v1.12.7
This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
GO-2023-2382
: Denial of service via chunk extensions innet/http
If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
CVE-2023-47108
: DoS vulnerability inotelgrpc
due to unbound cardinality metrics.
An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks,
and these are included in this patch release.
Known bugs
If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate a MANY CertificateRequests, possibly causing high CPU usage and/ or high costs due to the large number of certificates issued (see #6406).
This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.
Changes
Feature
Bug or Regression
- The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size
>= 3MiB
. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#6506, @inteon). - The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body (#6506, @inteon).
- The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request (#6506, @inteon).
- Mitigate potential Slowloris attacks by setting
ReadHeaderTimeout
in allhttp.Server
instances (#6539, @wallrj). - Upgrade
otel
anddocker
to fix:CVE-2023-47108
andGHSA-jq35-85cj-fj4p
(#6513, @inteon).
Dependencies
Added
cloud.google.com/go/dataproc/v2
:v2.0.1
Changed
cloud.google.com/go/aiplatform
:v1.45.0 → v1.48.0
cloud.google.com/go/analytics
:v0.21.2 → v0.21.3
cloud.google.com/go/baremetalsolution
:v0.5.0 → v1.1.1
cloud.google.com/go/batch
:v0.7.0 → v1.3.1
cloud.google.com/go/beyondcorp
:v0.6.1 → v1.0.0
cloud.google.com/go/bigquery
:v1.52.0 → v1.53.0
cloud.google.com/go/cloudbuild
:v1.10.1 → v1.13.0
cloud.google.com/go/cloudtasks
:v1.11.1 → v1.12.1
cloud.google.com/go/compute
:v1.21.0 → v1.23.0
cloud.google.com/go/contactcenterinsights
:v1.9.1 → v1.10.0
cloud.google.com/go/container
:v1.22.1 → v1.24.0
cloud.google.com/go/datacatalog
:v1.14.1 → v1.16.0
cloud.google.com/go/dataplex
:v1.8.1 → v1.9.0
cloud.google.com/go/datastore
:v1.12.1 → v1.13.0
cloud.google.com/go/datastream
:v1.9.1 → v1.10.0
cloud.google.com/go/deploy
:v1.11.0 → v1.13.0
cloud.google.com/go/dialogflow
:v1.38.0 → v1.40.0
cloud.google.com/go/documentai
:v1.20.0 → v1.22.0
cloud.google.com/go/eventarc
:v1.12.1 → v1.13.0
cloud.google.com/go/firestore
:v1.11.0 → v1.12.0
cloud.google.com/go/gkebackup
:v0.4.0 → v1.3.0
cloud.google.com/go/gkemulticloud
:v0.6.1 → v1.0.0
cloud.google.com/go/kms
:v1.12.1 → v1.15.0
cloud.google.com/go/maps
:v0.7.0 → v1.4.0
cloud.google.com/go/metastore
:v1.11.1 → v1.12.0
cloud.google.com/go/policytroubleshooter
:v1.7.1 → v1.8.0
cloud.google.com/go/pubsub
:v1.32.0 → v1.33.0
cloud.google.com/go/run
:v0.9.0 → v1.2.0
cloud.google.com/go/servicedirectory
:v1.10.1 → v1.11.0
cloud.google.com/go/speech
:v1.17.1 → v1.19.0
cloud.google.com/go/translate
:v1.8.1 → v1.8.2
cloud.google.com/go/video
:v1.17.1 → v1.19.0
cloud.google.com/go/vmwareengine
:v0.4.1 → v1.0.0
cloud.google.com/go
:v0.110.4 → v0.110.7
github.com/felixge/httpsnoop
:v1.0.3 → v1.0.4
github.com/go-logr/logr
:v1.2.4 → v1.3.0
github.com/golang/glog
:v1.1.0 → v1.1.2
github.com/google/go-cmp
:v0.5.9 → v0.6.0
github.com/google/uuid
:v1.3.0 → v1.3.1
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc
:v0.45.0 → v0.46.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp
:v0.44.0 → v0.46.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/metric
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/sdk
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel/trace
:v1.19.0 → v1.20.0
go.opentelemetry.io/otel
:v1.19.0 → v1.20.0
go.uber.org/goleak
:v1.2.1 → v1.3.0
golang.org/x/oauth2
:v0.10.0 → v0.11.0
golang.org/x/sys
:v0.13.0 → v0.14.0
google.golang.org/genproto/googleapis/api
:782d3b1 → b8732ec
google.golang.org/genproto/googleapis/rpc
:782d3b1 → b8732ec
google.golang.org/genproto
:782d3b1 → b8732ec
google.golang.org/grpc
:v1.58.3 → v1.59.0
Removed
cloud.google.com/go/dataproc
:v1.12.0