cert-manager(v1.18.6): Crucial Go Toolchain Security Update and Base Image Refresh

📋 Recommended Actions

⚠️ Action Required: Immediate upgrade is highly recommended to address CVE-2024-24791 and benefit from the latest security patches in underlying dependencies.

📝 Summary

cert-manager v1.18.6 delivers critical security enhancements, primarily addressing the CVE-2024-24791 vulnerability found in the Go standard library’s HTTP/2 implementation. This high-severity fix mitigates a potential denial-of-service risk, making an immediate upgrade essential for operational security. Beyond the Go toolchain bump to 1.24.13, this release also incorporates refreshed distroless base images (Debian 12). These updates bring the latest security patches from the Debian ecosystem, ensuring a more robust and secure runtime environment for your cert-manager deployments. No new features or breaking changes are introduced; this is a focused stability and security release. Operations engineers should prioritize this update to safeguard their Kubernetes clusters and maintain certificate issuance integrity. Review the release notes for full details. ...

February 24, 2026 · Daniel Grenemark

cert-manager(v1.18.4): Crucial Security Patches and ACME Protocol Enhancements

📋 Recommended Actions

⚠️ Action Required: Immediate upgrade is strongly recommended to address multiple high-severity security vulnerabilities. Review updates to the vendored ACME client, particularly the deprecation of TLS-SNI-01 and TLS-SNI-02 challenge types, which may impact custom ACME integrations.

📝 Summary

cert-manager v1.18.4 lands with vital security fixes and significant ACME protocol updates. This release addresses multiple high-severity CVEs in the underlying Go toolchain and various golang.org/x dependencies, demanding your prompt attention to safeguard your Kubernetes clusters. Beyond security, we’ve refined ACME challenge handling, notably deprecating the insecure TLS-SNI-01 and TLS-SNI-02 challenge types. On the bright side, TLS-ALPN-01 now gracefully supports IP address identifiers, expanding its utility for diverse network configurations. Core components also see a Go version bump and updated distroless base images, boosting overall stability. Upgrade now to secure your certificate management and benefit from improved ACME capabilities. ...

December 9, 2025 · Daniel Grenemark

cert-manager(v1.17.4): Critical Fix for URI Name Constraints Ensures Correct Certificate Issuance

📋 Recommended Actions

⚠️ Action Required: Immediate upgrade recommended to ensure certificate name constraints are correctly applied, enhancing the security and validity of issued certificates.

cert-manager v1.17.4 is a targeted patch release addressing a critical bug in how URI name constraints are applied during certificate signing request (CSR) generation. Previously, Permitted.URIDomains were incorrectly treated as excluded, potentially leading to misconfigurations in certificate issuance policies. This fix ensures that your defined URI name constraints are honored as intended, bolstering the integrity and security of your issued certificates. ...

July 2, 2025 · Daniel Grenemark

cert-manager(v1.17.2): Crucial Security Patches and Dependency Refresh

📋 Recommended Actions

⚠️ Action Required: Immediate patching is highly recommended to address several security vulnerabilities in core dependencies and ensure the continued stability of your cert-manager deployments.

This cert-manager v1.17.2 release delivers vital security updates by patching multiple Go dependencies that address various CVEs. Beyond these critical fixes, we’ve also refreshed our Go toolchain and base images, ensuring a more robust and secure foundation for your certificate management needs. ...

April 24, 2025 · Daniel Grenemark