diff --git a/content/docs/cli/controller.md b/content/docs/cli/controller.md index 7943f2833f..a41ad82099 100644 --- a/content/docs/cli/controller.md +++ b/content/docs/cli/controller.md 
@@ -33,7 +33,7 @@ Flags: --default-issuer-kind string Kind of the Issuer to use when the tls is requested but issuer kind is not specified on the ingress resource. (default "Issuer") --default-issuer-name string Name of the Issuer to use when the tls is requested but issuer name is not specified on the ingress resource. --dns01-check-retry-period duration The duration the controller should wait between a propagation check. Despite the name, this flag is used to configure the wait period for both DNS01 and HTTP01 challenge propagation checks. For DNS01 challenges the propagation check verifies that a TXT record with the challenge token has been created. For HTTP01 challenges the propagation check verifies that the challenge token is served at the challenge URL.This should be a valid duration string, for example 180s or 1h (default 10s) - --dns01-recursive-nameservers : A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: : or `https://`. For example: `8.8.8.8:53,8.8.4.4:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true. + --dns01-recursive-nameservers : A list of comma separated dns server endpoints used for DNS01 and DNS-over-HTTPS (DoH) check requests. This should be a list containing entries of the following formats: : or `https://`. For example: `8.8.8.8:53,8.8.4.4:53,[2001:4860:4860::8888]:53` or `https://1.1.1.1/dns-query,https://8.8.8.8/dns-query`. To make sure ALL DNS requests happen through DoH, `dns01-recursive-nameservers-only` should also be set to true. --dns01-recursive-nameservers-only When true, cert-manager will only ever query the configured DNS resolvers to perform the ACME DNS01 self check. This is useful in DNS constrained environments, where access to authoritative nameservers is restricted. 
Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers. --enable-certificate-owner-ref Whether to set the certificate resource as an owner of secret where the tls certificate is stored. When this flag is enabled, the secret will be automatically removed when the certificate resource is deleted. --enable-gateway-api Whether gateway API integration is enabled within cert-manager. The ExperimentalGatewayAPISupport feature gate must also be enabled (default as of 1.15). diff --git a/content/docs/reference/api-docs.md b/content/docs/reference/api-docs.md index e9e7eddb1d..f2efe54fdc 100644 --- a/content/docs/reference/api-docs.md +++ b/content/docs/reference/api-docs.md @@ -7103,5 +7103,5 @@ description: >-

- Generated with gen-crd-api-reference-docs on git commit 67c897d. + Generated with gen-crd-api-reference-docs on git commit 33df0f2.

diff --git a/content/docs/releases/release-notes/release-notes-1.12.md b/content/docs/releases/release-notes/release-notes-1.12.md index ff0a418078..cfdd25f38e 100644 --- a/content/docs/releases/release-notes/release-notes-1.12.md +++ b/content/docs/releases/release-notes/release-notes-1.12.md 
@@ -217,6 +217,28 @@ time and resources towards the continued maintenance of cert-manager projects. V cert-manager 1.12 as a long term support release, meaning it will be maintained for much longer than other releases to provide a stable platform for enterprises to build upon. +## `v1.12.14` + +This patch release makes [several changes](https://github.com/cert-manager/cert-manager/pull/7403) to how PEM input is validated in +cert-manager, adding maximum sizes appropriate to the type of PEM data which is being parsed. + +This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project. + +The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods. + +Note also that since most PEM data parsed by cert-manager comes from `ConfigMap` or `Secret` resources which have +a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data. + +Further details are in the [security advisory](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4). + +This patch release also fixes [an issue](https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r) reported by Trivy, +although that issue is low severity and is not expected to be relevant to cert-manager. + +## Bug Fixes + +- Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input ([#7403](https://github.com/cert-manager/cert-manager/pull/7403), [@SgtCoDFish](https://github.com/SgtCoDFish)) +- Fix `CVE-2024-5174` in `github.com/golang-jwt/jwt/v4` ([#7407](https://github.com/cert-manager/cert-manager/pull/7407), [@SgtCoDFish](https://github.com/SgtCoDFish)) + ## `v1.12.13` This patch release fixes the following vulnerabilities: 
diff --git a/content/docs/releases/release-notes/release-notes-1.15.md b/content/docs/releases/release-notes/release-notes-1.15.md index a84c5f4711..348e258758 100644 --- a/content/docs/releases/release-notes/release-notes-1.15.md +++ b/content/docs/releases/release-notes/release-notes-1.15.md 
@@ -33,6 +33,32 @@ Thanks also to the CNCF, which provides resources and support, and to the AWS op In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects. +## `v1.15.4` + +This patch release makes [several changes](https://github.com/cert-manager/cert-manager/pull/7402) to how PEM input is validated in +cert-manager, adding maximum sizes appropriate to the type of PEM data which is being parsed. + +This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project. + +The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods. + +Note also that since most PEM data parsed by cert-manager comes from `ConfigMap` or `Secret` resources which have +a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data. + +Further details are in the [security advisory](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4). + +In addition, the version of Go used to build cert-manager 1.15 was updated along with the base images, and a Route53 bug fix was backported. + +### Bug Fixes + +- Prevent aggressive Route53 retries caused by STS authentication failures by removing the Amazon Request ID from STS errors. ([#7261](https://github.com/cert-manager/cert-manager/pull/7261), [@cert-manager-bot](https://github.com/cert-manager-bot)) +- Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input ([#7402](https://github.com/cert-manager/cert-manager/pull/7402), [@SgtCoDFish](https://github.com/SgtCoDFish)) + +### Other + +- Bump go to 1.22.9 ([#7424](https://github.com/cert-manager/cert-manager/pull/7424), [@SgtCoDFish](https://github.com/SgtCoDFish)) + + ## `v1.15.3` ### Bug or Regression 
diff --git a/content/docs/releases/release-notes/release-notes-1.16.md b/content/docs/releases/release-notes/release-notes-1.16.md index 536fb96cb6..fd435825fd 100644 --- a/content/docs/releases/release-notes/release-notes-1.16.md +++ b/content/docs/releases/release-notes/release-notes-1.16.md 
@@ -221,8 +221,34 @@ Thanks also to the CNCF, which provides resources and support, and to the AWS op In addition, massive thanks to Venafi for contributing developer time and resources towards the continued maintenance of cert-manager projects. +## `v1.16.2` + +This patch release makes [several changes](https://github.com/cert-manager/cert-manager/pull/7401) to how PEM input is validated in +cert-manager, adding maximum sizes appropriate to the type of PEM data which is being parsed. + +This is to prevent an unacceptable slow-down in parsing specially crafted PEM data. The issue was found by Google's OSS-Fuzz project. + +The issue is low severity; to exploit the PEM issue would require privileged access which would likely allow Denial-of-Service through other methods. + +Note also that since most PEM data parsed by cert-manager comes from `ConfigMap` or `Secret` resources which have +a max size limit of approximately 1MB, it's difficult to force cert-manager to parse large amounts of PEM data. + +Further details are in the [security advisory](https://github.com/cert-manager/cert-manager/security/advisories/GHSA-r4pg-vg54-wxx4). + +In addition, the version of Go used to build cert-manager 1.16 was updated along with the base images. + +### Bug Fixes + +- Set a maximum size for PEM inputs which cert-manager will accept to remove possibility of taking a long time to process an input ([#7401](https://github.com/cert-manager/cert-manager/pull/7401), @SgtCoDFish) + +#### Other (Cleanup or Flake) + +- Bump go to 1.23.3 and bump base images to latest available ([#7431](https://github.com/cert-manager/cert-manager/pull/7431), @SgtCoDFish) + ## `v1.16.1` +cert-manager `v1.16.1` contains some fixes to Helm value schema validation, as well as a fix to the ACME ClusterIssuer. + Changes since `v1.16.0`. ### Bug or Regression diff --git a/content/docs/variables.json b/content/docs/variables.json index 8588398b8c..5e393189db 100644 --- a/content/docs/variables.json 
+++ b/content/docs/variables.json @@ -1,3 +1,3 @@ { - "cert_manager_latest_version": "v1.16.1" + "cert_manager_latest_version": "v1.16.2" } diff --git a/scripts/gendocs/generate-trust-manager b/scripts/gendocs/generate-trust-manager index ffc2c1bd64..a411df636e 100755 --- a/scripts/gendocs/generate-trust-manager +++ b/scripts/gendocs/generate-trust-manager @@ -61,6 +61,6 @@ gendocs() { echo "+++ Cloning trust-manager repository..." git clone "https://github.com/cert-manager/trust-manager.git" "$tmpdir" -checkout "v0.12.0" +checkout "v0.13.0" gendocs "$REPO_ROOT/content/docs/trust/trust-manager/api-reference.md"
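Review bot: In the `--dns01-recursive-nameservers` hunk of `controller.md`, the new IPv6 example `[2001:4860:4860::8888]:53` is added without any statement of the rule it illustrates, and the preceding format sentence ("entries of the following formats: : or `https://`") has lost its placeholders, so a reader cannot tell that IPv6 literals must be bracketed. Suggest restoring the placeholders and spelling out the rule, e.g. "`<ip>:<port>` (IPv6 addresses must be enclosed in square brackets, e.g. `[2001:4860:4860::8888]:53`) or `https://<host>/dns-query`".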
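Review bot: In the `release-notes-1.12.md` hunk, the Bug Fixes entry "Fix `CVE-2024-5174` in `github.com/golang-jwt/jwt/v4`" carries an identifier that does not look like the one for the linked advisory `GHSA-29wx-vh33-7x7r` and reads as if a digit was dropped; cross-check it against that advisory before publishing, since operators grep release notes by CVE id. Same hunk: `## Bug Fixes` is at the same heading level as `## `v1.12.14``, so the fixes list renders as a sibling of the version rather than under it; the 1.15 and 1.16 hunks use `### Bug Fixes`, which is the level this should use too.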
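Review bot: In the `release-notes-1.15.md` hunk, the intro says "the version of Go used to build cert-manager 1.15 was updated along with the base images", but the only `### Other` bullet is "Bump go to 1.22.9 ([#7424]...)" with no mention of base images, whereas the 1.16 hunk's bullet says "Bump go to 1.23.3 and bump base images to latest available". Either extend the 1.15 bullet to cover the base image update or drop the claim from the intro so the summary and the itemised list agree. There is also a stray extra blank line before `## `v1.15.3``.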
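Review bot: In the `release-notes-1.16.md` hunk, "adding maximum sizes appropriate to the type of PEM data which is being parsed" never states what those sizes are, yet this is the one change in `v1.16.2` that can reject previously accepted input (for example a large CA bundle in a `Secret`); suggest listing the limits per PEM type, or at least linking the section of [#7401](https://github.com/cert-manager/cert-manager/pull/7401) that defines them, so operators can check their inputs before upgrading. Two smaller points in the same hunk: `#### Other (Cleanup or Flake)` is a level deeper than `### Bug Fixes` and so nests under it rather than beside it, and the attributions are bare `@SgtCoDFish` while the 1.12 and 1.15 hunks link them as `[@SgtCoDFish](https://github.com/SgtCoDFish)`.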
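Review bot: In the `scripts/gendocs/generate-trust-manager` hunk, bumping the checkout from `v0.12.0` to `v0.13.0` is not accompanied by a regenerated `content/docs/trust/trust-manager/api-reference.md`, which is the file `gendocs` writes on the following line; unless that output is byte-identical between the two tags, the checked-in reference now documents a different trust-manager version than the script claims. Suggest running the script and committing the regenerated file in the same change.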