Gravitational Teleport v4.3.7 Release Notes
Release Date: 2020-10-01
This release of Teleport contains a security fix and a bug fix.
- Mitigated CVE-2020-15216 by updating github.com/russellhaering/goxmldsig.

Details

A vulnerability was discovered in the github.com/russellhaering/goxmldsig library, which Teleport uses to validate the signatures of XML files used to configure SAML 2.0 connectors. With a carefully crafted XML file, an attacker can completely bypass XML signature validation and pass off an altered file as a signed one.

Actions

The goxmldsig library has been updated upstream and Teleport 4.3.7 includes the fix. Any Enterprise SSO users using Okta, Active Directory, OneLogin or custom SAML connectors should upgrade their auth servers to version 4.3.7 and restart Teleport. If you are unable to upgrade immediately, we suggest deleting SAML connectors for all clusters until the updates can be applied.
- Fixed an issue where DynamoDB connections made by Teleport would not respect the HTTP_PROXY or HTTPS_PROXY environment variables. #4271
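As an added example (not Teleport's own code and not the #4271 patch), the following Go snippet shows the behaviour the fix restores: an outbound HTTP transport that honours HTTP_PROXY, HTTPS_PROXY and NO_PROXY through the standard library's http.ProxyFromEnvironment, plus a helper that reports which proxy a given endpoint would be routed through. The proxy address, the NO_PROXY entry and the DynamoDB endpoint are constructed values for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"os"
)

// newProxyAwareTransport clones Go's default transport (keeping its
// timeouts and TLS settings) and makes it consult HTTP_PROXY, HTTPS_PROXY
// and NO_PROXY. Go reads these variables once per process, so they must
// be set before the first request is made; changing them needs a restart.
func newProxyAwareTransport() *http.Transport {
	tr := http.DefaultTransport.(*http.Transport).Clone()
	tr.Proxy = http.ProxyFromEnvironment
	return tr
}

// proxyFor reports the proxy URL the transport would use for endpoint, or
// "" for a direct connection (no matching variable, or host in NO_PROXY).
func proxyFor(tr *http.Transport, endpoint string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return "", err
	}
	if tr.Proxy == nil {
		return "", nil
	}
	u, err := tr.Proxy(req)
	if err != nil || u == nil {
		return "", err
	}
	return u.String(), nil
}

func main() {
	// Constructed values for illustration only.
	os.Setenv("HTTPS_PROXY", "http://proxy.example.internal:3128")
	os.Setenv("NO_PROXY", "169.254.169.254")
	tr := newProxyAwareTransport()
	for _, ep := range []string{
		"https://dynamodb.us-east-1.amazonaws.com/",
		"http://169.254.169.254/latest/meta-data/",
	} {
		p, err := proxyFor(tr, ep)
		fmt.Printf("%s -> proxy=%q err=%v\n", ep, p, err)
	}
}
```

The same transport can be handed to an AWS SDK session as its HTTPClient so that DynamoDB calls follow the proxy variables while NO_PROXY keeps local endpoints direct.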
Download
Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.