cert-manager - v1.12.7
Security
This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
- GO-2023-2382: Denial of service via chunk extensions in net/http
If you use the ArtifactHub security report or Trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
- CVE-2023-47108: DoS vulnerability in otelgrpc due to unbounded-cardinality metrics
An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.
Changes
Feature
Bug or Regression
- The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#6506, @inteon).
- The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body (#6506, @inteon).
- The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request (#6506, @inteon).
- Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances (#6539, @wallrj).
- Upgrade otel and docker to fix: CVE-2023-47108 and GHSA-jq35-85cj-fj4p (#6513, @inteon).
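The four webhook hardenings listed above (413 for bodies of 3MiB or more, 400 for an empty body, 500 instead of a crash on a handler panic, and ReadHeaderTimeout against Slowloris) can be seen together in one small Go server. The code below is an added illustration written for this page; it is not cert-manager's webhook code, and the names `reviewHandler`, `recoverPanics`, `newServer` and `probe`, the timeout values, and the request bodies used by `probe` are all constructed for the example. The handler simulates a bug by panicking when the body contains the word "panic".

```go
package main

import (
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// maxBodyBytes mirrors the 3 MiB threshold from the release notes: a body of this
// size or larger is rejected before it is buffered in memory.
const maxBodyBytes = 3 << 20

// reviewHandler stands in for an admission webhook handler (hypothetical name).
func reviewHandler(w http.ResponseWriter, r *http.Request) {
	// Cheap pre-check: a declared Content-Length at or over the limit is refused
	// without reading a single body byte.
	if r.ContentLength >= maxBodyBytes {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	// Read at most maxBodyBytes so a missing or lying Content-Length cannot make
	// the process allocate more than the limit. Hitting the limit means the body
	// is >= 3 MiB, which is the same 413 condition as above.
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBodyBytes))
	if err != nil {
		http.Error(w, "failed to read request body", http.StatusBadRequest)
		return
	}
	if len(body) >= maxBodyBytes {
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	if len(body) == 0 {
		http.Error(w, "empty request body", http.StatusBadRequest)
		return
	}
	// Simulated defect so the panic path can be exercised (constructed for the example).
	if strings.Contains(string(body), "panic") {
		panic("simulated bug while decoding the admission review")
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "reviewed %d bytes\n", len(body))
}

// recoverPanics turns a panic in the wrapped handler into an explicit 500 response
// instead of letting it abort the request.
func recoverPanics(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("panic while handling %s %s: %v", r.Method, r.URL.Path, rec)
				http.Error(w, "internal server error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// newServer builds an http.Server with the timeouts a webhook should always set.
// ReadHeaderTimeout bounds how long a client may dribble in request headers, which
// is the Slowloris pattern; the other timeouts bound the rest of the exchange.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           recoverPanics(h),
		ReadHeaderTimeout: 10 * time.Second, // illustrative value
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// probe sends one constructed POST through the full handler chain in-process
// (no socket) and returns the HTTP status code the server would have sent.
func probe(body string) int {
	srv := newServer(":0", http.HandlerFunc(reviewHandler))
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(body))
	rec := httptest.NewRecorder()
	srv.Handler.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ name, body string }{
		{"empty", ""},
		{"small", `{"kind":"AdmissionReview"}`},
		{"oversized", strings.Repeat("x", maxBodyBytes)},
		{"panicking", `{"trigger":"panic"}`},
	}
	for _, c := range cases {
		fmt.Printf("%-10s -> %d\n", c.name, probe(c.body))
	}
	// A real webhook would now call newServer(":8443", ...).ListenAndServeTLS(cert, key).
}
```

Two caveats worth keeping in mind when copying this pattern: ReadHeaderTimeout only covers the headers, so a slow body still needs ReadTimeout (or a per-request context deadline); and Go's net/http already recovers a panic inside a handler on its own, but it logs it and drops the connection without a reply, so the middleware is what turns that into a visible 500 for the caller.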
Dependencies
Added
- cloud.google.com/go/dataproc/v2: v2.0.1
Changed
- cloud.google.com/go/aiplatform: v1.45.0 → v1.48.0
- cloud.google.com/go/analytics: v0.21.2 → v0.21.3
- cloud.google.com/go/baremetalsolution: v0.5.0 → v1.1.1
- cloud.google.com/go/batch: v0.7.0 → v1.3.1
- cloud.google.com/go/beyondcorp: v0.6.1 → v1.0.0
- cloud.google.com/go/bigquery: v1.52.0 → v1.53.0
- cloud.google.com/go/cloudbuild: v1.10.1 → v1.13.0
- cloud.google.com/go/cloudtasks: v1.11.1 → v1.12.1
- cloud.google.com/go/compute: v1.21.0 → v1.23.0
- cloud.google.com/go/contactcenterinsights: v1.9.1 → v1.10.0
- cloud.google.com/go/container: v1.22.1 → v1.24.0
- cloud.google.com/go/datacatalog: v1.14.1 → v1.16.0
- cloud.google.com/go/dataplex: v1.8.1 → v1.9.0
- cloud.google.com/go/datastore: v1.12.1 → v1.13.0
- cloud.google.com/go/datastream: v1.9.1 → v1.10.0
- cloud.google.com/go/deploy: v1.11.0 → v1.13.0
- cloud.google.com/go/dialogflow: v1.38.0 → v1.40.0
- cloud.google.com/go/documentai: v1.20.0 → v1.22.0
- cloud.google.com/go/eventarc: v1.12.1 → v1.13.0
- cloud.google.com/go/firestore: v1.11.0 → v1.12.0
- cloud.google.com/go/gkebackup: v0.4.0 → v1.3.0
- cloud.google.com/go/gkemulticloud: v0.6.1 → v1.0.0
- cloud.google.com/go/kms: v1.12.1 → v1.15.0
- cloud.google.com/go/maps: v0.7.0 → v1.4.0
- cloud.google.com/go/metastore: v1.11.1 → v1.12.0
- cloud.google.com/go/policytroubleshooter: v1.7.1 → v1.8.0
- cloud.google.com/go/pubsub: v1.32.0 → v1.33.0
- cloud.google.com/go/run: v0.9.0 → v1.2.0
- cloud.google.com/go/servicedirectory: v1.10.1 → v1.11.0
- cloud.google.com/go/speech: v1.17.1 → v1.19.0
- cloud.google.com/go/translate: v1.8.1 → v1.8.2
- cloud.google.com/go/video: v1.17.1 → v1.19.0
- cloud.google.com/go/vmwareengine: v0.4.1 → v1.0.0
- cloud.google.com/go: v0.110.4 → v0.110.7
- github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
- github.com/go-logr/logr: v1.2.4 → v1.3.0
- github.com/golang/glog: v1.1.0 → v1.1.2
- github.com/google/go-cmp: v0.5.9 → v0.6.0
- github.com/google/uuid: v1.3.0 → v1.3.1
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel: v1.19.0 → v1.20.0
- go.uber.org/goleak: v1.2.1 → v1.3.0
- golang.org/x/oauth2: v0.10.0 → v0.11.0
- golang.org/x/sys: v0.13.0 → v0.14.0
- google.golang.org/genproto/googleapis/api: 782d3b1 → b8732ec
- google.golang.org/genproto/googleapis/rpc: 782d3b1 → b8732ec
- google.golang.org/genproto: 782d3b1 → b8732ec
- google.golang.org/grpc: v1.58.3 → v1.59.0
Removed
- cloud.google.com/go/dataproc: v1.12.0
Details
- date: Dec. 12, 2023, 4:08 p.m.
- name: v1.12.7
- type: Patch