Update module github.com/cert-manager/cert-manager to v1.19.3 [SECURITY]#6
Open
gcsvc-or-orbot wants to merge 11 commits into
Open
Update module github.com/cert-manager/cert-manager to v1.19.3 [SECURITY]#6gcsvc-or-orbot wants to merge 11 commits into
gcsvc-or-orbot wants to merge 11 commits into
Conversation
Add relaxPermChecks and encryption enabling flags to ps-entry
Build and push image to ghcr
* Fix keyfile permissions * Remove extra debug line * Update build/ps-entry.sh Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
LIB-623: Add Renovate dependency management
The --relaxPermChecks flag is a Percona Server for MongoDB specific option that does not exist in MongoDB Community Edition. Our Docker images use MongoDB Community packages (mongodb-org-*), so this flag causes mongod to fail at startup with 'unrecognised option' error. This was the root cause of build failures in the Braze zone: both cfg (config server) and rs-0 (shard) pods entered CrashLoopBackOff because mongod rejected the unrecognized --relaxPermChecks flag. Changes: - Remove --relaxPermChecks from containerArgs() in container.go - Remove --relaxPermChecks from mongos args in mongos.go - Update mongos_test.go to assert flag is NOT present - Update all e2e test comparison YAML files (257 files) - Update all reconcile-statefulset testdata YAML files (9 files) The defense-in-depth stripping in build/ps-entry.sh is preserved for backwards compatibility with any future edge cases.
…aze-zone LIB-980: Build failures in Braze zone
43f0edf to
66a50a1
Compare
93f11b3 to
d28787c
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v1.19.2→v1.19.3cert-manager-controller DoS via Specially Crafted DNS Response
CVE-2026-25518 / GHSA-gx3x-vq4p-mhhv
More information
Details
Impact
The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS.
An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller.
The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor.
Patches
The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing.
cert-manager versions prior to v1.18.0 are unaffected.
Workarounds
Resources
Credits
Huge thanks to Oleh Konko (@1seal) for reporting the issue, providing a detailed PoC and an initial patch!
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
cert-manager/cert-manager (github.com/cert-manager/cert-manager)
v1.19.3Compare Source
cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.
This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release.
Changes by Kind
Bug or Regression
Other (Cleanup or Flake)
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.