Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency gravitational/teleport to v17.1.5 #9514

Merged
merged 1 commit into from
Jan 11, 2025
Merged

chore(deps): update dependency gravitational/teleport to v17.1.5 #9514

merged 1 commit into from
Jan 11, 2025

Conversation

uniget-bot
Copy link

This PR contains the following updates:

Package Update Change
gravitational/teleport patch 17.1.4 -> 17.1.5

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

gravitational/teleport (gravitational/teleport)

v17.1.5: Teleport 17.1.5

Compare Source

Description

  • Fixes an issue causing Azure join method to fail due to throttling. #​50928
  • Fix Teleport Connect Oracle support. Requires updated Teleport database agents (v17.1.5+). #​50922
  • Prevent quoting errors in log messages. #​50821
  • Fixed an issue that could cause teleport event handlers to become stuck in an error loop upon upgrading to v17 (fix requires upgrading auth server). #​50820
  • Add user_agent field to db.session.start audit events. #​50806
  • Fix an issue "tsh aws ssm start-session" fails when KMS encryption is enabled. #​50796
  • Support wider range of Oracle clients and simplified configuration. #​50740
  • Added support for multi-port TCP apps to tsh proxy app. #​50691

Download

Download the current and previous releases of Teleport at https://goteleport.com/download.

Plugins

Download the current release of Teleport plugins from the links below.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

nicholasdille-bot
nicholasdille-bot approved these changes Jan 11, 2025
View reviewed changes
Copy link

@nicholasdille-bot nicholasdille-bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved because label type/renovate is present.

@github-actions GitHub Actions
Copy link

🔍 Vulnerabilities of ghcr.io/uniget-org/tools/teleport:17.1.5

📦 Image Reference ghcr.io/uniget-org/tools/teleport:17.1.5
digestsha256:aaa94f3c96c72e134533154ffb872bcd81326d984f9a4d23961b83925fbc7cb7
vulnerabilitiescritical: 0 high: 0 medium: 2 low: 2
platformlinux/amd64
size181 MB
packages419
critical: 0 high: 0 medium: 1 low: 1 github.com/aws/aws-sdk-go 1.55.5 (golang)

pkg:golang/github.com/aws/aws-sdk-go@1.55.5

medium : CVE--2020--8911

Affected range>=0
Fixed versionNot Fixed
Description

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code (MAC), which then allows an attacker who has write access to the target's S3 bucket and can observe whether or not an endpoint with access to the key can decrypt a file, they can reconstruct the plaintext with (on average) 128*length (plaintext) queries to the endpoint, by exploiting CBC's ability to manipulate the bytes of the next block and PKCS5 padding errors. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

low : CVE--2020--8912

Affected range>=0
Fixed versionNot Fixed
Description

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this in combination with a decryption oracle can reveal the authentication key used by AES-GCM as decrypting the GMAC tag leaves the authentication key recoverable as an algebraic equation. It is recommended to update your SDK to V2 or later, and re-encrypt your files.

critical: 0 high: 0 medium: 1 low: 0 k8s.io/apiserver 0.31.1 (golang)

pkg:golang/k8s.io/apiserver@0.31.1

medium 4.3: CVE--2020--8552 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<1.15.10
Fixed version1.15.10, 1.16.7, 1.17.3
CVSS Score4.3
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Description

The Kubernetes API server component has been found to be vulnerable to a denial of service attack via successful API requests.

critical: 0 high: 0 medium: 0 low: 1 github.com/golang-jwt/jwt/v4 4.5.0 (golang)

pkg:golang/github.com/golang-jwt/jwt/v4@4.5.0

low 2.3: CVE--2024--51744 Improper Verification of Cryptographic Signature

Affected range<4.5.1
Fixed version4.5.1
CVSS Score2.3
CVSS VectorCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Description

Summary

Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

Fix

We have back-ported the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release.

Workaround

We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

token, err := /* jwt.Parse or similar */
if token.Valid {
	fmt.Println("You look nice today")
} else if errors.Is(err, jwt.ErrTokenMalformed) {
	fmt.Println("That's not even a token")
} else if errors.Is(err, jwt.ErrTokenUnverifiable) {
	fmt.Println("We could not verify this token")
} else if errors.Is(err, jwt.ErrTokenSignatureInvalid) {
	fmt.Println("This token has an invalid signature")
} else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) {
	// Token is either expired or not active yet
	fmt.Println("Timing is everything")
} else {
	fmt.Println("Couldn't handle this token:", err)
}

@github-actions GitHub Actions
Copy link

Attempting automerge. See https://github.com/uniget-org/tools/actions/runs/12720130582.

@github-actions GitHub Actions
Copy link

PR is clean and can be merged. See https://github.com/uniget-org/tools/actions/runs/12720130582.

@github-actions github-actions bot merged commit 5e532b5 into main Jan 11, 2025
10 checks passed
@github-actions github-actions bot deleted the renovate/gravitational-teleport-17.1.x branch January 11, 2025 01:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicholasdille-bot nicholasdille-bot nicholasdille-bot approved these changes

Assignees
No one assigned
Labels
bump/patch type/renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@uniget-bot @nicholasdille-bot @renovate-bot