cert-manager - v1.12.7

Security

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
- GO-2023-2382: Denial of service via chunk extensions in net/http

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
- CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks,
and these are included in this patch release.

Changes

Feature

  • cert-manager is now built with Go 1.20.12 (#6543, @wallrj).

Bug or Regression

  • The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#6506, @inteon).
  • The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body (#6506, @inteon).
  • The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request (#6506, @inteon).
  • Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances (#6539, @wallrj).
  • Upgrade otel and docker to fix: CVE-2023-47108 and GHSA-jq35-85cj-fj4p (#6513, @inteon).

Dependencies

Added
  • cloud.google.com/go/dataproc/v2: v2.0.1
Changed
  • cloud.google.com/go/aiplatform: v1.45.0 → v1.48.0
  • cloud.google.com/go/analytics: v0.21.2 → v0.21.3
  • cloud.google.com/go/baremetalsolution: v0.5.0 → v1.1.1
  • cloud.google.com/go/batch: v0.7.0 → v1.3.1
  • cloud.google.com/go/beyondcorp: v0.6.1 → v1.0.0
  • cloud.google.com/go/bigquery: v1.52.0 → v1.53.0
  • cloud.google.com/go/cloudbuild: v1.10.1 → v1.13.0
  • cloud.google.com/go/cloudtasks: v1.11.1 → v1.12.1
  • cloud.google.com/go/compute: v1.21.0 → v1.23.0
  • cloud.google.com/go/contactcenterinsights: v1.9.1 → v1.10.0
  • cloud.google.com/go/container: v1.22.1 → v1.24.0
  • cloud.google.com/go/datacatalog: v1.14.1 → v1.16.0
  • cloud.google.com/go/dataplex: v1.8.1 → v1.9.0
  • cloud.google.com/go/datastore: v1.12.1 → v1.13.0
  • cloud.google.com/go/datastream: v1.9.1 → v1.10.0
  • cloud.google.com/go/deploy: v1.11.0 → v1.13.0
  • cloud.google.com/go/dialogflow: v1.38.0 → v1.40.0
  • cloud.google.com/go/documentai: v1.20.0 → v1.22.0
  • cloud.google.com/go/eventarc: v1.12.1 → v1.13.0
  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go/gkebackup: v0.4.0 → v1.3.0
  • cloud.google.com/go/gkemulticloud: v0.6.1 → v1.0.0
  • cloud.google.com/go/kms: v1.12.1 → v1.15.0
  • cloud.google.com/go/maps: v0.7.0 → v1.4.0
  • cloud.google.com/go/metastore: v1.11.1 → v1.12.0
  • cloud.google.com/go/policytroubleshooter: v1.7.1 → v1.8.0
  • cloud.google.com/go/pubsub: v1.32.0 → v1.33.0
  • cloud.google.com/go/run: v0.9.0 → v1.2.0
  • cloud.google.com/go/servicedirectory: v1.10.1 → v1.11.0
  • cloud.google.com/go/speech: v1.17.1 → v1.19.0
  • cloud.google.com/go/translate: v1.8.1 → v1.8.2
  • cloud.google.com/go/video: v1.17.1 → v1.19.0
  • cloud.google.com/go/vmwareengine: v0.4.1 → v1.0.0
  • cloud.google.com/go: v0.110.4 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • github.com/google/uuid: v1.3.0 → v1.3.1
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/oauth2: v0.10.0 → v0.11.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: 782d3b1 → b8732ec
  • google.golang.org/genproto/googleapis/rpc: 782d3b1 → b8732ec
  • google.golang.org/genproto: 782d3b1 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0
Removed
  • cloud.google.com/go/dataproc: v1.12.0

Details

date
Dec. 12, 2023, 4:08 p.m.
name
v1.12.7
type
Patch
official page
https://github.com/cert-manager/cert-manager/releases/tag/v1.12.7
👇
Register or login to:
  • 🔍View and search all cert-manager releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google
or