From 34a564c53da305f483dd3bc34fa4c48b7af49ffe Mon Sep 17 00:00:00 2001
From: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
Date: Fri, 24 Oct 2025 23:28:19 +0000
Subject: [PATCH 1/3] teleport-18/18.2.10 package update
Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
---
 teleport-18.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/teleport-18.yaml b/teleport-18.yaml
index 39be23bc91f..7c8abb161ce 100644
--- a/teleport-18.yaml
+++ b/teleport-18.yaml
@@ -1,6 +1,6 @@
 package:
 name: teleport-18
- version: "18.2.4"
+ version: "18.2.10"
 epoch: 0 # GHSA-47m2-4cr7-mhcw
 description: The easiest, and most secure way to access and protect all of your infrastructure.
 copyright:
@@ -39,7 +39,7 @@ pipeline:
 - uses: git-checkout
 with:
 repository: https://github.com/gravitational/teleport
- expected-commit: b7ab8694b2256c53b226875b58ad18ced86ae225
+ expected-commit: 921ebcb53aca615ad432b6c1ec29a8adf5454d34
 tag: v${{package.version}}
 
 # Fixes build failure introduced with 17.0.5 version:
From 4f17245efcf5a5e0942b1cd2f7ab82add3c8c9ae Mon Sep 17 00:00:00 2001
From: Batuhan Apaydin <16693043+developer-guy@users.noreply.github.com>
Date: Sat, 25 Oct 2025 22:53:30 +0300
Subject: [PATCH 2/3] fix the CVE-2025-59530
Signed-off-by: Batuhan Apaydin <16693043+developer-guy@users.noreply.github.com>
---
 teleport-18.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/teleport-18.yaml b/teleport-18.yaml
index 7c8abb161ce..66ec37b5553 100644
--- a/teleport-18.yaml
+++ b/teleport-18.yaml
@@ -42,6 +42,11 @@ pipeline:
 expected-commit: 921ebcb53aca615ad432b6c1ec29a8adf5454d34
 tag: v${{package.version}}
 
+ - uses: go/bump
+ with:
+ deps: |-
+ github.com/quic-go/quic-go@v0.54.1
+
 # Fixes build failure introduced with 17.0.5 version:
 # "([wasm-validator error in function fastpathprocessor_process\20externref\20shim]
 # unexpected false: table.fill requires bulk-memory [--enable-bulk-memory])"
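Review bot: The new `go/bump` step pinning `github.com/quic-go/quic-go@v0.54.1` carries no comment naming the advisory it exists for, while the commit subject cites CVE-2025-59530 and the `epoch` line already carries `# GHSA-47m2-4cr7-mhcw`; the next routine version update (the kind shown in PATCH 1/3 just above) cannot tell whether the pin is still needed or has quietly become a downgrade. Add a comment directly above the step, e.g. `# CVE-2025-59530: pin quic-go to a fixed release; drop once upstream go.mod already requires >= v0.54.1`. Whether the GHSA id on the `epoch` line and the CVE in the subject are the same quic-go advisory is not shown by these lines, so confirm before citing both in one comment.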
From 4ac89f7533979b9fb21aefeb0f8c978d217b808b Mon Sep 17 00:00:00 2001
From: David Negreira
Date: Mon, 27 Oct 2025 10:14:11 +0100
Subject: [PATCH 3/3] teleport-18: bump quic-go to v0.54.1
This commit introduces bumps to quic-go in v0.54.1 in integrations/terraform and integrations/terraform-mwi It also introduces a patch so that we can bump the quic-go version to v0.54.1 in teleport. quic-go introduced breaking API changes in version v0.53.0 and the upstream project had to adapt to use the new code. Patch partially imported from teleport upstream: https://github.com/gravitational/teleport/pull/56302 Information on quic-go upstream breaking changes: https://github.com/quic-go/quic-go/releases/tag/v0.53.0
Signed-off-by: David Negreira
---
 teleport-18.yaml | 21 +++++++
 teleport-18/upgrade-quic-go-to-v0.53.0.patch | 58 ++++++++++++++++++++
 2 files changed, 79 insertions(+)
 create mode 100644 teleport-18/upgrade-quic-go-to-v0.53.0.patch
diff --git a/teleport-18.yaml b/teleport-18.yaml
index 66ec37b5553..2f96a08c571 100644
--- a/teleport-18.yaml
+++ b/teleport-18.yaml
@@ -42,6 +42,18 @@ pipeline:
 expected-commit: 921ebcb53aca615ad432b6c1ec29a8adf5454d34
 tag: v${{package.version}}
 
+ - uses: go/bump
+ with:
+ deps: |-
+ github.com/quic-go/quic-go@v0.54.1
+ modroot: integrations/terraform
+
+ - uses: go/bump
+ with:
+ deps: |-
+ github.com/quic-go/quic-go@v0.54.1
+ modroot: integrations/terraform-mwi
+
 - uses: go/bump
 with:
 deps: |-
@@ -56,6 +68,15 @@ pipeline:
 with:
 patches: bulk-memory.patch
 
+ # This patch is in order to remediate GHSA-47m2-4cr7-mhcw
+ # quic-go introduced API changes in v0.53.0 and in order to remediate
+ # the CVE we need to apply the patches from upstream that allo quic-go
+ # to be upgraded to v0.53.0
+ # https://github.com/gravitational/teleport/pull/56302
+ - uses: patch
+ with:
+ patches: upgrade-quic-go-to-v0.53.0.patch
+
 - runs: |
 mkdir -p "${{targets.contextdir}}"/var/lib/teleport
 mkdir -p "${{targets.contextdir}}"/usr/local/bin
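Review bot: The comment added above the `patch` step says the upstream changes allow quic-go to be upgraded to v0.53.0, and the patch file is named `upgrade-quic-go-to-v0.53.0.patch`, but all three `go/bump` steps visible in this file pin `github.com/quic-go/quic-go@v0.54.1`; a reader can conclude that v0.53.0 is the remediated version, which is not what the build applies. Reword it to state what is actually done, e.g. `# quic-go v0.53.0 changed its API (Connection/EarlyConnection -> *Conn); this patch ports lib/proxy/peer/quic to it so the module can be bumped to v0.54.1 for GHSA-47m2-4cr7-mhcw (upstream: https://github.com/gravitational/teleport/pull/56302)`, which also fixes the `allo` typo. Whether v0.54.1 is the first release carrying the fix is not visible in this diff, so keep the advisory id in the comment so the next bump can check it. The ordering is right: the patch is applied after `git-checkout` pins `expected-commit`, so the patched tree is reproducible.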
diff --git a/teleport-18/upgrade-quic-go-to-v0.53.0.patch b/teleport-18/upgrade-quic-go-to-v0.53.0.patch
new file mode 100644
index 00000000000..60a4ef82f6b
--- /dev/null
+++ b/teleport-18/upgrade-quic-go-to-v0.53.0.patch
@@ -0,0 +1,58 @@
+diff --git a/lib/proxy/peer/quic/client.go b/lib/proxy/peer/quic/client.go
+index b230f111c2..8e0e5d074a 100644
+--- a/lib/proxy/peer/quic/client.go
++++ b/lib/proxy/peer/quic/client.go
+@@ -278,7 +278,7 @@ func (c *ClientConn) Dial(nodeID string, src net.Addr, dst net.Addr, tunnelType
+ return nil, trace.Wrap(err)
+ }
+ 
+- var conn quic.Connection = earlyConn
++ conn := earlyConn
+ defer func() {
+ if err == nil {
+ return
+@@ -466,7 +466,7 @@ func (c *ClientConn) Ping(ctx context.Context) error {
+ // response buffer. Request and response are length-prefixed by a 32 bit little
+ // endian integer, but the buffer size is also limited by [quicMaxMessageSize].
+ // The given request buffer should already be length-prefixed.
+-func sendUnary(deadline time.Time, sizedReqBuf []byte, conn quic.Connection) (_ []byte, _ quic.Stream, err error) {
++func sendUnary(deadline time.Time, sizedReqBuf []byte, conn *quic.Conn) (_ []byte, _ *quic.Stream, err error) {
+ stream, err := conn.OpenStream()
+ if err != nil {
+ return nil, nil, trace.Wrap(err)
+@@ -501,8 +501,8 @@ func sendUnary(deadline time.Time, sizedReqBuf []byte, conn quic.Connection) (_
+ // streamConn is a [net.Conn] using a single [quic.Stream] in a dedicated
+ // [quic.Connection].
+ type streamConn struct {
+- st quic.Stream
+- conn quic.Connection
++ st *quic.Stream
++ conn *quic.Conn
+ 
+ src net.Addr
+ dst net.Addr
+diff --git a/lib/proxy/peer/quic/server.go b/lib/proxy/peer/quic/server.go
+index 2931837907..2fe87f7551 100644
+--- a/lib/proxy/peer/quic/server.go
++++ b/lib/proxy/peer/quic/server.go
+@@ -209,7 +209,7 @@ func (s *Server) Serve(transport *quic.Transport) error {
+ }
+ }
+ 
+-func (s *Server) handleConn(conn quic.EarlyConnection) {
++func (s *Server) handleConn(conn *quic.Conn) {
+ log := s.log.With(
+ "remote_addr", conn.RemoteAddr().String(),
+ "internal_id", uuid.NewString(),
+@@ -250,7 +250,7 @@ func (s *Server) handleConn(conn quic.EarlyConnection) {
+ }
+ }
+ 
+-func (s *Server) handleStream(stream quic.Stream, conn quic.EarlyConnection, log *slog.Logger) {
++func (s *Server) handleStream(stream *quic.Stream, conn *quic.Conn, log *slog.Logger) {
+ log = log.With("stream_id", stream.StreamID())
+ log.DebugContext(conn.Context(), "handling stream")
+ defer log.DebugContext(conn.Context(), "done handling stream")
+-- 
+2.51.0
+
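Review bot: The doc comment kept as context above `type streamConn struct` still says `using a single [quic.Stream] in a dedicated [quic.Connection]`, while the two fields directly under it are changed to `*quic.Stream` and `*quic.Conn`, so the comment now links a type the ported code no longer uses; change it to `// streamConn is a [net.Conn] using a single [*quic.Stream] in a dedicated [*quic.Conn].`. The bodies of `handleConn` and `handleStream` in server.go continue past the hunk; the old `quic.EarlyConnection` parameter implied a 0-RTT-capable accept path, and the new `*quic.Conn` type does not by itself say whether the body still waits on `conn.HandshakeComplete()` before trusting peer identity from `conn.ConnectionState()`, so that ordering is worth confirming in the full file rather than assumed from this type change. The commit message describes this as a partial import of upstream PR 56302; any other caller of the removed `quic.Connection`/`quic.EarlyConnection` types outside these two files would fail at compile time rather than silently, so a successful package build is the check that nothing was missed.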