During the last release of cert-manager-operator.v1.11.5 and v1.12.1, we aimed to apply remediation to our downstream repositories, both operand and operator, based upon the vulnerabilities found in CVE-2023-44487 and CVE-2023-39325, following the guidance from https://docs.google.com/document/d/1F99glzhX2i2Ppe5Qq3M-Po_jSSUiVssqFyWRhVm1X3o/edit.
However, as of today these CVE fixes seem to have also been properly incorporated in upstream cert-manager, which calls for an analysis of whether we want to revert the downstream patch commits and pull the upstream commits back in. This analysis would help conclude the next steps for such items, including the new CVEs as well as the remediation carry/drop for the older fixes incorporated.
Acceptance criteria:
- Decide if the operator (and its respective operand, cert-manager) for v1.11 and v1.12 need a new z-stream release with altered commits, new CVE fixes, etc.
Is related to: CM-178 cert-manager-operator 1.13 release (Closed)