
chore(deps): bump github.com/cert-manager/cert-manager from 1.19.5 to 1.19.6 #3599

Merged

tekton-robot merged 1 commit into release-v0.79.x from dependabot/go_modules/release-v0.79.x/github.com/cert-manager/cert-manager-1.19.6 on Jul 1, 2026

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 29, 2026

Bumps github.com/cert-manager/cert-manager from 1.19.5 to 1.19.6.

Release notes

Sourced from github.com/cert-manager/cert-manager's releases.

v1.19.6

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

This patch release fixes a security issue (GHSA-8rvj-mm4h-c258, HIGH) where the default cert-manager-edit aggregate ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly. A user who could create a Challenge referencing a ClusterIssuer could supply attacker-controlled solver configuration while cert-manager loaded credentials from the ClusterIssuer's namespace, bypassing Issuer solver selectors (dnsZones, dnsNames, matchLabels). With the acme-dns provider specifically, this could disclose DNS credentials to an attacker-controlled endpoint.

This release also includes Go version bumps to address reported CVEs. All users should upgrade.

[!WARNING] Potentially breaking change: The cert-manager-edit aggregate ClusterRole no longer grants create for challenges.acme.cert-manager.io or create, patch, update for orders.acme.cert-manager.io. These resources are internal to cert-manager's ACME workflow and are not intended to be created or modified directly by users. If you have tooling or workflows that create Challenge or Order resources directly (outside of the normal Certificate → CertificateRequest → Order → Challenge flow), you will need to grant those permissions explicitly.

Changes by Kind

Bug or Regression

Other (Cleanup or Flake)

Commits
  • 60b0447 Merge pull request #8944 from cert-manager-bot/cherry-pick-8857-to-release-1.19
  • 7901d42 build-on-tag: let's store GCB logs in a bucket
  • fe38cfb Merge pull request #8943 from cert-manager-bot/cherry-pick-8851-to-release-1.19
  • c989ae0 Merge pull request #8941 from wallrj-cyberark/restrict-edit-clusterrole-rbac-...
  • c048cad build-on-tag now requires a logging option
  • b37dbf0 Restrict Challenge and Order verbs in aggregate edit ClusterRole
  • 9562155 Merge pull request #8925 from wallrj-cyberark/update-go-1.25.11-release-1.19
  • 1720821 [release-1.19] Update Go to v1.25.11
  • ecdac75 Merge pull request #8907 from cert-manager/renovate/release-1.19-base-images
  • c776c75 chore(deps): update base images
  • Additional commits viewable in compare view
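As an added example (not code from this PR, from Tekton, or from cert-manager): a stdlib-only Go check that takes a ClusterRole as JSON, as printed by `kubectl get clusterrole NAME -o json`, and reports whether it still confers the verbs the v1.19.6 release note says were removed from cert-manager-edit (create on challenges; create, patch and update on orders). The two embedded ClusterRole documents are constructed to illustrate the shape before and after the change and are not copied from cert-manager's manifests; the function and constant names are my own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal projection of an rbac.authorization.k8s.io/v1 ClusterRole: only the
// fields the check needs, so it runs with the standard library alone
// (no k8s.io/api dependency).
type PolicyRule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

type ClusterRole struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Rules []PolicyRule `json:"rules"`
}

// Grant is one (apiGroup, resource, verb) triple.
type Grant struct {
	Group, Resource, Verb string
}

// Forbidden is the set of grants the v1.19.6 release note says were removed
// from cert-manager-edit: create on challenges, create/patch/update on orders.
var Forbidden = []Grant{
	{"acme.cert-manager.io", "challenges", "create"},
	{"acme.cert-manager.io", "orders", "create"},
	{"acme.cert-manager.io", "orders", "patch"},
	{"acme.cert-manager.io", "orders", "update"},
}

// matches applies RBAC semantics: "*" in apiGroups, resources or verbs matches
// everything, so an over-broad rule is reported as well as an explicit one.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// DangerousGrants returns each Forbidden grant that at least one rule of the
// given ClusterRole confers. An empty result means the role is at the
// post-1.19.6 level for these resources.
func DangerousGrants(clusterRoleJSON []byte) ([]Grant, error) {
	var cr ClusterRole
	if err := json.Unmarshal(clusterRoleJSON, &cr); err != nil {
		return nil, fmt.Errorf("parse ClusterRole: %w", err)
	}
	var found []Grant
	for _, g := range Forbidden {
		for _, r := range cr.Rules {
			if matches(r.APIGroups, g.Group) && matches(r.Resources, g.Resource) && matches(r.Verbs, g.Verb) {
				found = append(found, g)
				break
			}
		}
	}
	return found, nil
}

// PreFixRole and PostFixRole are constructed samples (hypothetical, not copied
// from cert-manager's manifests) shaped like the aggregate edit role before and
// after the change described in the release note.
const PreFixRole = `{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "cert-manager-edit", "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
  "rules": [
    {"apiGroups": ["cert-manager.io"], "resources": ["certificates", "certificaterequests", "issuers"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
    {"apiGroups": ["acme.cert-manager.io"], "resources": ["challenges", "orders"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]}
  ]
}`

const PostFixRole = `{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "cert-manager-edit", "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
  "rules": [
    {"apiGroups": ["cert-manager.io"], "resources": ["certificates", "certificaterequests", "issuers"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
    {"apiGroups": ["acme.cert-manager.io"], "resources": ["challenges"],
     "verbs": ["delete", "deletecollection", "patch", "update"]},
    {"apiGroups": ["acme.cert-manager.io"], "resources": ["orders"], "verbs": ["delete", "deletecollection"]}
  ]
}`

func main() {
	for _, s := range []struct{ name, role string }{{"before fix", PreFixRole}, {"after fix", PostFixRole}} {
		grants, err := DangerousGrants([]byte(s.role))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-10s forbidden grants: %d %v\n", s.name, len(grants), grants)
	}
}
```

Against a live cluster, feed it the output of `kubectl get clusterrole cert-manager-edit -o json`; the same question for one subject is `kubectl auth can-i create challenges.acme.cert-manager.io --as=<user> -n <namespace>`. Because the built-in `edit` role is aggregated from every ClusterRole carrying the aggregate-to-edit label, run the check over each contributing role (or the aggregated `edit` role itself) rather than cert-manager-edit alone. If tooling genuinely needs these verbs, grant them with a namespaced Role bound to that tooling's service account instead of re-widening the aggregate.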

dependabot[bot] added the dependencies, kind/misc, ok-to-test and release-note-none labels on Jun 29, 2026
@tekton-robot tekton-robot requested review from khrm and mbpavan June 29, 2026 16:39
@tekton-robot tekton-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jun 29, 2026
vdemeester (Member) commented:

/retest

Bumps [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager) from 1.19.5 to 1.19.6.
- [Release notes](https://github.com/cert-manager/cert-manager/releases)
- [Changelog](https://github.com/cert-manager/cert-manager/blob/master/RELEASE.md)
- [Commits](cert-manager/cert-manager@v1.19.5...v1.19.6)

---
updated-dependencies:
- dependency-name: github.com/cert-manager/cert-manager
  dependency-version: 1.19.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/go_modules/release-v0.79.x/github.com/cert-manager/cert-manager-1.19.6 branch from 91ce3be to 3fd5da7 on July 1, 2026 08:24

vdemeester (Member) left a comment:

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
tekton-robot (Contributor) commented:

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 1, 2026
@tekton-robot tekton-robot merged commit f0e8885 into release-v0.79.x Jul 1, 2026
11 checks passed
@dependabot dependabot Bot deleted the dependabot/go_modules/release-v0.79.x/github.com/cert-manager/cert-manager-1.19.6 branch July 1, 2026 09:24
