CVE

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is recommended to address a high-severity DNS-01 solver stability issue (GHSA-gx3x-vq4p-mhhv) and ensure robust certificate issuance validation. 📝 Summary Cert-manager v1.18.5 delivers critical updates. It fixes a high-severity DNS-01 solver panic (GHSA-gx3x-vq4p-mhhv), preventing service disruptions. It also adds robust validation for issued certificates, ensuring public keys match CSRs, and improves HTTP-01 IPv6 handling. Upgrade now for enhanced stability and security! 🔒 High-Severity Fix: ACME DNS-01 Solver Panic (GHSA-gx3x-vq4p-mhhv) A critical vulnerability identified as GHSA-gx3x-vq4p-mhhv has been addressed in this release, preventing potential denial-of-service scenarios for the ACME DNS-01 solver. Previously, the solver would incorrectly assume that DNS SOA records would always be the first entry in a DNS query response. If a DNS provider returned the SOA record at a different position, cert-manager’s DNS-01 solver could panic and crash, making it unable to process new challenges and disrupting certificate issuance. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is strongly recommended to address multiple high-severity security vulnerabilities. Review updates to the vendored ACME client, particularly the deprecation of TLS-SNI-01 and TLS-SNI-02 challenge types, which may impact custom ACME integrations. 📝 Summary cert-manager v1.18.4 lands with vital security fixes and significant ACME protocol updates. This release addresses multiple high-severity CVEs in the underlying Go toolchain and various golang.org/x dependencies, demanding your prompt attention to safeguard your Kubernetes clusters. Beyond security, we’ve refined ACME challenge handling, notably deprecating the insecure TLS-SNI-01 and TLS-SNI-02 challenge types. On the bright side, TLS-ALPN-01 now gracefully supports IP address identifiers, expanding its utility for diverse network configurations. Core components also see a Go version bump and updated distroless base images, boosting overall stability. Upgrade now to secure your certificate management and benefit from improved ACME capabilities. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address several security vulnerabilities in core dependencies and ensure the continued stability of your cert-manager deployments. This cert-manager v1.17.2 release delivers vital security updates by patching multiple Go dependencies that address various CVEs. Beyond these critical fixes, we’ve also refreshed our Go toolchain and base images, ensuring a more robust and secure foundation for your certificate management needs. ...