plugin-barman-cloud

marco/plugin-barman-cloud

Fork 0

mirror of https://github.com/cloudnative-pg/plugin-barman-cloud.git synced 2026-03-09 12:12:21 +01:00

Author SHA1 Message Date

Author	SHA1	Message	Date
renovate[bot]	f7a8aa87c6	Merge `f4b38b9891` into `79238f5772`	2026-03-06 12:51:05 +11:00
renovate[bot]	79238f5772	fix(deps): update module github.com/cert-manager/cert-manager to v1.19.3 [security] (#775 ) Some checks failed release-please / release-please (push) Failing after 4s Details This PR contains the following updates: \| Package \| Change \| [Age](https://docs.renovatebot.com/merge-confidence/) \| [Confidence](https://docs.renovatebot.com/merge-confidence/) \| \|---\|---\|---\|---\| \| [github.com/cert-manager/cert-manager](https://redirect.github.com/cert-manager/cert-manager) \| `v1.19.2` → `v1.19.3` \| ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcert-manager%2fcert-manager/v1.19.3?slim=true) \| ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcert-manager%2fcert-manager/v1.19.2/v1.19.3?slim=true) \| ### GitHub Vulnerability Alerts #### [CVE-2026-25518](https://redirect.github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv) ### Impact The cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager's DNS cache. Accessing this entry will trigger a panic, resulting in Denial of Service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. ### Patches The vulnerability was introduced in cert-manager v1.18.0 and has been patched in cert-manager v1.19.3 and v1.18.5, which are the supported minor releases at the time of publishing. cert-manager versions prior to v1.18.0 are unaffected. ### Workarounds - Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted and modified. - Note that DNS-over-HTTPS does not prevent the risk of an attacker-controlled authoritative DNS server. ### Resources - Fix for cert-manager 1.18: [https://github.com/cert-manager/cert-manager/pull/8467](https://redirect.github.com/cert-manager/cert-manager/pull/8467) - Fix for cert-manager 1.19: [https://github.com/cert-manager/cert-manager/pull/8468](https://redirect.github.com/cert-manager/cert-manager/pull/8468) - Fix for master branch: [https://github.com/cert-manager/cert-manager/pull/8469](https://redirect.github.com/cert-manager/cert-manager/pull/8469) ### Credits Huge thanks to Oleh Konko (@1seal) for reporting the issue, providing a detailed PoC and an initial patch! --- ### Release Notes <details> <summary>cert-manager/cert-manager (github.com/cert-manager/cert-manager)</summary> ### [`v1.19.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.3) [Compare Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.2...v1.19.3) cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters. This release contains three bug fixes, including a fix for the MODERATE severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to the latest release. #### Changes by Kind ##### Bug or Regression - Fixed an infinite re-issuance loop that could occur when an issuer returns a certificate with a public key that doesn't match the CSR. The issuing controller now validates the certificate before storing it and fails with backoff on mismatch. ([#8415](https://redirect.github.com/cert-manager/cert-manager/issues/8415), [@cert-manager-bot](https://redirect.github.com/cert-manager-bot)) - Fixed an issue where HTTP-01 challenges failed when the Host header contained an IPv6 address. This means that users can now issue IP address certificates for IPv6 address subjects. ([#8436](https://redirect.github.com/cert-manager/cert-manager/issues/8436), [@cert-manager-bot](https://redirect.github.com/cert-manager-bot)) - Security (MODERATE): Fix a potential panic in the cert-manager controller when a DNS response in an unexpected order was cached. If an attacker was able to modify DNS responses (or if they controlled the DNS server) it was possible to cause denial of service for the cert-manager controller. ([#8468](https://redirect.github.com/cert-manager/cert-manager/issues/8468), [@SgtCoDFish](https://redirect.github.com/SgtCoDFish)) ##### Other (Cleanup or Flake) - Bump go to 1.25.6 ([#8459](https://redirect.github.com/cert-manager/cert-manager/issues/8459), [@SgtCoDFish](https://redirect.github.com/SgtCoDFish)) </details> --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻ Rebasing: Never, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41NS40IiwidXBkYXRlZEluVmVyIjoiNDMuNTUuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21hdGVkIiwibm8taXNzdWUiXX0=--> Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>	2026-03-06 12:42:04 +11:00

renovate[bot]

f7a8aa87c6

Merge f4b38b9891 into 79238f5772

2026-03-06 12:51:05 +11:00

renovate[bot]

79238f5772

fix(deps): update module github.com/cert-manager/cert-manager to v1.19.3 [security] (#775 )

release-please / release-please (push) Failing after 4s

Details

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/cert-manager/cert-manager](https://redirect.github.com/cert-manager/cert-manager)
| `v1.19.2` → `v1.19.3` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fcert-manager%2fcert-manager/v1.19.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fcert-manager%2fcert-manager/v1.19.2/v1.19.3?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-25518](https://redirect.github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv)

### Impact

The cert-manager-controller performs DNS lookups during ACME DNS-01
processing (for zone discovery and propagation self-checks). By default,
these lookups use standard unencrypted DNS.

An attacker who can intercept and modify DNS traffic from the
cert-manager-controller pod can insert a crafted entry into
cert-manager's DNS cache. Accessing this entry will trigger a panic,
resulting in Denial of Service (DoS) of the cert-manager controller.

The issue can also be exploited if the authoritative DNS server for the
domain being validated is controlled by a malicious actor.

### Patches

The vulnerability was introduced in cert-manager v1.18.0 and has been
patched in cert-manager v1.19.3 and v1.18.5, which are the supported
minor releases at the time of publishing.

cert-manager versions prior to v1.18.0 are unaffected.

### Workarounds

- Using DNS-over-HTTPS reduces the risk of DNS traffic being intercepted
and modified.
- Note that DNS-over-HTTPS does *not* prevent the risk of an
attacker-controlled authoritative DNS server.

### Resources

- Fix for cert-manager 1.18:
[https://github.com/cert-manager/cert-manager/pull/8467](https://redirect.github.com/cert-manager/cert-manager/pull/8467)
- Fix for cert-manager 1.19:
[https://github.com/cert-manager/cert-manager/pull/8468](https://redirect.github.com/cert-manager/cert-manager/pull/8468)
- Fix for master branch:
[https://github.com/cert-manager/cert-manager/pull/8469](https://redirect.github.com/cert-manager/cert-manager/pull/8469)

### Credits

Huge thanks to Oleh Konko (@&#8203;1seal) for reporting the issue,
providing a detailed PoC and an initial patch!

---

### Release Notes

<details>
<summary>cert-manager/cert-manager
(github.com/cert-manager/cert-manager)</summary>

###
[`v1.19.3`](https://redirect.github.com/cert-manager/cert-manager/releases/tag/v1.19.3)

[Compare
Source](https://redirect.github.com/cert-manager/cert-manager/compare/v1.19.2...v1.19.3)

cert-manager is the easiest way to automatically manage certificates in
Kubernetes and OpenShift clusters.

This release contains three bug fixes, including a fix for the MODERATE
severity DoS issue in GHSA-gx3x-vq4p-mhhv. All users should upgrade to
the latest release.

#### Changes by Kind

##### Bug or Regression

- Fixed an infinite re-issuance loop that could occur when an issuer
returns a certificate with a public key that doesn't match the CSR. The
issuing controller now validates the certificate before storing it and
fails with backoff on mismatch.
([#&#8203;8415](https://redirect.github.com/cert-manager/cert-manager/issues/8415),
[@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))
- Fixed an issue where HTTP-01 challenges failed when the Host header
contained an IPv6 address. This means that users can now issue IP
address certificates for IPv6 address subjects.
([#&#8203;8436](https://redirect.github.com/cert-manager/cert-manager/issues/8436),
[@&#8203;cert-manager-bot](https://redirect.github.com/cert-manager-bot))
- Security (MODERATE): Fix a potential panic in the cert-manager
controller when a DNS response in an unexpected order was cached. If an
attacker was able to modify DNS responses (or if they controlled the DNS
server) it was possible to cause denial of service for the cert-manager
controller.
([#&#8203;8468](https://redirect.github.com/cert-manager/cert-manager/issues/8468),
[@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))

##### Other (Cleanup or Flake)

- Bump go to 1.25.6
([#&#8203;8459](https://redirect.github.com/cert-manager/cert-manager/issues/8459),
[@&#8203;SgtCoDFish](https://redirect.github.com/SgtCoDFish))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41NS40IiwidXBkYXRlZEluVmVyIjoiNDMuNTUuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYXV0b21hdGVkIiwibm8taXNzdWUiXX0=-->

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

2026-03-06 12:42:04 +11:00

Compare commits

2 Commits

6ba877a4eb ... f7a8aa87c6

Diff Content Not Available

Compare commits

2 Commits 6ba877a4eb ... f7a8aa87c6

Diff Content Not Available

2 Commits

6ba877a4eb ... f7a8aa87c6