Skip to content

v1.12.7
Compare
Choose a tag to compare
@jetstack-release-bot jetstack-release-bot released this 12 Dec 16:08
v1.12.7
6d7629b
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:

  • GO-2023-2382: Denial of service via chunk extensions in net/http

If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:

  • CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.

An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks,
and these are included in this patch release.

Known bugs

If you misconfigure two Certificate resources to have the same target Secret resource, cert-manager will generate a MANY CertificateRequests, possibly causing high CPU usage and/ or high costs due to the large number of certificates issued (see #6406).

This problem was resolved in v1.13.2 and other later versions, but the fix cannot be easily backported to v1.12.x. We recommend using v1.12.x with caution (avoid misconfigured Certificate resources) or upgrading to a newer version.

Changes

Feature

  • cert-manager is now built with Go 1.20.12 (#6543, @wallrj).

Bug or Regression

  • The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory (#6506, @inteon).
  • The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body (#6506, @inteon).
  • The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request (#6506, @inteon).
  • Mitigate potential Slowloris attacks by setting ReadHeaderTimeout in all http.Server instances (#6539, @wallrj).
  • Upgrade otel and docker to fix: CVE-2023-47108 and GHSA-jq35-85cj-fj4p (#6513, @inteon).

Dependencies

Added
  • cloud.google.com/go/dataproc/v2: v2.0.1
Changed
  • cloud.google.com/go/aiplatform: v1.45.0 → v1.48.0
  • cloud.google.com/go/analytics: v0.21.2 → v0.21.3
  • cloud.google.com/go/baremetalsolution: v0.5.0 → v1.1.1
  • cloud.google.com/go/batch: v0.7.0 → v1.3.1
  • cloud.google.com/go/beyondcorp: v0.6.1 → v1.0.0
  • cloud.google.com/go/bigquery: v1.52.0 → v1.53.0
  • cloud.google.com/go/cloudbuild: v1.10.1 → v1.13.0
  • cloud.google.com/go/cloudtasks: v1.11.1 → v1.12.1
  • cloud.google.com/go/compute: v1.21.0 → v1.23.0
  • cloud.google.com/go/contactcenterinsights: v1.9.1 → v1.10.0
  • cloud.google.com/go/container: v1.22.1 → v1.24.0
  • cloud.google.com/go/datacatalog: v1.14.1 → v1.16.0
  • cloud.google.com/go/dataplex: v1.8.1 → v1.9.0
  • cloud.google.com/go/datastore: v1.12.1 → v1.13.0
  • cloud.google.com/go/datastream: v1.9.1 → v1.10.0
  • cloud.google.com/go/deploy: v1.11.0 → v1.13.0
  • cloud.google.com/go/dialogflow: v1.38.0 → v1.40.0
  • cloud.google.com/go/documentai: v1.20.0 → v1.22.0
  • cloud.google.com/go/eventarc: v1.12.1 → v1.13.0
  • cloud.google.com/go/firestore: v1.11.0 → v1.12.0
  • cloud.google.com/go/gkebackup: v0.4.0 → v1.3.0
  • cloud.google.com/go/gkemulticloud: v0.6.1 → v1.0.0
  • cloud.google.com/go/kms: v1.12.1 → v1.15.0
  • cloud.google.com/go/maps: v0.7.0 → v1.4.0
  • cloud.google.com/go/metastore: v1.11.1 → v1.12.0
  • cloud.google.com/go/policytroubleshooter: v1.7.1 → v1.8.0
  • cloud.google.com/go/pubsub: v1.32.0 → v1.33.0
  • cloud.google.com/go/run: v0.9.0 → v1.2.0
  • cloud.google.com/go/servicedirectory: v1.10.1 → v1.11.0
  • cloud.google.com/go/speech: v1.17.1 → v1.19.0
  • cloud.google.com/go/translate: v1.8.1 → v1.8.2
  • cloud.google.com/go/video: v1.17.1 → v1.19.0
  • cloud.google.com/go/vmwareengine: v0.4.1 → v1.0.0
  • cloud.google.com/go: v0.110.4 → v0.110.7
  • github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
  • github.com/go-logr/logr: v1.2.4 → v1.3.0
  • github.com/golang/glog: v1.1.0 → v1.1.2
  • github.com/google/go-cmp: v0.5.9 → v0.6.0
  • github.com/google/uuid: v1.3.0 → v1.3.1
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
  • go.opentelemetry.io/otel: v1.19.0 → v1.20.0
  • go.uber.org/goleak: v1.2.1 → v1.3.0
  • golang.org/x/oauth2: v0.10.0 → v0.11.0
  • golang.org/x/sys: v0.13.0 → v0.14.0
  • google.golang.org/genproto/googleapis/api: 782d3b1 → b8732ec
  • google.golang.org/genproto/googleapis/rpc: 782d3b1 → b8732ec
  • google.golang.org/genproto: 782d3b1 → b8732ec
  • google.golang.org/grpc: v1.58.3 → v1.59.0
Removed
  • cloud.google.com/go/dataproc: v1.12.0
Assets 22