Recommended Actions
Action Required
Immediate upgrade is highly recommended to address CVE-2024-24791 and benefit from the latest security patches in underlying dependencies.
Summary
cert-manager v1.18.6 delivers critical security enhancements, primarily addressing the CVE-2024-24791 vulnerability found in the Go standard library’s HTTP/2 implementation. This high-severity fix mitigates a potential denial-of-service risk, making an immediate upgrade essential for operational security. Beyond the Go toolchain bump to 1.24.13, this release also incorporates refreshed distroless base images (Debian 12). These updates bring the latest security patches from the Debian ecosystem, ensuring a more robust and secure runtime environment for your cert-manager deployments. No new features or breaking changes are introduced; this is a focused stability and security release. Operations engineers should prioritize this update to safeguard their Kubernetes clusters and maintain certificate issuance integrity. Review the release notes for full details.
Go Toolchain Update: Patching CVE-2024-24791
Security Advisory
CVE ID: CVE-2024-24791
CVSS Score: 7.5 (High)
This release includes a crucial update to the underlying Go toolchain, moving from Go 1.24.12 to 1.24.13. This isn’t just a routine bump; it specifically addresses CVE-2024-24791, a high-severity vulnerability within the Go standard library’s HTTP/2 implementation. Patching this vulnerability is vital as it prevents a potential denial-of-service (DoS) attack, safeguarding the stability and availability of your cert-manager instances.
The update primarily involves modifying the VENDORED_GO_VERSION variable and its associated SHA256 checksums within the build configuration; the version selects the patched toolchain and the checksums pin the exact toolchain archive the build is allowed to use, so every cert-manager binary is compiled with the patched Go version and inherits its security fixes. No changes are required in user-facing configurations or APIs; the benefits are applied transparently through the upgrade.
Source:
Base Image Refresh for Enhanced Security
To further bolster the security posture of cert-manager, this release incorporates updated distroless base images (Debian 12). These minimal, secure images are the foundation for cert-manager’s containers, and their refresh brings the latest security patches and bug fixes from the underlying Debian 12 operating system. This proactive update helps protect against newly discovered vulnerabilities in core system libraries, ensuring a more resilient and secure environment for your certificate management operations.
The make/base_images.mk file has been updated with new SHA256 checksums for both the static-debian12 and base-debian12 distroless images across all supported architectures (amd64, arm64, s390x, arm, ppc64le). Because the images are pinned by SHA256 digest rather than by a mutable tag, a cert-manager container build pulls exactly the refreshed images recorded in that file, not whatever a tag happens to point to at build time. For users, this means that their cert-manager deployments will automatically run on a foundation with the latest OS-level security fixes upon upgrade.
Source:
make/base_images.mk(1-12)
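As a worked illustration of the two pins this release updates (the toolchain checksum next to VENDORED_GO_VERSION and the digest-pinned base images in make/base_images.mk), the following POSIX shell script is an added example, not code from cert-manager's build. It reads a pinned value out of a makefile-style fragment, refuses an archive whose SHA256 does not match the pin, and accepts an image reference only when it carries a full sha256 digest. VENDORED_GO_VERSION is the variable named in these notes; GO_TARBALL_SHA256, the makefile fragment, the temporary archive and the image digests are constructed for the example.

```shell
#!/bin/sh
# Added example, not cert-manager project code: the checks behind a pinned
# build configuration like the one this release updates.
#   1. a downloaded toolchain archive must match the SHA256 pinned in the
#      build config (mismatch = the build is refused);
#   2. container base-image references are accepted only when pinned by digest.
# VENDORED_GO_VERSION is the variable the release notes name; GO_TARBALL_SHA256
# and the makefile fragment below are constructed for this example.
set -eu

# Extract the value of a "KEY := value" (or "KEY = value") line read on stdin.
pinned_value() {
  sed -n "s/^$1[[:space:]]*:\{0,1\}=[[:space:]]*//p" | head -n 1
}

# SHA256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Returns 0 when the archive's digest equals the pinned one, 1 otherwise.
# The comparison is exact: a single differing byte in the archive fails it.
verify_pinned_checksum() {
  archive="$1"; pinned="$2"
  actual="$(sha256_of "$archive")"
  if [ "$actual" = "$pinned" ]; then
    printf 'OK   %s matches pinned checksum\n' "$archive"
    return 0
  fi
  printf 'FAIL %s: pinned %s, actual %s\n' "$archive" "$pinned" "$actual" >&2
  return 1
}

# Returns 0 when an image reference ends in a full sha256 digest, 1 otherwise.
# A tag (":debian12") can be re-pointed on the registry; "@sha256:<64 hex>"
# names exactly one image manifest, which is what a checksum-pinned build wants.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Constructed build-config fragment (only VENDORED_GO_VERSION is a real name).
MAKEFILE_FRAGMENT='VENDORED_GO_VERSION := 1.24.13
GO_TARBALL_SHA256 := REPLACE_WITH_PINNED_DIGEST'

demo() {
  tmp="$(mktemp)"
  printf 'constructed stand-in for a go toolchain archive\n' > "$tmp"
  good="$(sha256_of "$tmp")"
  verify_pinned_checksum "$tmp" "$good"
  # A mismatched or tampered download: the pinned value differs, build refused.
  verify_pinned_checksum "$tmp" \
    "0000000000000000000000000000000000000000000000000000000000000000" \
    || echo "build refused"
  rm -f "$tmp"
  printf 'vendored Go version: %s\n' \
    "$(printf '%s\n' "$MAKEFILE_FRAGMENT" | pinned_value VENDORED_GO_VERSION)"
  # Constructed references: one by mutable tag, one by digest.
  for ref in \
    'gcr.io/distroless/static-debian12:nonroot' \
    'gcr.io/distroless/static-debian12@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
  do
    if is_digest_pinned "$ref"; then echo "pinned   $ref"; else echo "UNPINNED $ref"; fi
  done
}

# Run the demonstration only when invoked as: sh verify_pins.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Invoked with `--demo` the script prints one OK line, one FAIL line followed by "build refused", the pinned Go version, and a pinned/UNPINNED verdict for each image reference; sourced without arguments it only defines the functions, so the same checks can be wired into a CI step that exits non-zero on any mismatch.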
Minor Updates & Housekeeping
This release primarily focuses on critical security updates. It includes a bump of the vendored Go version to 1.24.13 and a refresh of the distroless Debian 12 base images to their latest secure versions.