⚠️ Action Required
Immediate review recommended for all users. Upgrade promptly to benefit from critical security hardening, fix potential denial-of-service vectors, and enhance certificate issuance reliability.


πŸ“ Summary

cert-manager v1.19.3 delivers crucial security enhancements and improved issuance robustness. This release directly addresses GHSA-gx3x-vq4p-mhhv, preventing a potential panic in the ACME DNS solver that could lead to denial-of-service. This high-severity fix solidifies the reliability of your ACME challenges. We’ve also introduced a vital new check: certificate issuance will now fail if the public key in the signed certificate doesn’t match the original Certificate Signing Request (CSR). This prevents infinite re-issuance loops with misconfigured external issuers, ensuring cryptographic integrity. Furthermore, the HTTP-01 solver gained more robust handling of IPv6 address literals, improving compliance and reliability for diverse network configurations. Essential tooling updates, including Go 1.25.6 and Kind 0.31.0, round out this focused release. Upgrade to boost the security and stability of your certificate management.


🔒 Addressing GHSA-gx3x-vq4p-mhhv: Robust ACME DNS Zone Finding

🔒 Security Advisory
Advisory ID: GHSA-gx3x-vq4p-mhhv
CVSS Score: 7.5 (High)

A high-severity vulnerability identified as GHSA-gx3x-vq4p-mhhv has been patched, enhancing the stability and security of the ACME DNS solver. Previously, cert-manager could panic when processing a cached DNS response if the SOA (Start of Authority) record wasn’t the very first entry in the answer list. This could lead to a denial-of-service scenario for the cert-manager controller. The fix ensures that the DNS utility locates the SOA record regardless of its position, making ACME DNS challenges resilient to maliciously crafted or non-standard DNS responses.

The FindZoneByFqdn function in the ACME DNS solver now explicitly iterates through all DNS Answer records to identify the SOA record. Instead of assuming the SOA record is at Answer[0], it safely checks each entry, preventing a panic if the response structure differs from expectations. This makes the DNS resolution process more robust against variations in DNS server behavior or potential exploits.

// Before:
// return cachedEntryItem.Response.Answer[0].(*dns.SOA).Hdr.Name, nil

// After:
for _, ans := range cachedEntryItem.Response.Answer {
	if soa, ok := ans.(*dns.SOA); ok {
		return soa.Hdr.Name, nil
	}
}
return "", fmt.Errorf("cached response has no SOA record")

Source:

  • pkg/issuer/acme/dns/util/fqdn_test.go (1-111)
  • pkg/issuer/acme/dns/util/wait.go (312-320)
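The following is an added, self-contained illustration of the defect class and the fix, not code from the cert-manager repository. It uses constructed stand-in record types (RR, SOA, CNAME) instead of the miekg/dns types cert-manager uses, and a constructed answer section in which a CNAME precedes the SOA, so the pre-fix and post-fix lookups can be compared side by side without crashing the process.

```go
package main

import (
	"errors"
	"fmt"
)

// RR is a constructed stand-in for a DNS resource record in a response's
// Answer section (cert-manager uses the miekg/dns RR interface instead).
type RR interface {
	Header() string
}

// SOA and CNAME are constructed record types; only the owner name matters here.
type SOA struct{ Name string }
type CNAME struct{ Name, Target string }

func (r *SOA) Header() string   { return r.Name }
func (r *CNAME) Header() string { return r.Name }

// zoneFromAnswerUnsafe mirrors the pre-fix logic: it assumes Answer[0] is the
// SOA record. The unchecked type assertion panics when it is not, and the
// index expression panics when the answer section is empty.
func zoneFromAnswerUnsafe(answer []RR) string {
	return answer[0].(*SOA).Name
}

// zoneFromAnswer mirrors the fixed logic: scan every record, return the first
// SOA, and report a plain error (no panic) when none is present.
func zoneFromAnswer(answer []RR) (string, error) {
	for _, ans := range answer {
		if soa, ok := ans.(*SOA); ok {
			return soa.Name, nil
		}
	}
	return "", errors.New("cached response has no SOA record")
}

// safeCall runs f and reports whether it panicked, so the two variants can be
// compared in one process. A controller loop has no such guard, which is why
// the original bug was a denial-of-service vector.
func safeCall(f func() string) (zone string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return f(), false
}

// sampleAnswer is a constructed answer section in which a CNAME precedes the
// SOA, the shape the advisory describes.
func sampleAnswer() []RR {
	return []RR{
		&CNAME{Name: "_acme-challenge.www.example.com.", Target: "_acme-challenge.example.com."},
		&SOA{Name: "example.com."},
	}
}

func main() {
	ans := sampleAnswer()
	_, panicked := safeCall(func() string { return zoneFromAnswerUnsafe(ans) })
	fmt.Println("pre-fix lookup panicked:", panicked)

	zone, err := zoneFromAnswer(ans)
	fmt.Println("post-fix zone:", zone, "err:", err)

	_, err = zoneFromAnswer(nil)
	fmt.Println("post-fix on empty answer:", err)
}
```

The same pattern applies to any positional type assertion on externally supplied data: a response whose first record is a CNAME, or an empty answer section, is enough to take the pre-fix path down, while the loop-and-check version degrades to an ordinary error that the caller can log and retry.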

πŸ›‘οΈ Enhanced Certificate Issuance: Public Key Mismatch Detection

To bolster the integrity and reliability of certificate issuance, cert-manager now performs a critical validation step: it verifies that the public key contained within a newly signed certificate precisely matches the public key specified in the original Certificate Signing Request (CSR). This improvement prevents scenarios where a misconfigured or malicious external issuer might return a certificate with a different public key than requested, which could lead to an invalid certificate being stored or, worse, an infinite re-issuance loop, exhausting resources.

The controller now decodes the issued certificate and compares its public key with the public key derived from the CSR. If a mismatch is detected, the issuance process will gracefully fail with a specific reason, preventing the certificate from being stored and providing clear diagnostic information. This ensures that only cryptographically valid and correctly issued certificates are accepted, significantly improving the trustworthiness of your certificate infrastructure.

// pkg/controller/certificates/issuing/issuing_controller.go
...
	x509Cert, err := utilpki.DecodeX509CertificateBytes(req.Status.Certificate)
	// ... error handling ...
	certMatchesCSR, err := utilpki.PublicKeysEqual(x509Cert.PublicKey, csr.PublicKey)
	// ... error handling ...
	if !certMatchesCSR {
		return c.failIssueCertificate(ctx, log, crt, &cmapi.CertificateRequestCondition{
			Type:    cmapi.CertificateRequestConditionReady,
			Status:  cmmeta.ConditionFalse,
			Reason:  "InvalidCertificate",
			Message: "Issuer returned a certificate with a public key that does not match the CSR. This usually indicates a misconfigured issuer.",
		})
	}
...

Source:

  • pkg/controller/certificates/issuing/issuing_controller.go (336-365)
  • pkg/controller/certificates/issuing/issuing_controller_test.go (1369-1416)
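As an added example (independent code, not cert-manager's own controller or its utilpki helpers), the check below generates a CSR, plays the role of an external issuer that returns either the requested key or an unrelated one, and applies the public-key comparison the release introduces. The subject name svc.example.internal, the helper names, and the self-signed issuer are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// publicKeysEqual reports whether two public keys are the same key. Every
// standard-library public key type (RSA, ECDSA, Ed25519) implements Equal;
// an unknown type is rejected rather than silently accepted.
func publicKeysEqual(a, b crypto.PublicKey) (bool, error) {
	ak, ok := a.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false, fmt.Errorf("unsupported public key type %T", a)
	}
	return ak.Equal(b), nil
}

// checkIssuedCertificate is the guard described above: decode the issued
// certificate and refuse it when its public key is not the CSR's key.
func checkIssuedCertificate(certDER []byte, csr *x509.CertificateRequest) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("decoding issued certificate: %w", err)
	}
	match, err := publicKeysEqual(cert.PublicKey, csr.PublicKey)
	if err != nil {
		return err
	}
	if !match {
		return fmt.Errorf("InvalidCertificate: issuer returned a certificate with a public key that does not match the CSR")
	}
	return nil
}

// signForCSR plays the external issuer. It copies subject and SANs from the
// CSR but embeds pub, which a correct issuer would always take from the CSR;
// passing a different key simulates the misconfiguration the check catches.
// The certificate is self-signed with issuerKey to keep the example short.
func signForCSR(csr *x509.CertificateRequest, pub crypto.PublicKey, issuerKey crypto.Signer) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, issuerKey)
}

// must is a setup helper: key generation and encoding failures are not what
// this example is about, so they abort rather than clutter the scenario.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario builds a CSR and obtains two certificates for it: one carrying the
// CSR's key and one carrying an unrelated key. It returns the check result for
// each (nil means the certificate would be accepted and stored).
func Scenario() (matchErr, mismatchErr error) {
	requestKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrDER := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: "svc.example.internal"}, // constructed name
		DNSNames: []string{"svc.example.internal"},
	}, requestKey))
	csr := must(x509.ParseCertificateRequest(csrDER))

	issuerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	strayKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the wrong key

	goodDER := must(signForCSR(csr, csr.PublicKey, issuerKey))
	badDER := must(signForCSR(csr, strayKey.Public(), issuerKey))
	return checkIssuedCertificate(goodDER, csr), checkIssuedCertificate(badDER, csr)
}

func main() {
	matchErr, mismatchErr := Scenario()
	fmt.Println("certificate with CSR key:", matchErr)
	fmt.Println("certificate with stray key:", mismatchErr)
}
```

Failing closed here matters for more than correctness: a stored certificate whose key does not match the private key held by the workload is unusable, and a controller that stores it, notices the mismatch on the next reconcile and requests again is exactly the re-issuance loop the release notes describe.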

🌐 HTTP-01 Solver Improvement: Better IPv6 Address Handling

The HTTP-01 ACME solver has received a refinement to its parseHost function, leading to more accurate and compliant handling of IPv6 address literals. This enhancement ensures that the solver correctly extracts the host portion from IPv6 addresses, particularly those enclosed in square brackets as per RFC 3986 and RFC 9110, improving the reliability of HTTP-01 challenges in modern, IPv6-heavy environments.

The updated parseHost logic now leverages net.SplitHostPort for addresses with ports and then strings.Trim for square brackets, providing a robust method for extracting the host regardless of whether it’s an FQDN, IPv4, or bracketed IPv6 address. This brings cert-manager’s HTTP-01 challenge processing into closer alignment with standard URI host syntax, preventing potential parsing errors.

// Before:
// addrPort, err := netip.ParseAddrPort(s)
// ...
// addr, err := netip.ParseAddr(s)
// ...
// host := strings.Split(s, ":")
// return host[0]

// After:
if host, _, err := net.SplitHostPort(s); err == nil {
	return host
}
return strings.Trim(s, "[]")

Source:

  • pkg/issuer/acme/http/solver/solver.go (117-133)
  • pkg/issuer/acme/http/solver/solver_test.go (135-197)
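To show what the change buys, here is an added stand-alone example (not the solver's code) that places an approximation of the pre-fix fallback chain next to the fixed parseHost and runs both over constructed Host header values. The legacy version is reconstructed from the outline shown above, so its exact return values are an assumption; hostMatches is a constructed illustration of how a solver consumes the parsed host.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// parseHostLegacy approximates the pre-fix chain: try "addr:port", then a bare
// address, then split on the first colon. The last step is what truncates a
// bracketed IPv6 literal that carries no port.
func parseHostLegacy(s string) string {
	if ap, err := netip.ParseAddrPort(s); err == nil {
		return ap.Addr().String()
	}
	if a, err := netip.ParseAddr(s); err == nil {
		return a.String()
	}
	return strings.Split(s, ":")[0]
}

// parseHost follows the fixed approach: net.SplitHostPort handles "host:port"
// and "[v6]:port" (and strips the brackets itself); for port-less input it
// trims any surrounding brackets so "[2001:db8::1]" and "2001:db8::1" agree.
func parseHost(s string) string {
	if host, _, err := net.SplitHostPort(s); err == nil {
		return host
	}
	return strings.Trim(s, "[]")
}

// hostMatches is how an HTTP-01 solver would consume parseHost: compare the
// Host header's host part against the domain the challenge was issued for.
// DNS names are case-insensitive, so the comparison is too.
func hostMatches(hostHeader, expectedDomain string) bool {
	return strings.EqualFold(parseHost(hostHeader), expectedDomain)
}

func main() {
	// Constructed Host header values of the kinds RFC 9110 permits.
	inputs := []string{
		"example.com",
		"example.com:8089",
		"192.0.2.10:8089",
		"[2001:db8::1]",
		"[2001:db8::1]:8089",
		"2001:db8::1",
	}
	for _, h := range inputs {
		fmt.Printf("%-20s legacy=%-14s fixed=%s\n", h, parseHostLegacy(h), parseHost(h))
	}
}
```

The interesting row is the bracketed literal without a port: neither netip parser accepts it, so the old fallback returns "[2001", which can never match the challenge's expected host. The fixed version yields "2001:db8::1" for both the bracketed and unbracketed spellings, which is what the RFC 3986 host syntax requires.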

Minor Updates & Housekeeping

This release includes a bump of the Go toolchain to v1.25.6, an upgrade of the kind testing tool to v0.31.0 along with updated Kind images to support Kubernetes v1.35, and general updates to distroless base images for all architectures.