Release 15.4.16 #45782

Merged
merged 1 commit into from
Aug 24, 2024
Conversation

fheinecke
Contributor

@fheinecke fheinecke commented Aug 23, 2024

15.4.16 (08/23/24)

Security fix

[High] Stored XSS in SAML IdP

When registering a service provider with SAML IdP, Teleport did not sufficiently validate the ACS endpoint. This
could allow a Teleport administrator with permissions to write saml_idp_service_provider resources to configure
a malicious service provider with an XSS payload and compromise the sessions of users who would access that
service provider.

Note: This vulnerability is only applicable when Teleport itself is acting as the identity provider. If you only use
SAML to connect to an upstream identity provider you are not impacted. You can use the tctl get
saml_idp_service_provider command to verify if you have any Service Provider applications registered and
Teleport acts as an IdP.

For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes, desktop, application,
database and discovery) are not impacted and do not need to be updated.

Other fixes and improvements

  • Fixed host user creation for tsh scp. #45681
  • Fixed AWS access failing when the username is longer than 64 characters. #45656
  • Permit setting a cluster wide SSH connection dial timeout. #45651
  • Improved performance of host resolution performed via tsh ssh when connecting via labels or proxy templates. #45645
  • Removed empty tcp app session recordings. #45642
  • Fixed Teleport plugins images using the wrong entrypoint. #45618
  • Added debug images for Teleport plugins. #45618
  • Fixed FeatureHiding flag not hiding the "Access Management" section in the UI. #45613
  • Fixed Host User Management deletes users that are not managed by Teleport. #45595
  • Fixed a security vulnerability with PostgreSQL integration where a maliciously crafted startup packet with an empty database name can bypass the intended access control. #45555
  • Fixed the debug service not being enabled by default when not using a configuration file. #45479
  • Introduced support for Envoy SDS into the Machine ID spiffe-workload-api service. #45463
  • Improved the output of tsh sessions ls to make it easier to understand what sessions are ongoing and what sessions a user can/should join as a moderator. #45453
  • Fixed access entry handling permission error when EKS auto-discovery was set up in the Discover UI. #45443
  • Fixed the web UI showing vague error messages when enrolling EKS clusters in the Discover UI. #45416
  • Fixed the "Create A Bot" flow for GitHub Actions and SSH not correctly granting the bot the role created during the flow. #45410
  • Fixed a panic caused by AWS STS client not being initialized when assuming an AWS Role. #45381
  • Fixed teleport debug commands incorrectly handling an unset data directory in the Teleport config. #45342

Enterprise:

  • Fixed Okta Sync spuriously deleting Okta Applications due to connectivity errors. #4886
  • Fixed Okta Sync mistakenly removing Apps and Groups on connectivity failure. #4884
  • Fixed the SAML IdP session preventing SAML IdP sessions from being consistently updated when users assumed a role or switched back from the role granted in the access request. #4879
  • Fixed a security issue where a user who can create saml_idp_service_provider resources can compromise the sessions of more powerful users and perform actions on behalf of others. #4863
  • Fixed the SAML IdP authentication middleware preventing users from signing into the service provider when a SAML authentication request was made with an HTTP-POST binding protocol and users didn't already have an active session with Teleport. #4852
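Added example, not code from this PR or from Teleport: the defensive pattern the ACS-endpoint issue above calls for is an input-side allow-list on the service provider's ACS URL at registration time, plus contextual output encoding when the IdP renders the HTTP-POST binding form. The functions ValidateACSURL and RenderPostForm, the template, and the rule set are assumptions for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// ValidateACSURL is a hypothetical input-side check for a service provider's
// Assertion Consumer Service URL (not Teleport's code). Reject first, allow last.
func ValidateACSURL(raw string) error {
	if raw == "" || strings.TrimSpace(raw) != raw {
		return errors.New("acs url is empty or has surrounding whitespace")
	}
	for _, r := range raw { // control bytes and non-ASCII never belong in an ACS URL
		if r < 0x20 || r >= 0x7f {
			return errors.New("acs url contains control or non-ASCII characters")
		}
	}
	if strings.ContainsAny(raw, `<>"'`+"`") { // would close an attribute or open a tag
		return errors.New("acs url contains HTML metacharacters")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" { // also rejects javascript:, data: and relative URLs
		return errors.New("acs url scheme must be https")
	}
	if u.Host == "" || u.User != nil || u.Fragment != "" {
		return errors.New("acs url must have a host and no userinfo or fragment")
	}
	return nil
}

// postFormTmpl is an assumed HTTP-POST binding form; html/template escapes the
// action attribute contextually, so output encoding holds even if a bad value is stored.
var postFormTmpl = template.Must(template.New("post").Parse(
	`<form method="post" action="{{.ACS}}"><input type="hidden" name="SAMLResponse" value="{{.Resp}}"></form>`))

// RenderPostForm re-validates the stored ACS URL and renders the auto-submit form.
func RenderPostForm(acs, samlResponse string) (string, error) {
	if err := ValidateACSURL(acs); err != nil {
		return "", err
	}
	var b bytes.Buffer
	err := postFormTmpl.Execute(&b, map[string]string{"ACS": acs, "Resp": samlResponse})
	return b.String(), err
}

func main() {
	out, err := RenderPostForm("https://sp.example.com/saml/acs", "c2FtcGxl") // constructed sample values
	fmt.Println(out, err)
}
```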

@fheinecke fheinecke added the no-changelog Indicates that a PR does not require a changelog entry label Aug 23, 2024
@fheinecke fheinecke self-assigned this Aug 23, 2024
@fheinecke fheinecke requested review from r0mant, zmb3, tcsc and camscale August 23, 2024 18:05
@fheinecke fheinecke enabled auto-merge August 23, 2024 18:05
@fheinecke fheinecke requested a review from r0mant August 23, 2024 18:29
@fheinecke fheinecke added this pull request to the merge queue Aug 24, 2024
Merged via the queue into branch/v15 with commit 81dac57 Aug 24, 2024
37 checks passed
@fheinecke fheinecke deleted the release/15.4.16 branch August 24, 2024 00:49