note that cert-manager is not actually vulnerable to CVE-2022-23471
since the affected code is not used
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

cert-manager was not able to retry failed TPP certificates due to the
fact that TPP will not reset a given certificate that has a failed
enrollment status from a previous enrollment. More specifically,
cert-manager was getting stuck with either:
WebSDK CertRequest Module Requested Certificate
or
This certificate cannot be processed while it is in an error state.
Fix any errors, and then click Retry.
With vcert v4.23.0, a call to "reset" is made when one of these two
messages is found while polling for the certificate (i.e., while
calling vcert's RetrieveCertificate function).
Signed-off-by: Maël Valais <mael@vls.dev>

```text
{
"VulnerabilityID": "CVE-2022-41717",
"PkgName": "golang.org/x/net",
"InstalledVersion": "v0.0.0-20220921155015-db77216a4ee9",
"FixedVersion": "0.4.0",
"Layer": {
"DiffID": "sha256:629212d4fb1b47585329d1c630cb91f919ddcd6168031a07121953d6c6dbd438"
},
"PrimaryURL": "https://avd.aquasec.com/nvd/cve-2022-41717",
"DataSource": {
"ID": "go-vulndb",
"Name": "The Go Vulnerability Database",
"URL": "https://github.com/golang/vulndb"
},
"Title": "An attacker can cause excessive memory growth in a Go server accepting ...",
"Description": "An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server connections contain a cache of HTTP header keys sent by the client. While the total number of entries in this cache is capped, an attacker sending very large keys can cause the server to allocate approximately 64 MiB per open connection.",
"Severity": "UNKNOWN",
"References": [
"https://go.dev/cl/455635",
"https://go.dev/cl/455717",
"https://go.dev/issue/56350",
"https://groups.google.com/g/golang-announce/c/L_3rmdT0BMU/m/yZDrXjIiBQAJ",
"https://pkg.go.dev/vuln/GO-2022-1144"
],
"PublishedDate": "2022-12-08T20:15:00Z",
"LastModifiedDate": "2022-12-08T22:30:00Z"
}
```
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

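Triage logic for Trivy findings shaped like the entry quoted above, added here as an example (not cert-manager's or Trivy's own code): it groups findings by the dependency bump that resolves them and sets aside those with no fixed version, which need a workaround or a justification such as the "affected code is not used" note in the first commit. The sample report is constructed; the placeholder CVE id and package name are not real.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Vulnerability is the subset of a Trivy vulnerability record used here;
// the other fields (Layer, References, ...) are ignored by the decoder.
type Vulnerability struct {
	VulnerabilityID  string
	PkgName          string
	InstalledVersion string
	FixedVersion     string
}

// Triage maps each "pkg -> fixedVersion" bump to the finding IDs it resolves.
// Findings with no fixed version yet are returned separately (workaround/justify).
func Triage(findings []Vulnerability) (bumps map[string][]string, unfixed []Vulnerability) {
	bumps = map[string][]string{}
	for _, f := range findings {
		if f.FixedVersion == "" {
			unfixed = append(unfixed, f)
			continue
		}
		key := f.PkgName + " -> " + f.FixedVersion
		bumps[key] = append(bumps[key], f.VulnerabilityID)
	}
	return bumps, unfixed
}

// ParseFindings decodes a JSON array of Trivy vulnerability records.
func ParseFindings(data []byte) ([]Vulnerability, error) {
	var v []Vulnerability
	return v, json.Unmarshal(data, &v)
}

// sampleReport is constructed: the x/net entry quoted in the commit message
// above, plus a placeholder finding for which no fix is available.
const sampleReport = `[
 {"VulnerabilityID":"CVE-2022-41717","PkgName":"golang.org/x/net",
  "InstalledVersion":"v0.0.0-20220921155015-db77216a4ee9","FixedVersion":"0.4.0"},
 {"VulnerabilityID":"CVE-0000-00001","PkgName":"example.com/placeholder",
  "InstalledVersion":"v1.0.0","FixedVersion":""}
]`

func main() {
	findings, err := ParseFindings([]byte(sampleReport))
	if err != nil { panic(err) }
	bumps, unfixed := Triage(findings)
	fmt.Printf("bumps: %v\nunfixed (justify or work around): %+v\n", bumps, unfixed)
}
```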
the replaced version had several CVEs as reported by Trivy:
CVE-2021-44716 - golang.org/x/net:
golang: net/http: limit growth of header canonicalization cache
CVE-2021-31525 - golang.org/x/net:
golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header
CVE-2022-29526 - golang.org/x/sys:
golang: syscall: faccessat checks wrong group
this commit fixes those reported CVEs
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>

As the later version has a breaking change (bumps github.com/emicklei/go-restful -> github.com/emicklei/go-restful/v3)
Signed-off-by: irbekrm <irbekrm@gmail.com>

To allow us to both upgrade the upstream library and keep supporting HMACMD5 as RFC2136 TSIG algorithm although it was deprecated in the upstream library
Signed-off-by: irbekrm <irbekrm@gmail.com>

This is so as to avoid dropping support for HMacMD5 value for issuer.spec.acme.solvers.dns01.rfc2136.tsigAlgorithm
Signed-off-by: irbekrm <irbekrm@gmail.com>

Following the release of cert-manager v1.6.0, it was observed that an
update to the keystore-go library was backwards-incompatible; it
introduced a 6-character minimum length on passwords which wasn't
previously in force.
This led to https://github.com/pavel-v-chernykh/keystore-go/issues/30
which in turn led to https://github.com/pavel-v-chernykh/keystore-go/pull/31
This commit bumps to use the new version, which by default doesn't have
a min password length.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>