Release 15.4.28 (#52153)

* Release 15.4.28

* docs: Add "Pyroscope" to cspell dictionary

CHANGELOG.md

@@ -1099,7 +1099,7 @@ platforms, the default shortcuts have been changed to a combination of
 Ctrl+Shift+*.
 
 On macOS, the default shortcut to open a new terminal has been changed to
-Ctrl+Shift+`.
+Ctrl+Shift+\`.
 
 See the [configuration guide](https://github.com/gravitational/teleport/blob/branch/v16/docs/pages/connect-your-client/teleport-connect.mdx#configuration)
 for a list of updated keyboard shortcuts.
@@ -1123,6 +1123,40 @@ follow the manual setup guide.
 All Teleport Assist functionality and OpenAI integration has been removed from
 Teleport.
 
+## 15.4.28 (02/13/25)
+
+### Security Fixes
+
+* Fixed security issue with arbitrary file reads on SSH nodes. [#52138](https://github.com/gravitational/teleport/pull/52138)
+* Verify that cluster name of TLS peer certs matches the cluster name of the CA that issued it to prevent Auth bypasses. [#52132](https://github.com/gravitational/teleport/pull/52132)
+
+### Other fixes and improvements
+
+* Fixed graceful closing of networking subprocesses when the Teleport parent process is gracefully closed (SIGQUIT). [#52117](https://github.com/gravitational/teleport/pull/52117)
+* Updated Go to 1.23.6. [#52087](https://github.com/gravitational/teleport/pull/52087)
+* Updated OpenSSL to 3.0.16. [#52039](https://github.com/gravitational/teleport/pull/52039)
+* Reduced CPU consumption required to map roles between clusters and perform trait to role resolution. [#51941](https://github.com/gravitational/teleport/pull/51941)
+* Client tools managed updates require a base URL for the open-source build type. [#51934](https://github.com/gravitational/teleport/pull/51934)
+* Added an escape hatch to allow non-FIPS AWS endpoints on FIPS binaries (`TELEPORT_UNSTABLE_DISABLE_AWS_FIPS=yes`). [#51932](https://github.com/gravitational/teleport/pull/51932)
+* Added securityContext value to the tbot Helm chart. [#51909](https://github.com/gravitational/teleport/pull/51909)
+* Teleport agents always create the `debug.sock` UNIX socket. The configuration field `debug_service.enabled` now controls if the debug and metrics endpoints are available via the UNIX socket. [#51890](https://github.com/gravitational/teleport/pull/51890)
+* Updated Go to 1.22.12. [#51837](https://github.com/gravitational/teleport/pull/51837)
+* Improved instance.join event error messaging. [#51781](https://github.com/gravitational/teleport/pull/51781)
+* Added support for caching Microsoft Remote Desktop Services licenses. [#51686](https://github.com/gravitational/teleport/pull/51686)
+* Added Audit Log statistics to `tctl top`. [#51656](https://github.com/gravitational/teleport/pull/51656)
+* Fixed an issue where the Postgres backend would drop App Access events. [#51645](https://github.com/gravitational/teleport/pull/51645)
+* Fixed a rare crash that can happen with malformed SAML connector. [#51636](https://github.com/gravitational/teleport/pull/51636)
+* Fixed occasional Web UI session renewal issues (reverts "Avoid tight renewals for sessions with short TTL"). [#51604](https://github.com/gravitational/teleport/pull/51604)
+* Quoted the `KUBECONFIG` environment variable output by the `tsh proxy kube` command. [#51525](https://github.com/gravitational/teleport/pull/51525)
+* Added support for customizing the base URL for downloading Teleport packages used in client tools managed updates. [#51482](https://github.com/gravitational/teleport/pull/51482)
+* Added support for continuous profile collection with Pyroscope. [#51480](https://github.com/gravitational/teleport/pull/51480)
+* Improved handling of client session termination during Kubernetes Exec sessions. The disconnection reason is now accurately returned for cases such as certificate expiration, forced lock activation, or idle timeout. [#51456](https://github.com/gravitational/teleport/pull/51456)
+* Fixed an issue that prevented IPs provided in the `X-Forwarded-For` header from being honored in some scenarios when `TrustXForwardedFor` is enabled. [#51425](https://github.com/gravitational/teleport/pull/51425)
+* Added support for multiple active CAs in the /auth/export endpoint. [#51420](https://github.com/gravitational/teleport/pull/51420)
+* Fixed a bug in GKE auto-discovery where the process failed to discover any clusters if the identity lacked permissions for one or more detected GCP project IDs. [#51401](https://github.com/gravitational/teleport/pull/51401)
+* Added support for multiple active CAs in tctl auth export. [#51377](https://github.com/gravitational/teleport/pull/51377)
+* Added more granular audit logging surrounding SSH port forwarding. [#51327](https://github.com/gravitational/teleport/pull/51327)
+
 ## 15.4.26 (01/21/2025)
 
 * Fixed WebAuthn attestation for Windows Hello. [#51249](https://github.com/gravitational/teleport/pull/51249)

Makefile

@@ -11,7 +11,7 @@
 #   Stable releases:   "1.0.0"
 #   Pre-releases:      "1.0.0-alpha.1", "1.0.0-beta.2", "1.0.0-rc.3"
 #   Master/dev branch: "1.0.0-dev"
-VERSION=15.4.26
+VERSION=15.4.28
 
 DOCKER_IMAGE ?= teleport
 

build.assets/macos/tsh/tsh.app/Contents/Info.plist

@@ -19,13 +19,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>15.4.26</string>
+		<string>15.4.28</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>15.4.26</string>
+		<string>15.4.28</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

build.assets/macos/tshdev/tsh.app/Contents/Info.plist

@@ -17,13 +17,13 @@
 		<key>CFBundlePackageType</key>
 		<string>APPL</string>
 		<key>CFBundleShortVersionString</key>
-		<string>15.4.26</string>
+		<string>15.4.28</string>
 		<key>CFBundleSupportedPlatforms</key>
 		<array>
 			<string>MacOSX</string>
 		</array>
 		<key>CFBundleVersion</key>
-		<string>15.4.26</string>
+		<string>15.4.28</string>
 		<key>DTCompiler</key>
 		<string>com.apple.compilers.llvm.clang.1_0</string>
 		<key>DTPlatformBuild</key>

docs/cspell.json

@@ -179,6 +179,7 @@
     "Pbbd",
     "Pluggable",
     "Println",
+    "Pyroscope",
     "Quickstart",
     "Quicktime's",
     "REDISCLI",

examples/chart/access/discord/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "15.4.26"
+.version: &version "15.4.28"
 
 apiVersion: v2
 name: teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/configmap_test.yaml.snap

@@ -24,6 +24,6 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-discord-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-discord-15.4.28
       name: RELEASE-NAME-teleport-plugin-discord

examples/chart/access/discord/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-discord
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-discord-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-discord-15.4.28
       name: RELEASE-NAME-teleport-plugin-discord
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-discord
-            app.kubernetes.io/version: 15.4.26
-            helm.sh/chart: teleport-plugin-discord-15.4.26
+            app.kubernetes.io/version: 15.4.28
+            helm.sh/chart: teleport-plugin-discord-15.4.28
         spec:
           containers:
           - command:

examples/chart/access/email/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "15.4.26"
+.version: &version "15.4.28"
 
 apiVersion: v2
 name: teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/configmap_test.yaml.snap

@@ -26,8 +26,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on):
   1: |
@@ -59,8 +59,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, no starttls):
   1: |
@@ -92,8 +92,8 @@ should match the snapshot (smtp on, no starttls):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, password file):
   1: |
@@ -125,8 +125,8 @@ should match the snapshot (smtp on, password file):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, roleToRecipients set):
   1: |
@@ -161,8 +161,8 @@ should match the snapshot (smtp on, roleToRecipients set):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
 should match the snapshot (smtp on, starttls disabled):
   1: |
@@ -194,6 +194,6 @@ should match the snapshot (smtp on, starttls disabled):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email

examples/chart/access/email/tests/__snapshot__/deployment_test.yaml.snap

@@ -7,8 +7,8 @@ should be possible to override volume name (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -22,8 +22,8 @@ should be possible to override volume name (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.4.26
-            helm.sh/chart: teleport-plugin-email-15.4.26
+            app.kubernetes.io/version: 15.4.28
+            helm.sh/chart: teleport-plugin-email-15.4.28
         spec:
           containers:
           - command:
@@ -34,7 +34,7 @@ should be possible to override volume name (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.26
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.28
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -75,8 +75,8 @@ should match the snapshot:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -90,8 +90,8 @@ should match the snapshot:
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.4.26
-            helm.sh/chart: teleport-plugin-email-15.4.26
+            app.kubernetes.io/version: 15.4.28
+            helm.sh/chart: teleport-plugin-email-15.4.28
         spec:
           containers:
           - command:
@@ -136,8 +136,8 @@ should match the snapshot (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -151,8 +151,8 @@ should match the snapshot (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.4.26
-            helm.sh/chart: teleport-plugin-email-15.4.26
+            app.kubernetes.io/version: 15.4.28
+            helm.sh/chart: teleport-plugin-email-15.4.28
         spec:
           containers:
           - command:
@@ -163,7 +163,7 @@ should match the snapshot (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.26
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.28
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -204,8 +204,8 @@ should match the snapshot (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -219,8 +219,8 @@ should match the snapshot (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.4.26
-            helm.sh/chart: teleport-plugin-email-15.4.26
+            app.kubernetes.io/version: 15.4.28
+            helm.sh/chart: teleport-plugin-email-15.4.28
         spec:
           containers:
           - command:
@@ -231,7 +231,7 @@ should match the snapshot (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.26
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.28
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -272,8 +272,8 @@ should mount external secret (mailgun on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -287,8 +287,8 @@ should mount external secret (mailgun on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.4.26
-            helm.sh/chart: teleport-plugin-email-15.4.26
+            app.kubernetes.io/version: 15.4.28
+            helm.sh/chart: teleport-plugin-email-15.4.28
         spec:
           containers:
           - command:
@@ -299,7 +299,7 @@ should mount external secret (mailgun on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.26
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.28
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:
@@ -340,8 +340,8 @@ should mount external secret (smtp on):
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/managed-by: Helm
         app.kubernetes.io/name: teleport-plugin-email
-        app.kubernetes.io/version: 15.4.26
-        helm.sh/chart: teleport-plugin-email-15.4.26
+        app.kubernetes.io/version: 15.4.28
+        helm.sh/chart: teleport-plugin-email-15.4.28
       name: RELEASE-NAME-teleport-plugin-email
     spec:
       replicas: 1
@@ -355,8 +355,8 @@ should mount external secret (smtp on):
             app.kubernetes.io/instance: RELEASE-NAME
             app.kubernetes.io/managed-by: Helm
             app.kubernetes.io/name: teleport-plugin-email
-            app.kubernetes.io/version: 15.4.26
-            helm.sh/chart: teleport-plugin-email-15.4.26
+            app.kubernetes.io/version: 15.4.28
+            helm.sh/chart: teleport-plugin-email-15.4.28
         spec:
           containers:
           - command:
@@ -367,7 +367,7 @@ should mount external secret (smtp on):
             env:
             - name: TELEPORT_PLUGIN_FAIL_FAST
               value: "true"
-            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.26
+            image: public.ecr.aws/gravitational/teleport-plugin-email:15.4.28
             imagePullPolicy: IfNotPresent
             name: teleport-plugin-email
             ports:

examples/chart/access/jira/Chart.yaml

@@ -1,4 +1,4 @@
-.version: &version "15.4.26"
+.version: &version "15.4.28"
 
 apiVersion: v2
 name: teleport-plugin-jira