO users using Okta,
Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to version 4.3.7 and restart Teleport.

If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.

  • Fixed an issue where DynamoDB connections made by Teleport would not respect the HTTP_PROXY or HTTPS_PROXY environment variables. #4271
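A defender-side check that turns the upgrade guidance above into a script, added here as an example and not part of the Teleport release or this PR. It assumes `teleport version` prints `Teleport vX.Y.Z ...` and that `tctl get saml` prints each connector as YAML containing a `kind: saml` line.

```shell
#!/usr/bin/env bash
# Added example, not Teleport project code: decide whether an auth server still
# needs the mitigation from the 4.3.7 notes (CVE-2020-15216 in goxmldsig).
# Assumptions: `teleport version` prints "Teleport vX.Y.Z ..." and
# `tctl get saml` prints each connector as YAML with a "kind: saml" line.
FIXED_VERSION="4.3.7"

# True (exit 0) when $1 sorts strictly before $2 as a dotted numeric version.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$first" = "$1" ]
}

# Extracts "X.Y.Z" from `teleport version` output such as "Teleport v4.3.6 git:... go1.14".
parse_teleport_version() {
    printf '%s\n' "$1" | sed -n 's/^Teleport v\([0-9][0-9.]*\).*/\1/p'
}

# Counts connectors in `tctl get saml` output; `|| true` keeps a zero count from tripping set -e.
count_saml_connectors() {
    printf '%s\n' "$1" | grep -c '^kind: saml' || true
}

# Exit 0 when no action is needed, 1 when the release notes call for one.
assess() {
    version="$1"; connectors="$2"
    if ! version_lt "$version" "$FIXED_VERSION"; then
        echo "ok: Teleport $version already carries the goxmldsig fix"
        return 0
    fi
    if [ "$connectors" -eq 0 ]; then
        echo "ok: Teleport $version predates the fix but has no SAML connectors configured"
        return 0
    fi
    echo "ACTION: upgrade the auth server to $FIXED_VERSION and restart Teleport,"
    echo "        or delete the $connectors SAML connector(s) until the upgrade is applied"
    return 1
}

# Stand-alone demo on constructed command output (no live cluster required).
if [ "${1:-}" = "--demo" ]; then
    sample_version="Teleport v4.3.6 git:v4.3.6-0-gabcdef go1.14"
    sample_saml="kind: saml
metadata: {name: okta}
---
kind: saml
metadata: {name: onelogin}"
    assess "$(parse_teleport_version "$sample_version")" "$(count_saml_connectors "$sample_saml")"
fi
```

On a live auth server, feed it `"$(teleport version)"` and `"$(tctl get saml)"` instead of the constructed samples; a nonzero exit means one of the two actions from the notes is still outstanding.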

Contributor

@russjones russjones left a comment


We need some notes on what the threat is and what components need to be upgraded. Here is an example: https://github.com/gravitational/teleport/releases/tag/v4.1.10

@webvictim webvictim requested a review from russjones September 30, 2020 18:09
@webvictim
Contributor Author

retest this please

@webvictim webvictim merged commit 3687d39 into branch/4.3 Oct 1, 2020
@webvictim webvictim deleted the gus/4.3/4.3.7 branch October 1, 2020 00:11
4 participants