Distroless

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is highly recommended to address CVE-2024-24791 and benefit from the latest security patches in underlying dependencies. 📝 Summary cert-manager v1.18.6 delivers critical security enhancements, primarily addressing the CVE-2024-24791 vulnerability found in the Go standard library’s HTTP/2 implementation. This high-severity fix mitigates a potential denial-of-service risk, making an immediate upgrade essential for operational security. Beyond the Go toolchain bump to 1.24.13, this release also incorporates refreshed distroless base images (Debian 12). These updates bring the latest security patches from the Debian ecosystem, ensuring a more robust and secure runtime environment for your cert-manager deployments. No new features or breaking changes are introduced; this is a focused stability and security release. Operations engineers should prioritize this update to safeguard their Kubernetes clusters and maintain certificate issuance integrity. Review the release notes for full details. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address the OpenTelemetry security vulnerability (GO-2026-4394) and to benefit from the latest Go runtime and base image security updates. 📝 Summary Cert-manager v1.19.4 brings crucial security and maintenance updates, bolstering the reliability of your certificate management. This release addresses a medium-severity OpenTelemetry vulnerability (GO-2026-4394) related to sensitive data exposure in HTTP headers, making an upgrade vital for enhanced security posture. We’ve also updated the Go runtime to version 1.25.7, incorporating the latest performance improvements and bug fixes. Furthermore, all base images have been refreshed to Debian 12, ensuring cert-manager components run on the most current and secure foundations. These updates are essential for maintaining a stable and secure Kubernetes environment. Upgrade soon to protect your clusters and leverage these core improvements. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is recommended to address a high-severity DNS-01 solver stability issue (GHSA-gx3x-vq4p-mhhv) and ensure robust certificate issuance validation. 📝 Summary Cert-manager v1.18.5 delivers critical updates. It fixes a high-severity DNS-01 solver panic (GHSA-gx3x-vq4p-mhhv), preventing service disruptions. It also adds robust validation for issued certificates, ensuring public keys match CSRs, and improves HTTP-01 IPv6 handling. Upgrade now for enhanced stability and security! 🔒 High-Severity Fix: ACME DNS-01 Solver Panic (GHSA-gx3x-vq4p-mhhv) A critical vulnerability identified as GHSA-gx3x-vq4p-mhhv has been addressed in this release, preventing potential denial-of-service scenarios for the ACME DNS-01 solver. Previously, the solver would incorrectly assume that DNS SOA records would always be the first entry in a DNS query response. If a DNS provider returned the SOA record at a different position, cert-manager’s DNS-01 solver could panic and crash, making it unable to process new challenges and disrupting certificate issuance. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is strongly recommended to address multiple high-severity security vulnerabilities. Review updates to the vendored ACME client, particularly the deprecation of TLS-SNI-01 and TLS-SNI-02 challenge types, which may impact custom ACME integrations. 📝 Summary cert-manager v1.18.4 lands with vital security fixes and significant ACME protocol updates. This release addresses multiple high-severity CVEs in the underlying Go toolchain and various golang.org/x dependencies, demanding your prompt attention to safeguard your Kubernetes clusters. Beyond security, we’ve refined ACME challenge handling, notably deprecating the insecure TLS-SNI-01 and TLS-SNI-02 challenge types. On the bright side, TLS-ALPN-01 now gracefully supports IP address identifiers, expanding its utility for diverse network configurations. Core components also see a Go version bump and updated distroless base images, boosting overall stability. Upgrade now to secure your certificate management and benefit from improved ACME capabilities. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address critical security vulnerabilities. Operations engineers must also review their Helm chart configurations for nodeSelector behavior changes to avoid deployment disruptions. 📝 Summary cert-manager v1.19.2 is here, bringing crucial security updates and significant internal modernization. This release patches several identified vulnerabilities, including CVE-2025-61727, CVE-2025-61729, CVE-2025-47914, and CVE-2025-58181 through updates to the Go runtime and core golang.org/x dependencies. This enhances overall security. A key change for Helm users is how nodeSelector values merge; component-specific selectors now merge with global ones, overriding specific keys, which requires a review of existing deployments. This release also removes the outdated autocert package, signaling a move towards modern, secure ACME challenge handling by deprecating insecure TLS-SNI-01/TLS-SNI-02 challenges and improving TLS-ALPN-01 for IP addresses. Upgrade promptly to secure your clusters and review Helm configurations. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates for improved ACME challenge stability and awareness of updated Ingress-Nginx testing within cert-manager’s ecosystem. This cert-manager v1.17.3 patch release focuses on enhancing the reliability of certificate issuance and ensuring robust compatibility with other crucial Kubernetes ecosystem components. You’ll find a significant increase in the ACME challenge authorization timeout, which should lead to more successful certificate requests, particularly in environments with network latency or slower DNS propagation. Additionally, our end-to-end testing environment has been updated to use a newer ingress-nginx version with its admission webhook enabled, reinforcing cert-manager’s compatibility with modern ingress configurations. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address several security vulnerabilities in core dependencies and ensure the continued stability of your cert-manager deployments. This cert-manager v1.17.2 release delivers vital security updates by patching multiple Go dependencies that address various CVEs. Beyond these critical fixes, we’ve also refreshed our Go toolchain and base images, ensuring a more robust and secure foundation for your certificate management needs. ...