Dependency Updates

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is strongly recommended to address multiple high-severity security vulnerabilities. Review updates to the vendored ACME client, particularly the deprecation of TLS-SNI-01 and TLS-SNI-02 challenge types, which may impact custom ACME integrations. 📝 Summary cert-manager v1.18.4 lands with vital security fixes and significant ACME protocol updates. This release addresses multiple high-severity CVEs in the underlying Go toolchain and various golang.org/x dependencies, demanding your prompt attention to safeguard your Kubernetes clusters. Beyond security, we’ve refined ACME challenge handling, notably deprecating the insecure TLS-SNI-01 and TLS-SNI-02 challenge types. On the bright side, TLS-ALPN-01 now gracefully supports IP address identifiers, expanding its utility for diverse network configurations. Core components also see a Go version bump and updated distroless base images, boosting overall stability. Upgrade now to secure your certificate management and benefit from improved ACME capabilities. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if you’re leveraging Kubernetes Gateway API or istioctl proxy-status. 📝 Summary Istio 1.27.1 delivers crucial bug fixes and valuable enhancements, bolstering operational stability and testing capabilities. This release notably improves Kubernetes Gateway API adoption by fixing a tag watcher issue that caused programming failures with revisioned installs. Users of istioctl proxy-status will find a more robust experience as its behavior when no proxies are found has been fixed to prevent breaking external tooling. We’ve also added comprehensive mTLS support to the Echo server, allowing for more detailed and accurate security testing. Core component reliability sees significant boosts with fixes for traffic policy validation (especially retry_budget) and improved istio-iptables logic that correctly handles IPv4/IPv6 states. Dependency updates ensure compatibility and security. These changes collectively enhance Istio’s stability and flexibility, making it even more dependable for your cloud-native deployments. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates for improved ACME challenge stability and awareness of updated Ingress-Nginx testing within cert-manager’s ecosystem. This cert-manager v1.17.3 patch release focuses on enhancing the reliability of certificate issuance and ensuring robust compatibility with other crucial Kubernetes ecosystem components. You’ll find a significant increase in the ACME challenge authorization timeout, which should lead to more successful certificate requests, particularly in environments with network latency or slower DNS propagation. Additionally, our end-to-end testing environment has been updated to use a newer ingress-nginx version with its admission webhook enabled, reinforcing cert-manager’s compatibility with modern ingress configurations. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address several security vulnerabilities in core dependencies and ensure the continued stability of your cert-manager deployments. This cert-manager v1.17.2 release delivers vital security updates by patching multiple Go dependencies that address various CVEs. Beyond these critical fixes, we’ve also refreshed our Go toolchain and base images, ensuring a more robust and secure foundation for your certificate management needs. ...

📋 Recommended Actions ⚠️ Action Required Immediate action is not universally required but highly recommended to review the default changes for promoted feature gates (like NameConstraints and UseDomainQualifiedFinalizer now defaulting to true) and the deprecation of ValidateCAA (now defaulting to false). Adjust your configurations as necessary to maintain desired behavior, especially if you rely on the previous implicit defaults. Consider leveraging the new literal keystore password option for simplified management. ...