cert-manager - v1.13.3

Security

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
- GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
- CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.

Changes

Bug or Regression

  • The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#6507, @inteon)
  • The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#6507, @inteon)
  • The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#6507, @inteon)
  • Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#6538, @wallrj)
  • Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See https://github.com/advisories/GHSA-8pgv-569h-w5rw, https://github.com/advisories/GHSA-jq35-85cj-fj4p, and https://github.com/advisories/GHSA-2c7c-3mj9-8fqh. (#6514, @inteon)

Dependencies

Added

Nothing has changed.

Changed

  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go: v0.110.6 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
  • google.golang.org/genproto: f966b18 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0

Removed

Nothing has changed.

Details

date
Dec. 11, 2023, 2:50 p.m.
name
v1.13.3
type
Patch
official page
https://github.com/cert-manager/cert-manager/releases/tag/v1.13.3
👇
Register or login to:
  • 🔍View and search all cert-manager releases.
  • 🛠️Create and share lists to track your tools.
  • 🚨Setup notifications for major, security, feature or patch updates.
  • 🚀Much more coming soon!
Continue with GitHub
Continue with Google
or