Merge pull request #1599 from SgtCoDFish/cm-releases
Add details on new cert-manager releases
cert-manager-prow[bot] authored Nov 21, 2024
2 parents 810edcc + 9e260b5 commit 12a648f
Showing 7 changed files with 78 additions and 4 deletions.
2 changes: 1 addition & 1 deletion content/docs/cli/controller.md
@@ -33,7 +33,7 @@ Flags:
--default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer")
--default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource.
--dns01-check-retry-period duration The duration the controller should wait between a propagation check. Despite the name, this flag is used to configure the wait period for both DNS01 and HTTP01 challenge propagation checks. For DNS01 challenges the propagation check verifies that a TXT record with the challenge token has been created. For HTTP01 challenges the propagation check verifies that the challenge token is served at the challenge URL.This should be a valid duration string, for example 180s or 1h (default 10s)
--dns01-recursive-nameservers <ip address>:<port> A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: <ip address>:<port> or `https://<DoH RFC 8484 server address>`. For example: `8.8.8.8:53,8.8.4.4:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true.
--dns01-recursive-nameservers <ip address>:<port> A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: <ip address>:<port> or `https://<DoH RFC 8484 server address>`. For example: `8.8.8.8:53,8.8.4.4:53,[2001:4860:4860::8888]:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true.
--dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers.
--enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted.
--enable-gateway-api Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport feature gate must also be enabled (default as of 1.15).
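Review bot: the IPv6 example added to `--dns01-recursive-nameservers` shows `[2001:4860:4860::8888]:53`, but the format description earlier in the same line still reads `<ip address>:<port>` and never says that an IPv6 address has to be wrapped in square brackets; a reader who follows the stated format rather than the example will write `2001:4860:4860::8888:53`, which cannot be split into address and port. Suggest making the requirement explicit, e.g. `<ip address>:<port> (IPv6 addresses in square brackets, for example [2001:4860:4860::8888]:53)`, so the format and the example agree.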
2 changes: 1 addition & 1 deletion content/docs/reference/api-docs.md
@@ -7103,5 +7103,5 @@ description: >-
</table>
<hr />
<p>
<em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>67c897d</code>. </em>
<em> Generated with <code>gen-crd-api-reference-docs</code> on git commit <code>33df0f2</code>. </em>
</p>
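Review bot: the only change in `api-docs.md` is the footer commit hash (the file summary reports 1 addition and 1 deletion), so regenerating the API reference against `33df0f2` produced no content changes. That is plausible for a patch release, but confirm that `33df0f2` is the commit the `v1.16.2` tag resolves to, since this footer is the only record of which source the reference was generated from and it should move in step with the `cert_manager_latest_version` bump in the same commit.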
22 changes: 22 additions & 0 deletions content/docs/releases/release-notes/release-notes-1.12.md
@@ -217,6 +217,28 @@ time and resources towards the continued maintenance of cert-manager projects. V
cert-manager 1.12 as a long term support release, meaning it will be maintained for much longer
than other releases to provide a stable platform for enterprises to build upon.

## `v1.12.14`

This patch release makes [several changes](https://github.com/cert-manager/cert-manager/pull/7403) to how PEM input is validated in
cert-manager, adding maximum sizes appropriate to the type of PEM data which is being parsed.

This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project.

The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods.

Note also that since most PEM data parsed by cert-manager comes from `ConfigMap` or `Secret` resources which have
a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.

Further details are in the [security advisory](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4).

This patch release also fixes [an issue](https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r) reported by Trivy,
although that issue is low severity and is not expected to be relevant to cert-manager.

## Bug Fixes

- Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input ([#7403](https://github.com/cert-manager/cert-manager/pull/7403), [@SgtCoDFish](https://github.com/SgtCoDFish))
- Fix `CVE-2024-5174` in `github.com/golang-jwt/jwt/v4` ([#7407](https://github.com/cert-manager/cert-manager/pull/7407), [@SgtCoDFish](https://github.com/SgtCoDFish))

## `v1.12.13`

This patch release fixes the following vulnerabilities:
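Review bot: `## Bug Fixes` is at the same heading level as `## \`v1.12.14\``, so it renders as a sibling of the version heading rather than a subsection of it, and the following `## \`v1.12.13\`` then reads as a continuation of the bug-fix section; `release-notes-1.15.md` in this same commit uses `### Bug Fixes` under the version heading, so the 1.12 notes should use `###` for consistency. Also cross-check the CVE identifier in the second bullet (`Fix \`CVE-2024-5174\``) against the golang-jwt advisory linked two paragraphs above (GHSA-29wx-vh33-7x7r), which is the authoritative source for the number: the bullet is the only place the ID appears, and a dropped digit would send readers to an unrelated CVE record.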
26 changes: 26 additions & 0 deletions content/docs/releases/release-notes/release-notes-1.15.md
@@ -33,6 +33,32 @@ Thanks also to the CNCF, which provides resources and support, and to the AWS op

In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.

## `v1.15.4`

This patch release makes [several changes](https://github.com/cert-manager/cert-manager/pull/7402) to how PEM input is validated in
cert-manager, adding maximum sizes appropriate to the type of PEM data which is being parsed.

This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project.

The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods.

Note also that since most PEM data parsed by cert-manager comes from `ConfigMap` or `Secret` resources which have
a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.

Further details are in the [security advisory](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4).

In addition, the version of Go used to build cert-manager 1.15 was updated along with the base images, and a Route53 bug fix was backported.

### Bug Fixes

- Prevent aggressive Route53 retries caused by STS authentication failures by removing the Amazon Request ID from STS errors. ([#7261](https://github.com/cert-manager/cert-manager/pull/7261), [@cert-manager-bot](https://github.com/cert-manager-bot))
- Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input ([#7402](https://github.com/cert-manager/cert-manager/pull/7402), [@SgtCoDFish](https://github.com/SgtCoDFish))

### Other

- Bump go to 1.22.9 ([#7424](https://github.com/cert-manager/cert-manager/pull/7424), [@SgtCoDFish](https://github.com/SgtCoDFish))


## `v1.15.3`

### Bug or Regression
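Review bot: the sentence `In addition, the version of Go used to build cert-manager 1.15 was updated along with the base images` is not backed by the changelog below it: the `### Other` section lists only `Bump go to 1.22.9 (#7424)` and no base-image bullet, whereas the 1.16 notes in this commit list `bump base images to latest available` explicitly. Either add the base-image bump (with its PR) to the list or drop the claim from the prose, so every stated change can be traced to a PR. Minor: there are two consecutive blank lines before `## \`v1.15.3\``.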
26 changes: 26 additions & 0 deletions content/docs/releases/release-notes/release-notes-1.16.md
@@ -221,8 +221,34 @@ Thanks also to the CNCF, which provides resources and support, and to the AWS op
In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects.
## `v1.16.2`
This patch release makes [several changes](https://github.com/cert-manager/cert-manager/pull/7401) to how PEM input is validated in
cert-manager, adding maximum sizes appropriate to the type of PEM data which is being parsed.
This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project.
The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods.
Note also that since most PEM data parsed by cert-manager comes from `ConfigMap` or `Secret` resources which have
a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data.
Further details are in the [security advisory](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4).
In addition, the version of Go used to build cert-manager 1.16 was updated along with the base images.
### Bug Fixes
- Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input ([#7401](https://github.com/cert-manager/cert-manager/pull/7401), @SgtCoDFish)
#### Other (Cleanup or Flake)
- Bump go to 1.23.3 and bump base images to latest available ([#7431](https://github.com/cert-manager/cert-manager/pull/7431), @SgtCoDFish)
## `v1.16.1`
cert-manager `v1.16.1` contains some fixes to Helm value schema validation, as well as a fix to the ACME ClusterIssuer.
Changes since `v1.16.0`.
### Bug or Regression
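Review bot: `#### Other (Cleanup or Flake)` sits one level below `### Bug Fixes`, so the Go and base-image bump renders as a sub-item of the bug-fix section rather than as a sibling category; `release-notes-1.15.md` in this commit uses `### Other` for the equivalent section, so this heading should be `###` as well. The bullet attributions here are plain `@SgtCoDFish`, while the 1.12 and 1.15 notes in the same commit use the linked form `[@SgtCoDFish](https://github.com/SgtCoDFish)`; pick one style across the three files.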
2 changes: 1 addition & 1 deletion content/docs/variables.json
@@ -1,3 +1,3 @@
{
"cert_manager_latest_version": "v1.16.1"
"cert_manager_latest_version": "v1.16.2"
}
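Review bot: the bump of `cert_manager_latest_version` to `v1.16.2` matches the new 1.16 notes; since this value is presumably what the site uses wherever it advertises the latest release, merge it only once the `v1.16.2` tag and images are actually published, otherwise the docs point users at a version they cannot yet install.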
2 changes: 1 addition & 1 deletion scripts/gendocs/generate-trust-manager
Expand Up @@ -61,6 +61,6 @@ gendocs() {
echo "+++ Cloning trust-manager repository..."
git clone "https://github.com/cert-manager/trust-manager.git" "$tmpdir"

checkout "v0.12.0"
checkout "v0.13.0"

gendocs "$REPO_ROOT/content/docs/trust/trust-manager/api-reference.md"
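Review bot: this bumps the trust-manager checkout from `v0.12.0` to `v0.13.0`, but the file the script generates, `content/docs/trust/trust-manager/api-reference.md`, is not among the seven files changed in this commit, so either the script was not re-run or its output was not committed; run `scripts/gendocs/generate-trust-manager` and commit the regenerated reference with this change, or move the bump to its own PR, since the commit message only mentions cert-manager releases. From a supply-chain angle, the script clones over HTTPS and then does `checkout "v0.13.0"` by tag name; tags can be moved, so pinning the commit SHA that `v0.13.0` resolves to (or verifying the tag's signature before checkout) would make the generated docs reproducible.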
