Update quay.io/jetstack/cert-manager-ctl Docker tag to v1.13.3
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| quay.io/jetstack/cert-manager-ctl | ironbank-docker | patch | v1.13.2 -> v1.13.3 |
| quay.io/jetstack/cert-manager-ctl | | patch | v1.13.2 -> v1.13.3 |
| quay.io/jetstack/cert-manager-ctl | stage | patch | v1.13.2 -> v1.13.3 |
Release Notes
cert-manager/cert-manager
v1.13.3
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
⚠️ Read about the breaking changes in cert-manager 1.13 before you upgrade from a < v1.13 version!
This patch release contains fixes for the following security vulnerabilities in the cert-manager-controller:
- GO-2023-2334: Decryption of malicious PBES2 JWE objects can consume unbounded system resources.
If you use ArtifactHub Security report or trivy, this patch will also silence the following warning about a vulnerability in code which is imported but not used by the cert-manager-controller:
- CVE-2023-47108: DoS vulnerability in otelgrpc due to unbound cardinality metrics.
An ongoing security audit of cert-manager suggested some changes to the webhook code to mitigate DoS attacks, and these are included in this patch release.
Changes
Bug or Regression
- The webhook server now returns HTTP error 413 (Content Too Large) for requests with body size >= 3MiB. This is to mitigate DoS attacks that attempt to crash the webhook process by sending large requests that exceed the available memory. (#6507, @inteon)
- The webhook server now returns HTTP error 400 (Bad Request) if the request contains an empty body. (#6507, @inteon)
- The webhook server now returns HTTP error 500 (Internal Server Error) rather than crashing, if the code panics while handling a request. (#6507, @inteon)
- Mitigate potential "Slowloris" attacks by setting ReadHeaderTimeout in all http.Server instances. (#6538, @wallrj)
- Upgrade Go modules: otel, docker, and jose to fix CVE alerts. See https://github.com/advisories/GHSA-8pgv-569h-w5rw, https://github.com/advisories/GHSA-jq35-85cj-fj4p, and https://github.com/advisories/GHSA-2c7c-3mj9-8fqh. (#6514, @inteon)
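The four webhook hardening measures listed above (body-size cap, empty-body rejection, panic recovery, and ReadHeaderTimeout against Slowloris) shown together in one Go program. This is an added example, not cert-manager's code: the 3 MiB threshold comes from the release note, while the handler name `reviewHandler`, the timeout values, the `/validate` path and the sample request bodies are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Bodies of this size or larger are rejected with 413 (the 3 MiB limit from the release note).
const maxBodyBytes = 3 << 20

// hardenHandler wraps a body-processing function with the three protections the release
// note describes: 413 for oversized bodies, 400 for empty ones, 500 instead of a crash on panic.
func hardenHandler(next func(body []byte) ([]byte, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A panic inside next() must not take the whole webhook process down.
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic on %s %s: %v", r.Method, r.URL.Path, rec)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		// MaxBytesReader caps what is read regardless of Content-Length (so chunked or lying
		// clients are covered); it allows at most maxBodyBytes-1 bytes, so exactly 3 MiB fails too.
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes-1))
		if err != nil {
			var tooBig *http.MaxBytesError
			if errors.As(err, &tooBig) {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			http.Error(w, "could not read request body", http.StatusBadRequest)
			return
		}
		if len(body) == 0 {
			http.Error(w, "empty request body", http.StatusBadRequest)
			return
		}
		resp, err := next(body)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write(resp)
	})
}

// reviewHandler stands in for an admission-review handler (constructed for this example);
// a body of exactly "panic" simulates a bug so the recovery path can be exercised.
func reviewHandler(body []byte) ([]byte, error) {
	if string(body) == "panic" {
		panic("simulated bug while handling request")
	}
	return []byte(fmt.Sprintf(`{"allowed":true,"bodyBytes":%d}`, len(body))), nil
}

// newServer sets ReadHeaderTimeout so a Slowloris client that trickles header bytes cannot
// hold a connection open indefinitely. The timeout values are assumptions, not cert-manager's.
func newServer(addr string, h http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           h,
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}
}

// probe drives the hardened handler in-process and returns the HTTP status code.
func probe(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/validate", strings.NewReader(body))
	rec := httptest.NewRecorder()
	hardenHandler(reviewHandler).ServeHTTP(rec, req)
	return rec.Code
}

// probeOfSize sends a body of n filler bytes, for checking the size threshold.
func probeOfSize(n int) int { return probe(strings.Repeat("x", n)) }

func main() {
	log.Fatal(newServer(":8443", hardenHandler(reviewHandler)).ListenAndServe())
}
```

Note that `http.MaxBytesReader` is what makes the limit hold for chunked requests with no Content-Length header; checking `r.ContentLength` alone would let such a client stream until memory runs out. `ReadHeaderTimeout` is the only server timeout that bounds the header-trickling phase; `ReadTimeout` covers the body and `IdleTimeout` keep-alive gaps, so a server that sets none of them is exposed.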
Dependencies
Added
Nothing has changed.
Changed
- cloud.google.com/go/firestore: v1.11.0 → v1.12.0
- cloud.google.com/go: v0.110.6 → v0.110.7
- github.com/felixge/httpsnoop: v1.0.3 → v1.0.4
- github.com/go-jose/go-jose/v3: v3.0.0 → v3.0.1
- github.com/go-logr/logr: v1.2.4 → v1.3.0
- github.com/golang/glog: v1.1.0 → v1.1.2
- github.com/google/go-cmp: v0.5.9 → v0.6.0
- go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.45.0 → v0.46.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.44.0 → v0.46.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/metric: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/sdk: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel/trace: v1.19.0 → v1.20.0
- go.opentelemetry.io/otel: v1.19.0 → v1.20.0
- go.uber.org/goleak: v1.2.1 → v1.3.0
- golang.org/x/sys: v0.13.0 → v0.14.0
- google.golang.org/genproto/googleapis/api: f966b18 → b8732ec
- google.golang.org/genproto: f966b18 → b8732ec
- google.golang.org/grpc: v1.58.3 → v1.59.0
Removed
Nothing has changed.
Configuration
- [ ] If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.