diff --git a/teleport-18.yaml b/teleport-18.yaml
index 39be23bc91f..2f96a08c571 100644
--- a/teleport-18.yaml
+++ b/teleport-18.yaml
@@ -1,6 +1,6 @@
 package:
 name: teleport-18
- version: "18.2.4"
+ version: "18.2.10"
 epoch: 0 # GHSA-47m2-4cr7-mhcw
 description: The easiest, and most secure way to access and protect all of your infrastructure.
 copyright:
@@ -39,9 +39,26 @@ pipeline:
 - uses: git-checkout
 with:
 repository: https://github.com/gravitational/teleport
- expected-commit: b7ab8694b2256c53b226875b58ad18ced86ae225
+ expected-commit: 921ebcb53aca615ad432b6c1ec29a8adf5454d34
 tag: v${{package.version}}
+ - uses: go/bump
+ with:
+ deps: |-
+ github.com/quic-go/quic-go@v0.54.1
+ modroot: integrations/terraform
+
+ - uses: go/bump
+ with:
+ deps: |-
+ github.com/quic-go/quic-go@v0.54.1
+ modroot: integrations/terraform-mwi
+
+ - uses: go/bump
+ with:
+ deps: |-
+ github.com/quic-go/quic-go@v0.54.1
+
 # Fixes build failure introduced with 17.0.5 version:
 # "([wasm-validator error in function fastpathprocessor_process\20externref\20shim]
 # unexpected false: table.fill requires bulk-memory [--enable-bulk-memory])"
@@ -51,6 +68,15 @@ pipeline:
 with:
 patches: bulk-memory.patch
+ # This patch is in order to remediate GHSA-47m2-4cr7-mhcw
+ # quic-go introduced API changes in v0.53.0 and in order to remediate
+ # the CVE we need to apply the patches from upstream that allo quic-go
+ # to be upgraded to v0.53.0
+ # https://github.com/gravitational/teleport/pull/56302
+ - uses: patch
+ with:
+ patches: upgrade-quic-go-to-v0.53.0.patch
+
 - runs: |
 mkdir -p "${{targets.contextdir}}"/var/lib/teleport
 mkdir -p "${{targets.contextdir}}"/usr/local/bin
diff --git a/teleport-18/upgrade-quic-go-to-v0.53.0.patch b/teleport-18/upgrade-quic-go-to-v0.53.0.patch
new file mode 100644
index 00000000000..60a4ef82f6b
--- /dev/null
+++ b/teleport-18/upgrade-quic-go-to-v0.53.0.patch
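Review bot: The three `go/bump` steps pin `github.com/quic-go/quic-go@v0.54.1` for the root module and the two terraform modules only; if any other nested `go.mod` in the Teleport checkout also requires quic-go (I cannot tell from this diff, and upstream does carry several nested modules), that module keeps the vulnerable version and anything built from it stays exposed to GHSA-47m2-4cr7-mhcw despite the version bump. Before merging, enumerate the modules in the checkout, e.g. `grep -l quic-go $(git ls-files '*go.mod')`, and add a bump per match rather than assuming these three are exhaustive. If the package has a `test:` pipeline, a step that asserts `go version -m` on the installed `teleport` binary reports `quic-go` at `v0.54.1` would make the remediation verifiable on the artifact instead of inferred from go.mod. Note also that v0.54.1 is the version actually pinned, while the patch filename and the comment further down say v0.53.0, which will mislead anyone auditing which fixed release landed.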
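Review bot: The comment added above the `patch` step says quic-go is "upgraded to v0.53.0", but the `go/bump` steps in this same change pin `github.com/quic-go/quic-go@v0.54.1`, and the text has a typo (`allo` for `allow`); an auditor tracing the GHSA-47m2-4cr7-mhcw fix will look for a 0.53.0 pin and not find one. I would have the comment state what the step actually does: `# Remediates GHSA-47m2-4cr7-mhcw: quic-go v0.53.0 changed its API (quic.Connection/EarlyConnection -> *quic.Conn),` / `# so the upstream source changes from gravitational/teleport#56302 are backported here to allow the go/bump` / `# to v0.54.1 above to compile.` Naming the patch file after the PR or the pinned version instead of v0.53.0 would avoid the same confusion, and a note of which upstream release is expected to carry the change would tell the next bumper when the patch can be dropped.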
@@ -0,0 +1,58 @@
+diff --git a/lib/proxy/peer/quic/client.go b/lib/proxy/peer/quic/client.go
+index b230f111c2..8e0e5d074a 100644
+--- a/lib/proxy/peer/quic/client.go
++++ b/lib/proxy/peer/quic/client.go
+@@ -278,7 +278,7 @@ func (c *ClientConn) Dial(nodeID string, src net.Addr, dst net.Addr, tunnelType
+ return nil, trace.Wrap(err)
+ }
+
+- var conn quic.Connection = earlyConn
++ conn := earlyConn
+ defer func() {
+ if err == nil {
+ return
+@@ -466,7 +466,7 @@ func (c *ClientConn) Ping(ctx context.Context) error {
+ // response buffer. Request and response are length-prefixed by a 32 bit little
+ // endian integer, but the buffer size is also limited by [quicMaxMessageSize].
+ // The given request buffer should already be length-prefixed.
+-func sendUnary(deadline time.Time, sizedReqBuf []byte, conn quic.Connection) (_ []byte, _ quic.Stream, err error) {
++func sendUnary(deadline time.Time, sizedReqBuf []byte, conn *quic.Conn) (_ []byte, _ *quic.Stream, err error) {
+ stream, err := conn.OpenStream()
+ if err != nil {
+ return nil, nil, trace.Wrap(err)
+@@ -501,8 +501,8 @@ func sendUnary(deadline time.Time, sizedReqBuf []byte, conn quic.Connection) (_
+ // streamConn is a [net.Conn] using a single [quic.Stream] in a dedicated
+ // [quic.Connection].
+ type streamConn struct {
+- st quic.Stream
+- conn quic.Connection
++ st *quic.Stream
++ conn *quic.Conn
+
+ src net.Addr
+ dst net.Addr
+diff --git a/lib/proxy/peer/quic/server.go b/lib/proxy/peer/quic/server.go
+index 2931837907..2fe87f7551 100644
+--- a/lib/proxy/peer/quic/server.go
++++ b/lib/proxy/peer/quic/server.go
+@@ -209,7 +209,7 @@ func (s *Server) Serve(transport *quic.Transport) error {
+ }
+ }
+
+-func (s *Server) handleConn(conn quic.EarlyConnection) {
++func (s *Server) handleConn(conn *quic.Conn) {
+ log := s.log.With(
+ "remote_addr", conn.RemoteAddr().String(),
+ "internal_id", uuid.NewString(),
+@@ -250,7 +250,7 @@ func (s *Server) handleConn(conn quic.EarlyConnection) {
+ }
+ }
+
+-func (s *Server) handleStream(stream quic.Stream, conn quic.EarlyConnection, log *slog.Logger) {
++func (s *Server) handleStream(stream *quic.Stream, conn *quic.Conn, log *slog.Logger) {
+ log = log.With("stream_id", stream.StreamID())
+ log.DebugContext(conn.Context(), "handling stream")
+ defer log.DebugContext(conn.Context(), "done handling stream")
+--
+2.51.0
+
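Review bot: Replacing `quic.EarlyConnection` with `*quic.Conn` in `handleConn` and `handleStream` removes the only type-level signal that the connection may still be mid-handshake: in the new quic-go API an early listener's `Accept` hands back the same `*quic.Conn` before the TLS handshake, and therefore the client-certificate check, has completed, exactly as `EarlyConnection` did, but the signature no longer says so. Both function bodies start and end outside this hunk, so I cannot see whether `handleConn` waits on `conn.HandshakeComplete()` (or whether `Serve` listens with a non-early listener) before it trusts anything derived from `conn.ConnectionState().TLS`; please confirm that, since the peer-proxy path presumably authenticates on that state. I would pin the expectation with a comment on `handleConn`: `// conn may be a 0-RTT connection whose handshake has not completed yet; wait on conn.HandshakeComplete() before trusting ConnectionState().TLS.` Separately, the patch carries no `From:`/`Subject:` line naming the upstream commit it was cut from, so recording that SHA in the patch header would let the backport be dropped cleanly once a Teleport release includes it.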