Kubernetes Security

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is strongly recommended to address multiple high-severity security vulnerabilities. Review updates to the vendored ACME client, particularly the deprecation of TLS-SNI-01 and TLS-SNI-02 challenge types, which may impact custom ACME integrations. 📝 Summary cert-manager v1.18.4 lands with vital security fixes and significant ACME protocol updates. This release addresses multiple high-severity CVEs in the underlying Go toolchain and various golang.org/x dependencies, demanding your prompt attention to safeguard your Kubernetes clusters. Beyond security, we’ve refined ACME challenge handling, notably deprecating the insecure TLS-SNI-01 and TLS-SNI-02 challenge types. On the bright side, TLS-ALPN-01 now gracefully supports IP address identifiers, expanding its utility for diverse network configurations. Core components also see a Go version bump and updated distroless base images, boosting overall stability. Upgrade now to secure your certificate management and benefit from improved ACME capabilities. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended to ensure certificate name constraints are correctly applied, enhancing the security and validity of issued certificates. cert-manager v1.17.4 is a targeted patch release addressing a critical bug in how URI name constraints are applied during certificate signing request (CSR) generation. Previously, Permitted.URIDomains were incorrectly treated as excluded, potentially leading to misconfigurations in certificate issuance policies. This fix ensures that your defined URI name constraints are honored as intended, bolstering the integrity and security of your issued certificates. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address several security vulnerabilities in core dependencies and ensure the continued stability of your cert-manager deployments. This cert-manager v1.17.2 release delivers vital security updates by patching multiple Go dependencies that address various CVEs. Beyond these critical fixes, we’ve also refreshed our Go toolchain and base images, ensuring a more robust and secure foundation for your certificate management needs. ...