DNS

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is recommended to address a high-severity DNS-01 solver stability issue (GHSA-gx3x-vq4p-mhhv) and ensure robust certificate issuance validation. 📝 Summary Cert-manager v1.18.5 delivers critical updates. It fixes a high-severity DNS-01 solver panic (GHSA-gx3x-vq4p-mhhv), preventing service disruptions. It also adds robust validation for issued certificates, ensuring public keys match CSRs, and improves HTTP-01 IPv6 handling. Upgrade now for enhanced stability and security! 🔒 High-Severity Fix: ACME DNS-01 Solver Panic (GHSA-gx3x-vq4p-mhhv) A critical vulnerability identified as GHSA-gx3x-vq4p-mhhv has been addressed in this release, preventing potential denial-of-service scenarios for the ACME DNS-01 solver. Previously, the solver would incorrectly assume that DNS SOA records would always be the first entry in a DNS query response. If a DNS provider returned the SOA record at a different position, cert-manager’s DNS-01 solver could panic and crash, making it unable to process new challenges and disrupting certificate issuance. ...

📋 Recommended Actions ⚠️ Action Required Immediate review recommended for all users. Upgrade promptly to benefit from critical security hardening, fix potential denial-of-service vectors, and enhance certificate issuance reliability. 📝 Summary cert-manager v1.19.3 delivers crucial security enhancements and improved issuance robustness. This release directly addresses GHSA-gx3x-vq4p-mhhv, preventing a potential panic in the ACME DNS solver that could lead to denial-of-service. This high-severity fix solidifies the reliability of your ACME challenges. We’ve also introduced a vital new check: certificate issuance will now fail if the public key in the signed certificate doesn’t match the original Certificate Signing Request (CSR). This prevents infinite re-issuance loops with misconfigured external issuers, ensuring cryptographic integrity. Furthermore, the HTTP-01 solver gained more robust handling of IPv6 address literals, improving compliance and reliability for diverse network configurations. Essential tooling updates, including Go 1.25.6 and Kind 0.31.0, round out this focused release. Upgrade to boost the security and stability of your certificate management. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if using headless services with multiple IPs in a multicluster setup. 📝 Summary Istio 1.27.5 delivers a crucial bug fix, significantly improving DNS resolution for headless services. This update addresses an issue where pods with multiple IP addresses in headless service configurations, especially across multicluster setups, were not always correctly represented in the DNS name table. Now, Istio ensures all relevant IP addresses are correctly aggregated and prioritized for local clusters, providing more reliable service discovery. This means your applications will experience more robust connectivity to headless services. Additionally, this release includes important dependency bumps for core components like proxy, ztunnel, istio.io/api, and istio.io/client-go, along with updated build tools. These maintenance updates ensure stability, performance, and compatibility within the Istio ecosystem. Review these changes to understand their impact on your deployments. ...

📋 Recommended Actions ⚠️ Action Required Upgrade to Istio 1.28.2 after carefully reviewing the new minimum Kubernetes version requirement (1.30). Existing Ambient mode users planning nftables migration should be aware of the new safe fallback mechanism. 📝 Summary Istio 1.28.2 delivers crucial updates, enhancing stability and streamlining operations. Critically, the minimum required Kubernetes version has been bumped to 1.30, a change requiring pre-upgrade validation. For Ambient mode, a new intelligent fallback ensures smoother migrations from iptables to nftables, preventing network disruptions by detecting existing artifacts and temporarily sticking to iptables until node reboot. DNS resolution for headless services sees significant improvement, now correctly handling pods with multiple IPs and prioritizing local cluster endpoints for multi-cluster setups. Additionally, a long-standing bug preventing proxy startup when sidecar.istio.io/statsEvictionInterval was 60 seconds or more has been resolved. Updates to the KRT library also improve internal data processing, setting the stage for more robust configurations. Review these changes to ensure a seamless upgrade and optimized mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate patching is highly recommended to address several security vulnerabilities in core dependencies and ensure the continued stability of your cert-manager deployments. This cert-manager v1.17.2 release delivers vital security updates by patching multiple Go dependencies that address various CVEs. Beyond these critical fixes, we’ve also refreshed our Go toolchain and base images, ensuring a more robust and secure foundation for your certificate management needs. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended for all users relying on Cloudflare DNS01 challenges to restore functionality and ensure uninterrupted certificate issuance. This cert-manager v1.17.1 patch release delivers a crucial fix for users leveraging Cloudflare DNS01 challenges. Due to a recent breaking API change from Cloudflare, cert-manager v1.17.0 and earlier versions were experiencing issues with certificate issuance via this method. This update ensures seamless operation for your ACME certificates, alongside a standard bump to the Go toolchain to v1.23.6. ...