⚠️ Action Required
Immediate patching is highly recommended to address CVE-2024-29018, a high-severity vulnerability in the gRPC dependency. Review updated E2E testing procedures if you maintain custom CI workflows.


📝 Summary

cert-manager v1.19.5 is a security and maintenance release. It addresses CVE-2024-29018, a high-severity vulnerability in the gRPC dependency that could lead to CPU exhaustion, so upgrading promptly is recommended. Beyond the security fix, the core Go runtime is bumped to version 1.25.9 and numerous transitive dependencies such as golang.org/x/crypto and cel.dev/expr are updated for improved stability and performance. Internal CI/CD workflows gain support for Kubernetes 1.35, and the upgrade E2E tests now pull charts from Helm OCI registries. Minor textual cleanups in CRD descriptions improve clarity. Together these changes pair a critical security fix with ongoing platform compatibility and foundational improvements; upgrade to secure your deployments and benefit from the stability work.


🔒 Critical Security Fix: gRPC Dependency Updated (CVE-2024-29018)

🔒 Security Advisory
CVE ID: CVE-2024-29018
CVSS Score: 7.5 (High)

This release includes a critical security update for the underlying gRPC dependency, addressing CVE-2024-29018. The vulnerability, rated High severity (CVSS 7.5), could lead to CPU exhaustion in affected applications through specially crafted requests. Because that is a denial-of-service vector against cert-manager instances, this is an urgent update.

We’ve upgraded google.golang.org/grpc to version v1.79.3. This update mitigates the CPU exhaustion vulnerability by integrating the necessary upstream patches. While cert-manager’s direct exposure to this particular gRPC vulnerability might vary based on your specific deployment and usage patterns, it is a crucial update for overall security hygiene and to protect against potential future exploitation paths. Timely updates like this ensure your cert-manager deployment remains resilient against emerging threats.

Source:


⚙️ Core Go Runtime and Tooling Upgrades

Keeping cert-manager’s foundation solid means regularly updating its core dependencies and development tooling. This release brings a bump to the Go runtime, ensuring we leverage the latest performance improvements, stability fixes, and security enhancements from the Go ecosystem. Furthermore, crucial development and CI tools like trivy and kind have been updated, streamlining our internal processes and improving the security posture of our build artifacts.

The Go runtime has been updated to Go 1.25.9. This includes numerous internal bug fixes and performance enhancements. Additionally, several Go modules have been updated across cmd/acmesolver, cmd/cainjector, cmd/controller, cmd/startupapicheck, cmd/webhook, go.mod, test/e2e, and test/integration to their latest versions, including:

  • golang.org/x/crypto to v0.49.0
  • golang.org/x/net to v0.52.0
  • golang.org/x/oauth2 to v0.34.0
  • golang.org/x/sync to v0.20.0
  • golang.org/x/sys to v0.42.0
  • golang.org/x/term to v0.41.0
  • golang.org/x/text to v0.35.0
  • cel.dev/expr to v0.25.1
  • github.com/go-jose/go-jose/v4 to v4.1.4
  • go.opentelemetry.io/otel packages to v1.43.0
  • google.golang.org/protobuf to v1.36.11

These transitive dependency updates collectively improve the reliability and security of cert-manager. For local development and CI, the trivy scanner has been updated to v0.69.2 for enhanced vulnerability detection, and kind to v0.31.0 for improved Kubernetes cluster bootstrapping in tests.
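One way to confirm that a built cert-manager binary actually carries the module versions listed above is to inspect it with `go version -m <binary>` and compare the reported `dep` lines against the release's floors. The program below is an added example, not cert-manager's own tooling: it parses that output format, compares MAJOR.MINOR.PATCH versions (pre-release and build suffixes are ignored), and reports any module below its minimum. The minimumVersions table, the sample output, and its placeholder module sums are all constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// minimumVersions holds floors taken from the v1.19.5 release notes above.
// Constructed for this example; extend it with the remaining modules as needed.
var minimumVersions = map[string]string{
	"google.golang.org/grpc": "v1.79.3",
	"golang.org/x/crypto":    "v0.49.0",
	"golang.org/x/net":       "v0.52.0",
}

// sampleGoVersionOutput imitates `go version -m controller` for a binary that
// still links older x/net and grpc modules. Constructed; the h1: sums are
// placeholders, not real checksums.
var sampleGoVersionOutput = strings.Join([]string{
	"controller: go1.25.9",
	"\tpath\tgithub.com/cert-manager/cert-manager/cmd/controller",
	"\tmod\tgithub.com/cert-manager/cert-manager\t(devel)",
	"\tdep\tgolang.org/x/crypto\tv0.49.0\th1:PLACEHOLDER=",
	"\tdep\tgolang.org/x/net\tv0.51.0\th1:PLACEHOLDER=",
	"\tdep\tgoogle.golang.org/grpc\tv1.78.0\th1:PLACEHOLDER=",
}, "\n")

// Finding describes a linked module that is older than the required floor.
type Finding struct {
	Module, Found, Required string
}

// parseSemver turns "v1.79.3" into [1 79 3]. Pre-release and build metadata
// ("-rc1", "+incompatible") are dropped, which is sufficient for a floor check.
func parseSemver(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("not a MAJOR.MINOR.PATCH version: %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("bad component %q in version %q", p, v)
		}
		out[i] = n
	}
	return out, nil
}

// olderThan reports whether version a is strictly older than version b.
func olderThan(a, b string) (bool, error) {
	av, err := parseSemver(a)
	if err != nil {
		return false, err
	}
	bv, err := parseSemver(b)
	if err != nil {
		return false, err
	}
	for i := 0; i < 3; i++ {
		if av[i] != bv[i] {
			return av[i] < bv[i], nil
		}
	}
	return false, nil
}

// parseDeps extracts module path -> version from `go version -m` output.
// A "=>" line records a replace directive, so its version overrides the
// preceding dep line: the replacement is what was actually compiled in.
func parseDeps(out string) map[string]string {
	deps := map[string]string{}
	last := ""
	for _, line := range strings.Split(out, "\n") {
		f := strings.Split(strings.TrimPrefix(line, "\t"), "\t")
		switch {
		case len(f) >= 3 && f[0] == "dep":
			deps[f[1]] = f[2]
			last = f[1]
		case len(f) >= 3 && f[0] == "=>" && last != "":
			deps[last] = f[2]
		}
	}
	return deps
}

// checkBinary returns, sorted by module path, every module in out that is
// linked at a version below its floor. Modules absent from the binary are
// skipped: there is nothing to assess for code that is not linked in.
func checkBinary(out string, floors map[string]string) ([]Finding, error) {
	deps := parseDeps(out)
	var findings []Finding
	for mod, required := range floors {
		found, ok := deps[mod]
		if !ok {
			continue
		}
		old, err := olderThan(found, required)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", mod, err)
		}
		if old {
			findings = append(findings, Finding{Module: mod, Found: found, Required: required})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Module < findings[j].Module })
	return findings, nil
}

func main() {
	findings, err := checkBinary(sampleGoVersionOutput, minimumVersions)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if len(findings) == 0 {
		fmt.Println("all checked modules meet the v1.19.5 floors")
	}
	for _, f := range findings {
		fmt.Printf("%s: found %s, release requires at least %s\n", f.Module, f.Found, f.Required)
	}
}
```

In practice you would feed `checkBinary` the real output of `go version -m` run against the binary extracted from a cert-manager image, which answers "is the build I am running already past the patched gRPC version" without relying on image tags alone.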

Source:

  • make/_shared/tools/00_mod.mk (217, 90)
  • hack/latest-kind-images.sh (36)
  • go.mod (37-40)

🧪 CI/CD Enhancements for Kubernetes 1.35 and Helm OCI

To keep cert-manager compatible with the rapidly evolving Kubernetes ecosystem, we’ve extended our continuous integration (CI) support to include Kubernetes 1.35. This ensures that future cert-manager releases are thoroughly tested against the latest Kubernetes versions. Additionally, our upgrade end-to-end (E2E) tests now fully embrace Helm OCI registries, aligning our testing infrastructure with modern cloud-native deployment practices for Helm charts.

The make/cluster.sh script has been updated to provision Kind clusters using Kubernetes 1.35* images, demonstrating cert-manager’s readiness for upcoming Kubernetes versions. This ensures early detection of any potential incompatibilities. Furthermore, the hack/verify-upgrade.sh script, which powers our Helm upgrade E2E tests, now directly pulls charts from an OCI registry (oci://quay.io/jetstack/charts/cert-manager). This shift simplifies the testing process by removing the need for helm repo add and helm repo update commands, making our CI more efficient and robust.

Source:


🧹 CRD Description Clarity Improvements

Even small textual details matter for clarity in documentation. This release includes minor but important cleanups within our Custom Resource Definition (CRD) descriptions. By removing non-breaking space characters, we ensure that the API documentation is consistently formatted and easier to read, preventing potential rendering issues in various tools and improving the overall developer experience when interacting with cert-manager’s API.

Non-breaking space characters (U+00A0) were removed from the nameserver field descriptions in the RFC2136 DNS01 provider configurations for Challenges, ClusterIssuers, and Issuers. Specifically, the description “If the host is an IPv6 address it must be enclosed in square brackets (e.g [2001:db8::1]) ; port is optional.” was corrected. This ensures consistent markdown rendering and improves readability.
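A character like this is easy to reintroduce by copy-paste and hard to spot in review. The Go program below is an added example, not part of cert-manager, that scans text (a CRD YAML fragment here) for non-breaking spaces, reports line and column, and rewrites the text with them removed as this release did. The sampleCRD snippet is a constructed reproduction of the affected description; the two extra look-alike characters in the table are an extension of this example beyond the U+00A0 case the release notes describe.

```go
package main

import (
	"fmt"
	"strings"
)

// Hit records one invisible-space character found in the scanned text.
type Hit struct {
	Line, Column int    // 1-based; Column counts runes, not bytes
	Name         string // Unicode name of the character found
}

// invisibleSpaces maps characters that render like an ordinary space but are
// not one. U+00A0 is what this release removed; the other two are added by
// this example so the same lint catches neighbouring look-alikes.
var invisibleSpaces = map[rune]string{
	'\u00A0': "U+00A0 NO-BREAK SPACE",
	'\u202F': "U+202F NARROW NO-BREAK SPACE",
	'\u2007': "U+2007 FIGURE SPACE",
}

// sampleCRD is a constructed fragment of a CRD description with the
// non-breaking space before the semicolon that this release removed.
var sampleCRD = strings.Join([]string{
	"              nameserver:",
	"                description: |-",
	"                  If the host is an IPv6 address it must be enclosed in square brackets",
	strings.Repeat(" ", 18) + "(e.g [2001:db8::1])\u00A0; port is optional.",
	"                type: string",
}, "\n")

// findInvisibleSpaces scans text line by line and reports every occurrence.
func findInvisibleSpaces(text string) []Hit {
	var hits []Hit
	for i, line := range strings.Split(text, "\n") {
		for col, r := range []rune(line) {
			if name, ok := invisibleSpaces[r]; ok {
				hits = append(hits, Hit{Line: i + 1, Column: col + 1, Name: name})
			}
		}
	}
	return hits
}

// replaceInvisibleSpaces substitutes repl for every such character. The
// release deleted them outright (repl == ""); pass " " instead when a plain
// deletion could glue two words together.
func replaceInvisibleSpaces(text, repl string) string {
	var b strings.Builder
	for _, r := range text {
		if _, ok := invisibleSpaces[r]; ok {
			b.WriteString(repl)
			continue
		}
		b.WriteRune(r)
	}
	return b.String()
}

func main() {
	for _, h := range findInvisibleSpaces(sampleCRD) {
		fmt.Printf("line %d, column %d: %s\n", h.Line, h.Column, h.Name)
	}
	fmt.Println(replaceInvisibleSpaces(sampleCRD, ""))
}
```

Run as a CI step over the generated CRD manifests, a non-empty result from `findInvisibleSpaces` is a reason to fail the build before the character reaches the published API documentation.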

Source:

  • deploy/charts/cert-manager/templates/crd-acme.cert-manager.io_challenges.yaml (406-407)
  • deploy/crds/cert-manager.io_issuers.yaml (530-531)
  • internal/apis/acme/types_issuer.go (649-650)
  • internal/generated/openapi/zz_generated.openapi.go (1647)

Minor Updates & Housekeeping

This release includes minor base image updates (gcr.io/distroless/static-debian12 and gcr.io/distroless/base-debian12) across various architectures to ensure a secure and up-to-date runtime environment for all cert-manager components. These updates are primarily for housekeeping and maintain the health of our build system.