Skip to content

Update module github.com/cert-manager/cert-manager to v1.19.3 [SECURITY]#6

Open
gcsvc-or-orbot wants to merge 11 commits into
mainfrom
renovate/go-github.com-cert-manager-cert-manager-vulnerability
Open

Update module github.com/cert-manager/cert-manager to v1.19.3 [SECURITY]#6
gcsvc-or-orbot wants to merge 11 commits into
mainfrom
renovate/go-github.com-cert-manager-cert-manager-vulnerability

Conversation

@gcsvc-or-orbot

Copy link
Copy Markdown
Collaborator

This PR contains the following updates:

Package Change Age Confidence
github.com/cert-manager/cert-manager v1.19.2v1.19.3 age confidence

cert-manager-controller DoS via Specially Crafted DNS Response

CVE-2026-25518 / GHSA-gx3x-vq4p-mhhv

More information

Details

Impact

The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS.

An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller.

The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.

Patches

The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing.

cert-manager versions prior to v1.18.0 are unaffected.

Workarounds
  • Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted and modified.
    • Note that DNS-over-HTTPS does not prevent the risk of an attacker-controlled authoritative DNS server.
Resources
Credits

Huge thanks to Oleh Konko (@​1seal) for reporting the issue, providing a detailed PoC and an initial patch!

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

cert-manager/cert-manager (github.com/cert-manager/cert-manager)

v1.19.3

Compare Source

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.

Changes by Kind

Bug or Regression
  • Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. (#​8415, @​cert-manager-bot)
  • Fixed an issue where HTTP-01 challenges failed when the Host header contained an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. (#​8436, @​cert-manager-bot)
  • Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. (#​8468, @​SgtCoDFish)
Other (Cleanup or Flake)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

KevinKlaesRackspace2 and others added 8 commits January 15, 2026 12:22
Add relaxPermChecks and encryption enabling flags to ps-entry
* Fix keyfile permissions

* Remove extra debug line

* Update build/ps-entry.sh

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
LIB-623: Add Renovate dependency management
KevinKlaesRackspace2 and others added 3 commits July 13, 2026 11:02
The --relaxPermChecks flag is a Percona Server for MongoDB specific option
that does not exist in MongoDB Community Edition. Our Docker images use
MongoDB Community packages (mongodb-org-*), so this flag causes mongod to
fail at startup with 'unrecognised option' error.

This was the root cause of build failures in the Braze zone: both cfg
(config server) and rs-0 (shard) pods entered CrashLoopBackOff because
mongod rejected the unrecognized --relaxPermChecks flag.

Changes:
- Remove --relaxPermChecks from containerArgs() in container.go
- Remove --relaxPermChecks from mongos args in mongos.go
- Update mongos_test.go to assert flag is NOT present
- Update all e2e test comparison YAML files (257 files)
- Update all reconcile-statefulset testdata YAML files (9 files)

The defense-in-depth stripping in build/ps-entry.sh is preserved for
backwards compatibility with any future edge cases.
…aze-zone

LIB-980: Build failures in Braze zone
@gcsvc-or-orbot gcsvc-or-orbot force-pushed the renovate/go-github.com-cert-manager-cert-manager-vulnerability branch from 43f0edf to 66a50a1 Compare July 13, 2026 18:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants