Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Release 16.4.6 #47846

Merged
merged 1 commit into from
Oct 23, 2024
Merged

Release 16.4.6 #47846

merged 1 commit into from
Oct 23, 2024

Conversation

doggydogworld
Copy link
Contributor

@doggydogworld doggydogworld commented Oct 23, 2024

Security Fixes

[High] Privilege persistence in Okta SCIM-only integration

When Okta SCIM-only integration is enabled, in certain cases Teleport could
calculate the effective set of permission based on SSO user's stale traits. This
could allow a user who was unassigned from an Okta group to log into a Teleport
cluster once with a role granted by the unassigned group being present in their
effective role set.

Note: This issue only affects Teleport clusters that have installed a SCIM-only
Okta integration as described in this guide. If you have an Okta integration
with user sync enabled or only using Okta SSO auth connector to log into your
Teleport cluster without SCIM integration configured, you're unaffected. To
verify your configuration:

  • Use tctl get plugins/okta --format=json | jq ".[].spec.Settings.okta.sync_settings.sync_users"
    command to check if you have Okta integration with user sync enabled. If it
    outputs null or false, you may be affected and should upgrade.
  • Check SCIM provisioning settings for the Okta application you created or
    updated while following the SCIM-only setup guide. If SCIM provisioning is
    enabled, you may be affected and should upgrade.

We strongly recommend customers who use Okta SCIM integration to upgrade their
auth servers to version 16.3.0 or later. Teleport services other than auth
(proxy, SSH, Kubernetes, desktop, application, database and discovery) are not
impacted and do not need to be updated.

Other improvements and fixes

  • Added a new teleport_roles_total metric that exposes the number of roles which exist in a cluster. #47812
  • Teleport's Windows Desktop Service now filters domain-joined Linux hosts out during LDAP discovery. #47773
  • The join_token.create audit event has been enriched with additional metadata. #47765
  • Propagate resources configured in teleport-kube-agent chart values to post-install and post-delete hooks. #47743
  • Add support for the Datadog Incident Management plugin helm chart. #47727
  • Automatic device enrollment may be locally disabled using the TELEPORT_DEVICE_AUTO_ENROLL_DISABLED=1 environment variable. #47720
  • Fixed the Machine ID and GitHub Actions wizard. #47708
  • Added migration to update the old import_all_objects database object import rule to the new preset. #47707
  • Alter ServiceAccounts in the teleport-cluster Helm chart to automatically disable mounting of service account tokens on newer Kubernetes distributions, helping satisfy security linters. #47703
  • Avoid tsh auto-enroll escalation in machines without a TPM. #47695
  • Fixed a bug that prevented users from canceling tsh scan keys executions. #47658
  • Postgres database session start events now include the Postgres backend PID for the session. #47643
  • Reworked the teleport-event-handler integration to significantly improve performance, especially when running with larger --concurrency values. #47633
  • Fixes a bug where Let's Encrypt certificate renewal failed in AMI and HA deployments due to insufficient disk space caused by syncing audit logs. #47622
  • Adds support for custom SQS consumer lock name and disabling a consumer. #47614
  • Fixed an issue that prevented RDS Aurora discovery configuration in the AWS OIDC enrollment wizard when any cluster existed without member instances. #47605
  • Extend the Datadog plugin to support automatic approvals. #47602
  • Allow using a custom database for Firestore backends. #47583
  • Include host name instead of host uuid in error messages when SSH connections are prevented due to an invalid login. #47578
  • Fix the example Terraform code to support the new larger Teleport Enterprise licenses and updates output of web address to use fqdn when ACM is disabled. #47512
  • Add new tctl subcommands to manage bot instances. #47225

Enterprise:

  • Device auto-enroll failures are now recorded in the audit log.
  • Fixed possible panic when processing Okta assignments.

@doggydogworld doggydogworld added the no-changelog Indicates that a PR does not require a changelog entry label Oct 23, 2024
@github-actions github-actions bot added the helm label Oct 23, 2024
Copy link

This pull request is automatically being deployed by Amplify Hosting (learn more).

Access this pull request here: https://pr-47846.d212ksyjt6y4yg.amplifyapp.com

@doggydogworld doggydogworld added this pull request to the merge queue Oct 23, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 23, 2024
@doggydogworld doggydogworld added this pull request to the merge queue Oct 23, 2024
Merged via the queue into branch/v16 with commit 3104d1a Oct 23, 2024
45 of 47 checks passed
@doggydogworld doggydogworld deleted the release/16.4.6 branch October 23, 2024 15:27
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
backport helm no-changelog Indicates that a PR does not require a changelog entry size/sm
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants