note that cert-manager is not actually vulnerable to CVE-2022-23471
since the affected code is not used
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
```text
{
"VulnerabilityID": "CVE-2022-41717",
"PkgName": "golang.org/x/net",
"InstalledVersion": "v0.0.0-20220921155015-db77216a4ee9",
"FixedVersion": "0.4.0",
"Layer": {
"DiffID": "sha256:629212d4fb1b47585329d1c630cb91f919ddcd6168031a07121953d6c6dbd438"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41717",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "An attacker can cause excessive memory growth in a Go server accepting ...",
"Description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"Severity": "UNKNOWN",
"References": [
"https://go.dev/cl/455635",
"https://go.dev/cl/455717",
"https://go.dev/issue/56350",
"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"https://pkg.go.dev/vuln/GO-2022-1144"
],
"PublishedDate": "2022-12-08T20:15:00Z",
"LastModifiedDate": "2022-12-08T22:30:00Z"
}
```
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
the replaced version had several CVEs as reported by Trivy:
CVE-2021-44716 - golang.org/x/net:
golang: net/http: limit growth of header canonicalization cache
CVE-2021-31525 - golang.org/x/net:
golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header
CVE-2022-29526 - golang.org/x/sys:
golang: syscall: faccessat checks wrong group
this commit fixes those reported CVEs
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
Note that the gateway-shim is only half the work for supporting the
Gateway API in cert-manager. The other half is the HTTP01 solver
support, which is still being worked on.
The Gateway API in cert-manager is released as an experimental feature
and needs to be enabled manually with the following flag:
--controllers=*,gateway-shim
All the annotations supported by ingress-shim are also supported by
gateway-shim, with some exceptions:
"acme.cert-manager.io/http01-ingress-class"
This annotation is not supported on the Gateway resource. Although the
Gateway resource also has a "gatewayClass" field, we will need to add
another field instead of "ingress-class" to avoid confusion with the
ingress-shim.
"acme.cert-manager.io/http01-edit-in-place"
This annotation is not supported because it is specific to some ingress
controllers like ingress-gce.
"kubernetes.io/tls-acme"
This annotation is not supported because it is a behavior inherited from
kube-lego and we chose not to keep this behavior with the Gateway API.
Unlike the ingress-shim, you can reuse the same Secret name in multiple
TLS configurations on the same Gateway resource.
The ingress-shim now shows the exact location of the duplicate
secretName when the user gives the same secretName in two separate TLS
blocks.
Signed-off-by: Maël Valais <mael@vls.dev>
Co-authored-by: Jake Sanders <i@am.so-aweso.me>