fix(deps): update module github.com/cert-manager/cert-manager to v1.19.3 [security] (#775) · 79238f5772 - plugin-barman-cloud

mirror of https://github.com/cloudnative-pg/plugin-barman-cloud.git synced 2026-03-09 12:12:21 +01:00

fix(deps): update module github.com/cert-manager/cert-manager to v1.19.3 [security] (#775)

Some checks failed

release-please / release-please (push) Failing after 4s

Details

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/cert-manager/cert-manager](https://redirect.github.com/cert-manager/cert-manager)
| `v1.19.2` → `v1.19.3` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcert-manager%2fcert-manager/v1.19.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcert-manager%2fcert-manager/v1.19.2/v1.19.3?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-25518](https://redirect.github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv)

### Impact

The cert-manager-controller performs DNS lookups during ACME DNS-01
processing (for zone discovery and propagation self-checks). By default,
these lookups use standard unencrypted DNS.

An attacker who can intercept and modify DNS traffic from the
cert-manager-controller pod can insert a crafted entry into
cert-manager's DNS cache. Accessing this entry will trigger a panic,
resulting in Denial of Service (DoS) of the cert-manager controller.

The issue can also be exploited if the authoritative DNS server for the
domain being validated is controlled by a malicious actor.

### Patches

The vulnerability was introduced in cert-manager v1.18.0 and has been
patched in cert-manager v1.19.3 and v1.18.5, which are the supported
minor releases at the time of publishing.

cert-manager versions prior to v1.18.0 are unaffected.

### Workarounds

- Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted
and modified.
- Note that DNS-over-HTTPS does *not* prevent the risk of an
attacker-controlled authoritative DNS server.

### Resources

- Fix for cert-manager 1.18:
[https://github.com/cert-manager/cert-manager/pull/8467](https://redirect.github.com/cert-manager/cert-manager/pull/8467)
- Fix for cert-manager 1.19:
[https://github.com/cert-manager/cert-manager/pull/8468](https://redirect.github.com/cert-manager/cert-manager/pull/8468)
- Fix for master branch:
[https://github.com/cert-manager/cert-manager/pull/8469](https://redirect.github.com/cert-manager/cert-manager/pull/8469)

### Credits

Huge thanks to Oleh Konko (@&#8203;1seal) for reporting the issue,
providing a detailed PoC and an initial patch!

---

### Release Notes

<details>
<summary>cert-manager/cert-manager
(github.com/cert-manager/cert-manager)</summary>

###
[`v1.19.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.3)

[Compare
Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.2...v1.19.3)

cert-manager is the easiest way to automatically manage certificates in
Kubernetes and OpenShift clusters.

This release contains three bug fixes, including a fix for the MODERATE
severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to
the latest release.

#### Changes by Kind

##### Bug or Regression

- Fixed an infinite re-issuance loop that could occur when an issuer
returns a certificate with a public key that doesn't match the CSR. The
issuing controller now validates the certificate before storing it and
fails with backoff on mismatch.
([#&#8203;8415](https://redirect.github.com/cert-manager/cert-manager/issues/8415),
[@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))
- Fixed an issue where HTTP-01 challenges failed when the Host header
contained an IPv6 address. This means that users can now issue IP
address certificates for IPv6 address subjects.
([#&#8203;8436](https://redirect.github.com/cert-manager/cert-manager/issues/8436),
[@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))
- Security (MODERATE): Fix a potential panic in the cert-manager
controller when a DNS response in an unexpected order was cached. If an
attacker was able to modify DNS responses (or if they controlled the DNS
server) it was possible to cause denial of service for the cert-manager
controller.
([#&#8203;8468](https://redirect.github.com/cert-manager/cert-manager/issues/8468),
[@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))

##### Other (Cleanup or Flake)

- Bump go to 1.25.6
([#&#8203;8459](https://redirect.github.com/cert-manager/cert-manager/issues/8459),
[@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41NS40IiwidXBkYXRlZEluVmVyIjoiNDMuNTUuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21hdGVkIiwibm8taXNzdWUiXX0=-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

This commit is contained in:

renovate[bot]

2026-03-06 12:42:04 +11:00

committed by

GitHub

parent f12c978732

commit 79238f5772

No known key found for this signature in database

GPG Key ID: B5690EEEBB952194

2 changed files with 3 additions and 3 deletions

									
										2

go.mod
									
										View File
										
				@ -5,7 +5,7 @@ go 1.25.0

				toolchain go1.25.6

				require (

					github.com/cert-manager/cert-manager v1.19.2

					github.com/cert-manager/cert-manager v1.19.3

					github.com/cloudnative-pg/api v1.28.0

					github.com/cloudnative-pg/barman-cloud v0.4.1-0.20260108104508-ced266c145f5

					github.com/cloudnative-pg/cloudnative-pg v1.28.0

4

go.sum

View File

 @ -12,8 +12,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cert-manager/cert-manager v1.19.2 h1:jSprN1h5pgNDSl7HClAmIzXuTxic/5FXJ32kbQHqjlM=
 github.com/cert-manager/cert-manager v1.19.2/go.mod h1:e9NzLtOKxTw7y99qLyWGmPo6mrC1Nh0EKKcMkRfK+GE=
 github.com/cert-manager/cert-manager v1.19.3 h1:3d0Nk/HO3BOmAdBJNaBh+6YgaO3Ciey3xCpOjiX5Obs=
 github.com/cert-manager/cert-manager v1.19.3/go.mod h1:e9NzLtOKxTw7y99qLyWGmPo6mrC1Nh0EKKcMkRfK+GE=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cloudnative-pg/api v1.28.0 h1:xElzHliO0eKkVQafkfMhDJo0aIRCmB1ItEt+SGh6B58=

fix(deps): update module github.com/cert-manager/cert-manager to v1.19.3 [security] (#775) Some checks failed release-please / release-please (push) Failing after 4s Details

2 go.mod Unescape Escape View File

4 go.sum Unescape Escape View File

fix(deps): update module github.com/cert-manager/cert-manager to v1.19.3 [security] (#775)

Some checks failed

release-please / release-please (push) Failing after 4s

Details

2

go.mod

View File

4

go.sum

View File