Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package teleport for openSUSE:Factory checked in at 2026-05-04 12:51:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/teleport (Old)
 and      /work/SRC/openSUSE:Factory/.teleport.new.30200 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "teleport" Mon May 4 12:51:44 2026 rev:171 rq:1350397 version:17.7.23 Changes: -------- --- /work/SRC/openSUSE:Factory/teleport/teleport.changes 2026-03-09 16:22:22.316280314 +0100 +++ /work/SRC/openSUSE:Factory/.teleport.new.30200/teleport.changes 2026-05-04 12:54:53.484873313 +0200 
@@ -1,0 +2,106 @@ +Fri May 1 19:46:54 UTC 2026 - Johannes Kastl <[email protected]> + +- update to 17.7.23 (no releases between .20 and this): + * Security fixes + This patch addresses two security vulnerabilities. + Impacted users are recommended to upgrade their auth and + database services to the latest version. + For Teleport Cloud customers, your control plane has already + been upgraded to a patched release. + - [High] Cross-node session recording access + When checking system service access to session recordings and + audit logs, Teleport did not perform sufficient + authorization. This could allow a compromised Teleport SSH + node service to access audit events and session recordings + from other nodes in the cluster. + All users are advised to upgrade their Auth services to the + patched v17 release. + - [Medium] SSRF via AWS database access endpoint + Teleport did not sufficiently validate the connection + endpoint for AWS database access (DynamoDB, OpenSearch, + Keyspaces). This could allow a malicious actor with access to + Teleport configuration to steal database access credentials + by crafting a connection endpoint pointing to their domain. + All users that use Teleport to access AWS-hosted databases + (DynamoDB, OpenSearch, Keyspaces) are advised to upgrade + their auth and database services to the patched v17 release + * Other fixes and improvements + - Initialize keystore sign and decrypt metrics at startup. + #66109 + - Updated jackc/pgx packages to fix + CVE-2026-4427/CVE-2026-32286, CVE-2026-33815, CVE-2026-33816, + GHSA-j88v-2chj-qfwx. #66093 + - Added teleport_app_active_sessions Prometheus gauge with app + label for app access agent autoscaling. #66049 + - Fixed a "No such process" error that could happen on the very + first launch of VNet on macOS. #65968 + - Fixed a Teleport Connect issue on Windows where startup could + fail when HTTPS_PROXY is set. #65925 + - Initialize backend read and requests metrics to zero at + startup. 
#65901 + - Fixed Teleport not taking over an existing unmanaged host + user when configured to. #65837 + - Fixes potential race condition in dynamoDB backend which can + lead to missed events, resulting in a inconsistent cache + state. #65822 + - Fixed an issue in Teleport Connect on macOS where selecting + "Open Teleport Connect" from the menu bar would not reliably + open the app. #65773 + - Updated github.com/go-git/go-git/v5 to resolve + CVE-2026-34165. #65649 + - Updated OpenTelemetry dependencies to address CVE-2026-24051. + #65647 + - Update Go to v1.25.9. #65587 + - Fixed "tctl edit" bugs when editing multiple resources, or + resources with sub_kinds (for example, CAs). #65343 + - Removed expired Baltimore CyberTrust Root CA used for Azure + databases. #65328 + - Reimplemented how Teleport Connect handles deep links for + Device Trust auth and launching VNet from the Web UI. #65317 + - Fixed minor bug in Web UI and Connect where static and + dynamic labels with the same key are duplicated. #65295 + - Fixed a goroutine leak in the Teleport Connect MFA prompt + when both SSO MFA and Webauthn are available second factors. + #65230 + - Fixed an issue that allowed bypassing Resource Access + Requests' AllowedResourceIDs when creating app sessions. + #65117 + - Fixed an issue that allowed IP Pinning protections to be + bypassed via direct dial to a Teleport Node. #65095 + - Fixed an issue that allowed IP Pinning protections to be + bypassed via the WebUI. Also fix an issue with sporadic WebUI + connection errors when the Proxy sees an unexpected client IP + even though IP Pinning is not enforced. #65093 + - Fixed intermittent issues with VNet on Windows with NRPT + rules being wiped after Group Policy refresh. #65018 + - Device Trust is now accessible under Zero Trust Access in the + web UI. #65006 + - Fixed an issue with desktop directory sharing in Teleport + Connect that caused file modification times not to be + displayed. 
#64920 + - Fixed an issue preventing Teleport Connect from launching on + Windows when the OS username contains non-ASCII characters. + #64886 + - API rate limiting for authenticated per-session MFA requests + now follows the regular API rate limits, making the limit + unlikely to be hit during parallel SSH operations. #64776 + - Print a message indicating that tctl recordings download + <session_id> completed successfully. #64722 + - Updated github.com/docker/cli to v29.2.0+incompatible + (addresses CVE-2025-15558). #64608 + - Teleport Connect now displays the Message of the Day (MOTD) + before login. #64550 + - Fixed bug that causes Windows desktop connection errors on + EC2 joined nodes. #64546 + - Fixed tsh login --request-id to display up to date profile + information including the assumed access request and roles. + #64537 + - Fixed error handling around empty uploads to ensure upload + resources are consistently cleaned up. #64501 + - Update Go to v1.25.8. #64435 + - Fixed failures to record extra large session events in + synchronous recording modes. #64344 + - Fixed a rare race condition causing initial node heartbeats + to be missing an address. #64331 + +------------------------------------------------------------------- Old: ---- teleport-17.7.20.obscpio New: ---- teleport-17.7.23.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ teleport.spec ++++++ --- /var/tmp/diff_new_pack.eMEqjd/_old 2026-05-04 12:54:58.833093431 +0200 +++ /var/tmp/diff_new_pack.eMEqjd/_new 2026-05-04 12:54:58.833093431 +0200 @@ -17,7 +17,7 @@ Name: teleport -Version: 17.7.20 +Version: 17.7.23 Release: 0 Summary: Identity-aware, multi-protocol access proxy License: AGPL-3.0-only 
@@ -35,7 +35,7 @@ BuildRequires: cargo >= 1.88 BuildRequires: cargo-packaging BuildRequires: git-core -BuildRequires: go1.25 >= 1.25.7 +BuildRequires: go1.25 >= 1.25.9 BuildRequires: pam-devel BuildRequires: systemd-rpm-macros BuildRequires: zsh ++++++ _service ++++++ --- /var/tmp/diff_new_pack.eMEqjd/_old 2026-05-04 12:54:58.893095901 +0200 +++ /var/tmp/diff_new_pack.eMEqjd/_new 2026-05-04 12:54:58.905096395 +0200 @@ -4,7 +4,7 @@ <param name="scm">git</param> <param name="submodules">disable</param> <param name="exclude">.git</param> - <param name="revision">v17.7.20</param> + <param name="revision">v17.7.23</param> <param name="match-tag">v*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ teleport-17.7.20.obscpio -> teleport-17.7.23.obscpio ++++++ /work/SRC/openSUSE:Factory/teleport/teleport-17.7.20.obscpio /work/SRC/openSUSE:Factory/.teleport.new.30200/teleport-17.7.23.obscpio differ: char 49, line 1 ++++++ teleport.obsinfo ++++++ --- /var/tmp/diff_new_pack.eMEqjd/_old 2026-05-04 12:54:58.969099029 +0200 +++ /var/tmp/diff_new_pack.eMEqjd/_new 2026-05-04 12:54:58.973099193 +0200 @@ -1,5 +1,5 @@ name: teleport -version: 17.7.20 -mtime: 1772821397 -commit: 27979100040cba4e568b6740d3e94f2eeaa180cb +version: 17.7.23 +mtime: 1777500178 +commit: e69ca99dff12b30fac61a0180fa2a5c65724b7e2 ++++++ vendor.tar.gz ++++++ /work/SRC/openSUSE:Factory/teleport/vendor.tar.gz /work/SRC/openSUSE:Factory/.teleport.new.30200/vendor.tar.gz differ: char 13, line 1 ++++++ vendor.tar.zst ++++++ ++++ 288375 lines of diff (skipped)
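Review bot: In the teleport.changes hunk, the two advisories under "Security fixes" ([High] Cross-node session recording access and [Medium] SSRF via AWS database access endpoint) carry no CVE or tracker reference, while the dependency bumps further down in the same entry do list CVE numbers. If identifiers or bug entries exist for the two advisories, add them so the update can be matched by vulnerability tracking. Three items filed under "Other fixes and improvements" also describe protection bypasses (#65117 for AllowedResourceIDs, #65095 and #65093 for IP Pinning); consider moving them next to the security fixes so an administrator skimming the entry does not miss them.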
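Review bot: In the teleport.spec hunk at "@@ -35,7 +35,7 @@", the Go requirement moves from "go1.25 >= 1.25.7" to "go1.25 >= 1.25.9", but the changelog only carries the upstream line "Update Go to v1.25.9. #65587" and no packaging line of its own. Add a short entry stating that BuildRequires was raised, so the spec change is documented separately from the upstream release notes. The neighbouring "BuildRequires: cargo >= 1.88" is left unchanged across three upstream patch releases; worth confirming it still matches what 17.7.23 needs.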
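Review bot: In the _service hunk the source is selected by tag (<param name="revision">v17.7.23</param>), and only teleport.obsinfo records the resolved commit e69ca99dff12b30fac61a0180fa2a5c65724b7e2. A tag can be moved upstream, so confirm that this commit is what the upstream v17.7.23 tag points to before accepting the obscpio. The vendor.tar.gz and vendor.tar.zst changes are not visible here ("288375 lines of diff (skipped)"), so the dependency updates named in the changelog (jackc/pgx, go-git, OpenTelemetry, docker/cli) cannot be confirmed from this mail. Check the vendored versions against upstream's dependency manifests at that commit.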
