diff --git a/.spelling b/.spelling index 9f988c589f4..9d619af9bea 100644 --- a/.spelling +++ b/.spelling @@ -633,6 +633,7 @@ v1.13.3 v1.13. v1.12.5 v1.12.6 +v1.12.7 liveness apiservices arm64 diff --git a/content/docs/releases/release-notes/release-notes-1.12.md b/content/docs/releases/release-notes/release-notes-1.12.md index ebb3b26a57a..59ba88adb44 100644 --- a/content/docs/releases/release-notes/release-notes-1.12.md +++ b/content/docs/releases/release-notes/release-notes-1.12.md 
@@ -3,6 +3,100 @@ title: Release 1.12 description: 'cert-manager release notes: cert-manager 1.12' --- +## v1.12.7 + +This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller: +- [`GO-2023-2382`](https://pkg.go.dev/vuln/GO-2023-2382): Denial of service via chunk extensions in `net/http` + +If you use +[ArtifactHub Security report](https://artifacthub.io/packages/helm/cert-manager/cert-manager/1.12.6?modal=security-report) or +[trivy](https://trivy.dev/), +this patch will also silence the following warning +about a vulnerability in code which is imported but **not used** by the cert-manager-controller: +- [`CVE-2023-47108`](https://access.redhat.com/security/cve/CVE-2023-47108): DoS vulnerability in `otelgrpc` due to unbound cardinality metrics. + +An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, +and these are included in this patch release. + +### Changes + +#### Feature + +- cert-manager is now built with Go `1.20.12` ([#6543](https://github.com/cert-manager/cert-manager/pull/6543), [@wallrj](https://github.com/wallrj)). + +#### Bug or Regression + +- The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size `>= 3MiB`. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory ([#6506](https://github.com/cert-manager/cert-manager/pull/6506), [@inteon](https://github.com/inteon)). +- The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body ([#6506](https://github.com/cert-manager/cert-manager/pull/6506), [@inteon](https://github.com/inteon)). +- The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request ([#6506](https://github.com/cert-manager/cert-manager/pull/6506), [@inteon](https://github.com/inteon)). 
+- Mitigate potential Slowloris attacks by setting `ReadHeaderTimeout` in all `http.Server` instances ([#6539](https://github.com/cert-manager/cert-manager/pull/6539), [@wallrj](https://github.com/wallrj)). +- Upgrade `otel` and `docker` to fix: `CVE-2023-47108` and `GHSA-jq35-85cj-fj4p` ([#6513](https://github.com/cert-manager/cert-manager/pull/6513), [@inteon](https://github.com/inteon)). + +#### Dependencies + +##### Added +- `cloud.google.com/go/dataproc/v2`: `v2.0.1` + +##### Changed +- `cloud.google.com/go/aiplatform`: `v1.45.0 → v1.48.0` +- `cloud.google.com/go/analytics`: `v0.21.2 → v0.21.3` +- `cloud.google.com/go/baremetalsolution`: `v0.5.0 → v1.1.1` +- `cloud.google.com/go/batch`: `v0.7.0 → v1.3.1` +- `cloud.google.com/go/beyondcorp`: `v0.6.1 → v1.0.0` +- `cloud.google.com/go/bigquery`: `v1.52.0 → v1.53.0` +- `cloud.google.com/go/cloudbuild`: `v1.10.1 → v1.13.0` +- `cloud.google.com/go/cloudtasks`: `v1.11.1 → v1.12.1` +- `cloud.google.com/go/compute`: `v1.21.0 → v1.23.0` +- `cloud.google.com/go/contactcenterinsights`: `v1.9.1 → v1.10.0` +- `cloud.google.com/go/container`: `v1.22.1 → v1.24.0` +- `cloud.google.com/go/datacatalog`: `v1.14.1 → v1.16.0` +- `cloud.google.com/go/dataplex`: `v1.8.1 → v1.9.0` +- `cloud.google.com/go/datastore`: `v1.12.1 → v1.13.0` +- `cloud.google.com/go/datastream`: `v1.9.1 → v1.10.0` +- `cloud.google.com/go/deploy`: `v1.11.0 → v1.13.0` +- `cloud.google.com/go/dialogflow`: `v1.38.0 → v1.40.0` +- `cloud.google.com/go/documentai`: `v1.20.0 → v1.22.0` +- `cloud.google.com/go/eventarc`: `v1.12.1 → v1.13.0` +- `cloud.google.com/go/firestore`: `v1.11.0 → v1.12.0` +- `cloud.google.com/go/gkebackup`: `v0.4.0 → v1.3.0` +- `cloud.google.com/go/gkemulticloud`: `v0.6.1 → v1.0.0` +- `cloud.google.com/go/kms`: `v1.12.1 → v1.15.0` +- `cloud.google.com/go/maps`: `v0.7.0 → v1.4.0` +- `cloud.google.com/go/metastore`: `v1.11.1 → v1.12.0` +- `cloud.google.com/go/policytroubleshooter`: `v1.7.1 → v1.8.0` +- `cloud.google.com/go/pubsub`: `v1.32.0 → 
v1.33.0` +- `cloud.google.com/go/run`: `v0.9.0 → v1.2.0` +- `cloud.google.com/go/servicedirectory`: `v1.10.1 → v1.11.0` +- `cloud.google.com/go/speech`: `v1.17.1 → v1.19.0` +- `cloud.google.com/go/translate`: `v1.8.1 → v1.8.2` +- `cloud.google.com/go/video`: `v1.17.1 → v1.19.0` +- `cloud.google.com/go/vmwareengine`: `v0.4.1 → v1.0.0` +- `cloud.google.com/go`: `v0.110.4 → v0.110.7` +- `github.com/felixge/httpsnoop`: [`v1.0.3 → v1.0.4`](https://github.com/felixge/httpsnoop/compare/v1.0.3...v1.0.4) +- `github.com/go-logr/logr`: [`v1.2.4 → v1.3.0`](https://github.com/go-logr/logr/compare/v1.2.4...v1.3.0) +- `github.com/golang/glog`: [`v1.1.0 → v1.1.2`](https://github.com/golang/glog/compare/v1.1.0...v1.1.2) +- `github.com/google/go-cmp`: [`v0.5.9 → v0.6.0`](https://github.com/google/go-cmp/compare/v0.5.9...v0.6.0) +- `github.com/google/uuid`: [`v1.3.0 → v1.3.1`](https://github.com/google/uuid/compare/v1.3.0...v1.3.1) +- `go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc`: `v0.45.0 → v0.46.0` +- `go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp`: `v0.44.0 → v0.46.0` +- `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`: `v1.19.0 → v1.20.0` +- `go.opentelemetry.io/otel/exporters/otlp/otlptrace`: `v1.19.0 → v1.20.0` +- `go.opentelemetry.io/otel/metric`: `v1.19.0 → v1.20.0` +- `go.opentelemetry.io/otel/sdk`: `v1.19.0 → v1.20.0` +- `go.opentelemetry.io/otel/trace`: `v1.19.0 → v1.20.0` +- `go.opentelemetry.io/otel`: `v1.19.0 → v1.20.0` +- `go.uber.org/goleak`: `v1.2.1 → v1.3.0` +- `golang.org/x/oauth2`: `v0.10.0 → v0.11.0` +- `golang.org/x/sys`: `v0.13.0 → v0.14.0` +- `google.golang.org/genproto/googleapis/api`: `782d3b1 → b8732ec` +- `google.golang.org/genproto/googleapis/rpc`: `782d3b1 → b8732ec` +- `google.golang.org/genproto`: `782d3b1 → b8732ec` +- `google.golang.org/grpc`: `v1.58.3 → v1.59.0` + +##### Removed +- `cloud.google.com/go/dataproc`: `v1.12.0` + + ## v1.12.6 v1.12.6 fixes some CVE alerts and a Venafi 
issuer bug diff --git a/content/v1.12-docs/installation/README.md b/content/v1.12-docs/installation/README.md index 4bcccf6ee92..9427caa0e6a 100644 --- a/content/v1.12-docs/installation/README.md +++ b/content/v1.12-docs/installation/README.md @@ -12,7 +12,7 @@ Learn about the various ways you can install cert-manager and how to choose betw The default static configuration can be installed as follows: ```bash -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.yaml +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.7/cert-manager.yaml ``` 📖 Read more about [installing cert-manager using kubectl apply and static manifests](./kubectl.md). diff --git a/content/v1.12-docs/installation/code-signing.md b/content/v1.12-docs/installation/code-signing.md index f85017b877c..16236e8094f 100644 --- a/content/v1.12-docs/installation/code-signing.md +++ b/content/v1.12-docs/installation/code-signing.md @@ -22,7 +22,7 @@ The simplest way to verify signatures is to download the public key and then pas ```console curl -sSOL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem -IMAGE_TAG=v1.12.6 # change as needed +IMAGE_TAG=v1.12.7 # change as needed cosign verify --signature-digest-algorithm sha512 --key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-acmesolver:$IMAGE_TAG cosign verify --signature-digest-algorithm sha512 --key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-cainjector:$IMAGE_TAG cosign verify --signature-digest-algorithm sha512 --key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-ctl:$IMAGE_TAG diff --git a/content/v1.12-docs/installation/helm.md b/content/v1.12-docs/installation/helm.md index 64845005c1c..30ff2c932d0 100644 --- a/content/v1.12-docs/installation/helm.md +++ b/content/v1.12-docs/installation/helm.md 
@@ -44,7 +44,7 @@ or using the `installCRDs` option when installing the Helm chart. ```bash -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.crds.yaml +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.7/cert-manager.crds.yaml ``` ##### Option 2: install CRDs as part of the Helm release @@ -65,7 +65,7 @@ helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ - --version v1.12.6 \ + --version v1.12.7 \ # --set installCRDs=true ``` @@ -78,7 +78,7 @@ helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ - --version v1.12.6 \ + --version v1.12.7 \ # --set installCRDs=true --set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter --set webhook.timeoutSeconds=4 # Example: changing the webhook timeout using a Helm parameter @@ -109,7 +109,7 @@ version: 0.1.0 appVersion: "0.1.0" dependencies: - name: cert-manager - version: v1.12.6 + version: v1.12.7 repository: https://charts.jetstack.io alias: cert-manager condition: cert-manager.enabled @@ -140,7 +140,7 @@ helm template \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ - --version v1.12.6 \ + --version v1.12.7 \ # --set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter # --set installCRDs=true \ # Uncomment to also template CRDs > cert-manager.custom.yaml diff --git a/content/v1.12-docs/installation/kubectl.md b/content/v1.12-docs/installation/kubectl.md index f93d6ece062..41bbf9d7681 100644 --- a/content/v1.12-docs/installation/kubectl.md +++ b/content/v1.12-docs/installation/kubectl.md 
@@ -19,7 +19,7 @@ are included in a single YAML manifest file: Install all cert-manager components: ```bash -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.6/cert-manager.yaml +kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.7/cert-manager.yaml ``` By default, cert-manager will be installed into the `cert-manager` diff --git a/content/v1.12-docs/installation/operator-lifecycle-manager.md b/content/v1.12-docs/installation/operator-lifecycle-manager.md index c24591a3854..3e243764e99 100644 --- a/content/v1.12-docs/installation/operator-lifecycle-manager.md +++ b/content/v1.12-docs/installation/operator-lifecycle-manager.md @@ -217,7 +217,7 @@ The following JSON patch will append `-v=6` to command line arguments of the cer (the first container of the first Deployment). ```bash -kubectl patch csv cert-manager.v1.12.6 \ +kubectl patch csv cert-manager.v1.12.7 \ --type json \ -p '[{"op": "add", "path": "/spec/install/spec/deployments/0/spec/template/spec/containers/0/args/-", "value": "-v=6" }]' ```
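Review bot: In the `release-notes-1.12.md` hunk, the Go toolchain bump is the change that actually addresses `GO-2023-2382`, but it is only listed under `#### Feature` as "cert-manager is now built with Go `1.20.12`" with no mention of the vulnerability, so a reader scanning for the fix cannot tell which entry resolves it; suggest adding a short clause to that bullet, for example "cert-manager is now built with Go `1.20.12`, which fixes `GO-2023-2382` in `net/http`", and likewise stating in the `>= 3MiB` bullet whether a body of exactly 3 MiB is rejected (the `>=` says yes; the prose "exceed the available memory" reads as strictly greater). The same hunk also introduces two consecutive added blank lines before `## v1.12.6` (the two trailing `+` lines after the `##### Removed` entry); the rest of the file uses a single blank line between sections, so drop one of them.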
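Review bot: In the `operator-lifecycle-manager.md` hunk, `kubectl patch csv cert-manager.v1.12.7` only works once a ClusterServiceVersion with exactly that name exists in the cluster's OLM catalog, which is a separate publication step from the GitHub release that the `kubectl apply` and `helm` hunks in this same patch point at; please confirm the `v1.12.7` bundle has been published to the catalog before merging, or the documented command will fail with a not-found error for users who follow the OLM page while the kubectl and Helm pages already work. A one-line note beside the command reminding readers to substitute the CSV name reported by `kubectl get csv` would make the example robust to this lag.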