Recommended Actions
Action Required
Upgrade promptly. This release fixes a high-severity panic in the ACME DNS-01 solver (GHSA-gx3x-vq4p-mhhv) that could stop certificate issuance, and adds a check that an issued certificate carries the public key from the CSR it was requested with.
Summary
Cert-manager v1.18.5 fixes a high-severity panic in the ACME DNS-01 solver (GHSA-gx3x-vq4p-mhhv) that could leave the controller unable to process challenges. It also adds a check that the public key in an issued certificate matches the one in the CSR, and improves host parsing for IPv6 address literals in the HTTP-01 solver. Upgrading is recommended.
High-Severity Fix: ACME DNS-01 Solver Panic (GHSA-gx3x-vq4p-mhhv)
This release fixes GHSA-gx3x-vq4p-mhhv, a high-severity issue in the ACME DNS-01 solver that amounts to a denial of service against certificate issuance. When looking up the zone for a challenge name, the solver assumed that the SOA record would always be the first entry in the Answer section of the DNS response. If a DNS provider returned the SOA record at a different position, the code reading the first entry panicked and the solver crashed, leaving cert-manager unable to process new DNS-01 challenges and disrupting certificate issuance.
The fix replaces the direct access to the first element (Answer[0]) in the FindZoneByFqdn utility with a loop over every record in the Answer section, selecting the SOA wherever it appears. The zone is therefore identified correctly regardless of record order, and an unexpected order no longer crashes the solver.
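The two lookups side by side, as an added example that is not cert-manager's own code. It models the Answer section with small stand-in record types rather than a real DNS library (an assumption; the real solver's library types are not reproduced), and feeds both versions a constructed response in which a CNAME precedes the SOA:

```go
package main

import (
	"errors"
	"fmt"
)

// RR is a stand-in for a DNS resource record. The real solver uses a DNS
// library's record types; this example models only what the bug needs
// (assumption: the library's API is not reproduced here).
type RR interface{ Owner() string }

// CNAME and SOA are the two record types used in the constructed response.
type CNAME struct{ Name, Target string }
type SOA struct{ Name, Ns, Mbox string }

func (r *CNAME) Owner() string { return r.Name }
func (r *SOA) Owner() string   { return r.Name }

// Msg models the Answer section of a DNS response.
type Msg struct{ Answer []RR }

// zoneFromAnswerUnsafe mirrors the pre-fix logic: it assumes the SOA record
// is always the first answer. If the first record is of another type the type
// assertion panics; an empty Answer section panics with an index error.
func zoneFromAnswerUnsafe(in *Msg) string {
	soa := in.Answer[0].(*SOA)
	return soa.Owner()
}

var ErrNoSOA = errors.New("no SOA record in answer section")

// zoneFromAnswer mirrors the fixed logic: walk every record in the Answer
// section and use the first SOA wherever it appears. A response without any
// SOA yields an error rather than a panic (this example's choice; the page
// does not describe how the fix handles that case).
func zoneFromAnswer(in *Msg) (string, error) {
	for _, rr := range in.Answer {
		if soa, ok := rr.(*SOA); ok {
			return soa.Owner(), nil
		}
	}
	return "", ErrNoSOA
}

// constructedResponse is made-up data: a provider that answers the SOA query
// for a challenge name with a CNAME first and the zone's SOA second.
func constructedResponse() *Msg {
	return &Msg{Answer: []RR{
		&CNAME{Name: "_acme-challenge.www.example.com.", Target: "_acme-challenge.example.com."},
		&SOA{Name: "example.com.", Ns: "ns1.example.com.", Mbox: "hostmaster.example.com."},
	}}
}

// callUnsafe runs the pre-fix logic and reports whether it panicked, so the
// failure mode can be shown without crashing the process.
func callUnsafe(in *Msg) (zone string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return zoneFromAnswerUnsafe(in), false
}

func main() {
	in := constructedResponse()
	if _, panicked := callUnsafe(in); panicked {
		fmt.Println("pre-fix logic: panic on CNAME-before-SOA response")
	}
	zone, err := zoneFromAnswer(in)
	fmt.Printf("fixed logic: zone=%q err=%v\n", zone, err)
}
```

The recover in callUnsafe exists only to demonstrate the crash in-process; in the controller there is no such guard, which is why a single oddly ordered response took the solver down.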
Source:
Robust Issuance: Public Key Matching Validation for Certificates
Cert-manager now checks that the public key in an issued certificate matches the public key in the Certificate Signing Request (CSR) it sent to the issuer. A misconfigured or malicious issuer could otherwise return a certificate for a different key; cert-manager would then store that certificate next to a private key it does not belong to, and the pair would be unusable for TLS. The check ensures that the stored certificate is always usable with the private key in the target Secret.
When a signed certificate comes back from an issuer, cert-manager parses the X.509 certificate and compares its public key with the public key in the corresponding CSR. On a mismatch the issuance is marked as failed with the reason InvalidCertificate, and the controller backs off instead of retrying immediately. This avoids an endless loop of requesting and receiving unusable certificates from a problematic issuer.
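One way to implement this comparison with the Go standard library, as an added example rather than cert-manager's own code: generate a key, build a CSR for it, and have a constructed "issuer" return a self-signed certificate for either the same key (honest) or a fresh one (mismatch). The names publicKeyMatchesCSR, fixtures and ErrPublicKeyMismatch are this example's, not the project's.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrPublicKeyMismatch = errors.New("issued certificate public key does not match CSR public key")

func decodeCert(certPEM []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

func decodeCSR(csrPEM []byte) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("no CERTIFICATE REQUEST block in PEM input")
	}
	return x509.ParseCertificateRequest(block.Bytes)
}

// publicKeyMatchesCSR returns nil when the certificate and the CSR carry the
// same public key. *ecdsa.PublicKey, *rsa.PublicKey and ed25519.PublicKey all
// implement Equal(crypto.PublicKey), so one comparison covers every key type.
func publicKeyMatchesCSR(certPEM, csrPEM []byte) error {
	cert, err := decodeCert(certPEM)
	if err != nil {
		return err
	}
	csr, err := decodeCSR(csrPEM)
	if err != nil {
		return err
	}
	certKey, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return fmt.Errorf("unsupported public key type %T", cert.PublicKey)
	}
	if !certKey.Equal(csr.PublicKey) {
		return ErrPublicKeyMismatch
	}
	return nil
}

// fixtures is constructed test data: a CSR for csrKey and a self-signed
// certificate whose subject public key is certKey. Passing the same key for
// both models an honest issuer; different keys model an issuer that ignores
// the CSR's key.
func fixtures(csrKey, certKey *ecdsa.PrivateKey) (certPEM, csrPEM []byte, err error) {
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"},
	}, csrKey)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "www.example.com"},
		DNSNames:     []string{"www.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &certKey.PublicKey, certKey)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return certPEM, csrPEM, nil
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	requested := newKey()
	certPEM, csrPEM, err := fixtures(requested, requested)
	if err != nil {
		panic(err)
	}
	fmt.Println("honest issuer:", publicKeyMatchesCSR(certPEM, csrPEM))

	certPEM, csrPEM, err = fixtures(requested, newKey())
	if err != nil {
		panic(err)
	}
	fmt.Println("mismatching issuer:", publicKeyMatchesCSR(certPEM, csrPEM))
}
```

Comparing the parsed keys with Equal, rather than comparing the raw SubjectPublicKeyInfo bytes, tolerates encoding differences (for example an RSA key with or without an explicit NULL parameter) while still rejecting any actual key substitution.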
Source:
pkg/controller/certificates/issuing/issuing_controller.go (lines 336-368)
pkg/controller/certificates/issuing/issuing_controller_test.go (lines 1369-1406)
Improved HTTP-01 Solver: Enhanced IPv6 Address Literal Handling
The ACME HTTP-01 solver now parses the host of incoming challenge requests more carefully, in particular when it is an IPv6 address literal. The host portion is extracted correctly whether the IPv6 address arrives with or without square brackets and with or without a port, which makes challenge solving more reliable in IPv6 environments.
The parseHost utility function was refactored to handle the common host string shapes: [IPv6Address]:Port, IPv6Address without brackets (brackets are what RFC 3986 prescribes for a literal in a host:port string, but bare literals do occur), FQDN:Port and a bare FQDN. It relies on the standard library's net.SplitHostPort, which understands the bracketed and host:port forms and strips the brackets, and falls back to strings.Trim of the brackets when no port is present. A bare IPv6 literal cannot unambiguously carry a port, since the port separator is the same character as the address separators, so an unbracketed literal can only be read as an address with no port.
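An implementation of the described parsing, as an added example and not cert-manager's parseHost itself. It goes one step beyond the page by adding hostMatches, an illustrative helper (this example's name, not the project's) that compares the parsed host with the challenge's expected host case-insensitively for names and by address equality for IP literals, so differently written forms of the same IPv6 address compare equal:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// parseHost returns the host portion of an HTTP Host header value. Accepted
// shapes and results:
//
//	[2001:db8::1]:8089  -> 2001:db8::1
//	[2001:db8::1]       -> 2001:db8::1
//	2001:db8::1         -> 2001:db8::1  (bare IPv6 literal; cannot carry a port)
//	192.0.2.10:80       -> 192.0.2.10
//	example.com:8089    -> example.com
//	example.com         -> example.com
func parseHost(hostport string) string {
	// net.SplitHostPort understands "[v6]:port" and "name:port" and strips
	// the brackets from a bracketed literal.
	if host, _, err := net.SplitHostPort(hostport); err == nil {
		return host
	}
	// No parsable port: a bare name, a bracketed literal without a port, or a
	// bare IPv6 literal whose colons made SplitHostPort give up. Trimming the
	// brackets covers all three.
	return strings.Trim(hostport, "[]")
}

// hostMatches reports whether the Host header names the expected challenge
// host. IP literals are compared as addresses (so "[2001:DB8::1]" and
// "2001:db8:0:0:0:0:0:1" match); names are compared case-insensitively and
// without a trailing dot. This helper is an extension for illustration.
func hostMatches(hostHeader, expected string) bool {
	got, want := parseHost(hostHeader), parseHost(expected)
	if gip, wip := net.ParseIP(got), net.ParseIP(want); gip != nil && wip != nil {
		return gip.Equal(wip)
	}
	return strings.EqualFold(strings.TrimSuffix(got, "."), strings.TrimSuffix(want, "."))
}

func main() {
	// Constructed sample inputs, not captured traffic.
	for _, in := range []string{"[2001:db8::1]:8089", "[2001:db8::1]", "2001:db8::1", "example.com:8089", "example.com"} {
		fmt.Printf("%-20s -> %s\n", in, parseHost(in))
	}
	fmt.Println(hostMatches("[2001:DB8::1]:8089", "2001:db8:0:0:0:0:0:1"))
}
```

The one input this cannot disambiguate is an unbracketed IPv6 literal followed by ":port"; SplitHostPort rejects it with a "too many colons" error and the whole string is returned as the host, which will then fail the match against the expected address. Clients that follow RFC 3986 and bracket the literal do not hit this.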
Source:
Minor Updates & Housekeeping
This release also includes essential maintenance updates, such as bumping the Go toolchain to version 1.24.12 and refreshing the underlying distroless base images to their latest debian12 versions, contributing to a more secure and stable runtime environment.