v0.23.6

gardener-robot-ci-1 released this 14 May 12:44
· 441 commits to master since this release

[gardener/external-dns-management]

🛡️ Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2025-47282: Malicious google credential in DNS secret can lead to privilege escalation

A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project or a user with administrative privileges for a shoot cluster, including administrative privileges for a single namespace of the shoot cluster, to obtain control over the seed cluster where the shoot cluster is managed.

Affected Versions:

  • external-dns-management < 0.23.6

Fixed Versions:

  • external-dns-management >= 0.23.6

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

✨ New Features

  • [USER] Introduce values reconcile and full for annotation dns.gardener.cloud/ignore. While the value reconcile (and its already existing alias true) only ignores reconciliation but not deletion, to avoid orphan DNS records, the value full also ignores the records on deletion. by @MartinWeindel [#455]

🏃 Others

  • [OPERATOR] Ensure valid project_id for google-clouddns provider. by @MartinWeindel [#459]
  • [OPERATOR] Periodic feedback events on errors every 15 minutes. by @MartinWeindel [#458]
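
A sketch of the kind of check the "Ensure valid project_id for google-clouddns provider" item describes, added here as an example and not taken from the external-dns-management code base. The helper name ValidateProjectID and the choice of Google Cloud's documented project ID format as the validity rule are assumptions, and the sample credentials are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

// Google Cloud's documented project ID rules: 6-30 characters, lowercase
// letters, digits and hyphens, starting with a letter, not ending in a hyphen.
var projectIDPattern = regexp.MustCompile(`^[a-z][a-z0-9-]{4,28}[a-z0-9]$`)

// ValidateProjectID (hypothetical helper) parses the service account JSON taken
// from a DNS provider secret and returns project_id only if it is well-formed.
func ValidateProjectID(serviceAccountJSON []byte) (string, error) {
	var cred struct {
		ProjectID *string `json:"project_id"`
	}
	if err := json.Unmarshal(serviceAccountJSON, &cred); err != nil {
		return "", fmt.Errorf("credential is not valid JSON: %w", err)
	}
	if cred.ProjectID == nil {
		return "", errors.New("credential has no project_id")
	}
	if !projectIDPattern.MatchString(*cred.ProjectID) {
		return "", fmt.Errorf("project_id %q does not match the project ID format", *cred.ProjectID)
	}
	return *cred.ProjectID, nil
}

func main() {
	// Constructed sample credentials; no real keys or projects.
	samples := []string{
		`{"type":"service_account","project_id":"my-dns-project-123"}`,
		`{"type":"service_account","project_id":"Bad Project/ID"}`,
		`{"type":"service_account"}`,
		`{"type":"service_account","project_id":12345678}`,
	}
	for _, s := range samples {
		id, err := ValidateProjectID([]byte(s))
		if err != nil {
			fmt.Println("REJECT:", err)
			continue
		}
		fmt.Println("OK:", id)
	}
}
```

The pattern is deliberately strict: it also rejects legacy domain-scoped project IDs, so an operator who still uses those would need to extend it.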

Helm Charts

  • dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/charts/dns-controller-manager:v0.23.6

Container (OCI) Images

  • dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager:v0.23.6