โš ๏ธ Action Required
Immediate patching is highly recommended to address the OpenTelemetry security vulnerability (GO-2026-4394) and to benefit from the latest Go runtime and base image security updates.


๐Ÿ“ Summary

Cert-manager v1.19.4 is a security and maintenance release. It addresses a medium-severity vulnerability in the OpenTelemetry HTTP instrumentation (GO-2026-4394) through which sensitive data carried in HTTP headers could be exposed, updates the Go toolchain to 1.25.7 to pick up its latest bug fixes, and refreshes every distroless Debian 12 base image to its most recent build. Treat it as you would any security patch and schedule the upgrade soon.


🔒 Security Fix: OpenTelemetry Vulnerability (GO-2026-4394)

GO-2026-4394 is a medium-severity vulnerability in go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp through which sensitive values carried in HTTP headers could end up in trace or log data. cert-manager v1.19.4 upgrades its OpenTelemetry dependencies to versions that sanitize those headers before recording them, closing this information-disclosure path.

The fix is delivered by bumping the core OpenTelemetry modules to v1.40.0. The version changes appear in the go.mod files of the affected components (both entries are transitive dependencies, hence the // indirect marker):

-go.opentelemetry.io/otel v1.37.0 // indirect
+go.opentelemetry.io/otel v1.40.0 // indirect
-go.opentelemetry.io/otel/trace v1.37.0 // indirect
+go.opentelemetry.io/otel/trace v1.40.0 // indirect
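Review bot: this hunk bumps only the core modules go.opentelemetry.io/otel and go.opentelemetry.io/otel/trace, both marked // indirect, while the advisory text above names go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp as the affected package; the contrib otelhttp module is versioned separately from the core otel modules, so a core bump alone does not prove the vulnerable code is gone. Please show (or confirm) the corresponding bump of the otelhttp contrib module in the same go.mod files, and state its fixed version in the notes so operators can check their deployed binaries against it.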

go.opentelemetry.io/auto/sdk has also been updated from v1.1.0 to v1.2.1 in the controller and webhook modules, so that all OpenTelemetry components are on matching release lines.

Source:


โš™๏ธ Core Go Runtime and Dependency Upgrades

This release also moves cert-manager to a newer Go toolchain and updates several foundational Go dependencies, picking up the upstream stability, performance and security fixes that come with them.

The Go toolchain pinned for building cert-manager is now Go 1.25.7. The SHA256 checksums recorded for the toolchain archives on each supported platform are updated alongside it, so the build continues to verify what it downloads.

Several other foundational dependencies have also received updates:

  • golang.org/x/sys upgraded from v0.38.0 to v0.40.0.
  • github.com/rogpeppe/go-internal upgraded from v1.13.1 to v1.14.1 in the webhook and integration modules.

Together these keep cert-manager built with current, supported tooling.

Source:

  • make/_shared/tools/00_mod.mk (217, 440-443)
  • cmd/acmesolver/go.mod (40)
  • cmd/cainjector/go.mod (64)
  • cmd/controller/go.mod (144)
  • cmd/webhook/go.mod (75)
  • test/integration/go.mod (100)
  • cmd/webhook/go.sum (134-135)
  • test/integration/go.sum (159-160)
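
A check a cluster operator can run to confirm that the dependency and toolchain bumps described in the two sections above actually landed in the binaries they are running. This is an added example, not cert-manager's own tooling: it reads the module list the Go toolchain embeds in every binary (the same data `go version -m` prints) and compares it against the versions these notes list. The minimum versions are taken from the go.mod lines quoted above; the fixed version of the otelhttp contrib module is not stated on this page, so it is left for you to add from the advisory. The sample build info is constructed for illustration, not captured from a real image.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"runtime/debug"
	"strconv"
	"strings"
)

// MinimumVersions are the module versions cert-manager v1.19.4 ships with, copied
// from the go.mod changes in these release notes. The fixed version of
// go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp (the package
// GO-2026-4394 is reported against) is not stated on this page: add it from the
// advisory before relying on this check for that issue.
var MinimumVersions = map[string]string{
	"go.opentelemetry.io/otel":       "v1.40.0",
	"go.opentelemetry.io/otel/trace": "v1.40.0",
	"go.opentelemetry.io/auto/sdk":   "v1.2.1",
	"golang.org/x/sys":               "v0.40.0",
}

// MinimumGo is the toolchain the release is built with.
const MinimumGo = "go1.25.7"

// Finding is one module (or the toolchain) that is older than required.
type Finding struct {
	Path, Have, Want string
}

func (f Finding) String() string {
	return fmt.Sprintf("%s: have %s, want >= %s", f.Path, f.Have, f.Want)
}

// parseVersion splits "v1.40.0", "go1.25.7" or a pseudo-version such as
// "v0.0.0-20250101000000-abcdef123456" into a numeric triple plus a flag
// recording whether a pre-release/pseudo suffix was present.
func parseVersion(v string) (nums [3]int, pre bool) {
	v = strings.TrimPrefix(v, "go")
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata never affects ordering
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 { // pre-release or pseudo-version
		pre = true
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p) // a non-numeric component compares as 0
		nums[i] = n
	}
	return nums, pre
}

// olderThan reports whether have sorts before want. A pre-release or pseudo-version
// sorts before the release with the same numbers, which matters for commit pins.
func olderThan(have, want string) bool {
	h, hpre := parseVersion(have)
	w, wpre := parseVersion(want)
	for i := range h {
		if h[i] != w[i] {
			return h[i] < w[i]
		}
	}
	return hpre && !wpre
}

// CheckBuildInfo compares the module list embedded in a binary against the minimums.
// A replace directive overrides the nominal version, as it does at build time.
func CheckBuildInfo(bi *debug.BuildInfo, minimums map[string]string) []Finding {
	var findings []Finding
	if strings.HasPrefix(bi.GoVersion, "go") && olderThan(bi.GoVersion, MinimumGo) {
		findings = append(findings, Finding{"go (toolchain)", bi.GoVersion, MinimumGo})
	}
	for _, dep := range bi.Deps {
		want, tracked := minimums[dep.Path]
		if !tracked {
			continue
		}
		have := dep.Version
		if dep.Replace != nil {
			have = dep.Replace.Version
		}
		if olderThan(have, want) {
			findings = append(findings, Finding{dep.Path, have, want})
		}
	}
	return findings
}

// SampleBuildInfo is a constructed record, not captured from a real image, shaped
// like a pre-1.19.4 controller: older toolchain, otel still at v1.37.0.
func SampleBuildInfo() *debug.BuildInfo {
	return &debug.BuildInfo{
		GoVersion: "go1.25.5",
		Path:      "github.com/cert-manager/cert-manager/cmd/controller",
		Deps: []*debug.Module{
			{Path: "go.opentelemetry.io/otel", Version: "v1.37.0"},
			{Path: "go.opentelemetry.io/otel/trace", Version: "v1.37.0"},
			{Path: "go.opentelemetry.io/auto/sdk", Version: "v1.2.1"},
			{Path: "golang.org/x/sys", Version: "v0.40.0"},
		},
	}
}

func main() {
	bi := SampleBuildInfo()
	if len(os.Args) > 1 { // real use: pass a binary copied out of the cert-manager image
		var err error
		if bi, err = buildinfo.ReadFile(os.Args[1]); err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
	}
	findings := CheckBuildInfo(bi, MinimumVersions)
	for _, f := range findings {
		fmt.Println(f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it with no arguments to see the constructed sample flagged (toolchain, otel and otel/trace), or pass the path of a controller, webhook, cainjector or acmesolver binary copied out of the image to check a real deployment. For the full vulnerability database rather than this hand-maintained list, `govulncheck -mode=binary <binary>` performs the same module comparison against GO-2026-4394 and every other published Go advisory.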

📦 Base Image Refresh for Enhanced Security and Stability

Keeping base OS images current is a basic part of maintaining a secure software supply chain. This release updates all base images to the latest distroless/static-debian12 and distroless/base-debian12 builds, so that the statically and dynamically linked cert-manager components alike run on images carrying Debian's most recent security fixes.

make/base_images.mk records the new SHA256 digests for both the static and the dynamic distroless base image on every supported architecture (amd64, arm64, s390x, arm, ppc64le). The amd64 entries, for example:

-STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static-debian12@sha256:b55f6779fb7990fb7db5e272c69a4cd6ea7070f3195da71b5ae163bfdbef4f76
+STATIC_BASE_IMAGE_amd64 := gcr.io/distroless/static-debian12@sha256:340ba156c899ddac5ba57c5188b8e7cd56448eb7ee65b280574465eac2718ad2
-DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base-debian12@sha256:d5f7dca58e3db53d1de502bd1a747ecb1110cf6b0773af129f951ee11e2e3ed4
+DYNAMIC_BASE_IMAGE_amd64 := gcr.io/distroless/base-debian12@sha256:1f144c77a9ecaaa132fc3037b4417d9f9fd0b7a50101c696af5cb186876aa2a3
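Review bot: the hunk shows only the amd64 digests while the text claims all five architectures were refreshed; because these images are pinned by digest rather than by tag, a stale or mistyped digest for any one architecture is not caught by review and only surfaces as a manifest-not-found error when that platform is built. Please confirm each per-architecture digest resolves under gcr.io/distroless, and consider recording in a comment the upstream tag and date the digests were resolved from, so a later refresh can be audited against it.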

The change is transparent to users. Because the images are referenced by digest rather than by a mutable tag, every build gets exactly the image reviewed here; if you mirror or rebuild the images yourself, verify the new digests against what distroless publishes (the distroless images are signed with cosign, and the keyless identity to verify against is documented in the distroless README).

Source:

  • make/base_images.mk (1-10)

Minor Updates & Housekeeping

The LICENSES files of the affected components have been regenerated to reflect the updated OpenTelemetry dependencies, adding BSD-3-Clause entries where applicable.