Update module helm.sh/helm/v3 to v3.14.2 [SECURITY] - autoclosed #84
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v3.7.1
->v3.14.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2022-36055
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the
_strvals_
package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the_strvals_
package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.Impact
The
_strvals_
package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like--set
,--set-string
, and others that enable the user to pass in strings that are merged into the values. The_strvals_
package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic.Applications that use the
_strvals_
package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.The Helm Client will panic with input to
--set
,--set-string
, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.Patches
This issue has been resolved in 3.9.4.
Workarounds
SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the
_strvals_
functions.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
CVE-2022-23524
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the strvals package that can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the strvals package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.
Impact
The strvals package contains a parser that turns strings into Go structures. For example, the Helm client has command line flags like
--set
,--set-string
, and others that enable the user to pass in strings that are merged into the values. The strvals package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing a stack overflow.Applications that use the strvals package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from.
The Helm Client will panic with input to
--set
,--set-string
, and other value setting flags that causes a stack overflow. Helm is not a long running service so the panic will not affect future uses of the Helm client.Patches
This issue has been resolved in 3.10.3.
Workarounds
SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the strvals functions.
For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
CVE-2023-25165
A Helm contributor discovered an information disclosure vulnerability using the
getHostByName
template function.Impact
getHostByName
is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used withhelm install|upgrade|template
or when the Helm SDK is used to render a chart.Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject
getHostByName
into a chart in order to disclose values to a malicious DNS server.Patches
The issue has been fixed in Helm 3.11.1.
Workarounds
Prior to using a chart with Helm verify the
getHostByName
function is not being used in a template to disclose any information you do not want passed to DNS servers.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Philipp Stehle at SAP.
CVE-2022-23525
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the
_repo_
package that can cause a segmentation violation. Applications that use functions from the_repo_
package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.Impact
The
_repo_
package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The_repo_
package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation.Applications that use the
_repo_
package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from.The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.
Patches
This issue has been resolved in 3.10.3.
Workarounds
SDK users can validate index files that are correctly formatted before passing them to the
_repo_
functions.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
CVE-2022-23526
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the
_chartutil_
package that can cause a segmentation violation. Applications that use functions from the_chartutil_
package in the Helm SDK can have a Denial of Service attack when they use this package and it panics.Impact
The
_chartutil_
package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The_chartutil_
package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation.Applications that use the
_chartutil_
package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from.The Helm Client will panic with a schema file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client.
Patches
This issue has been resolved in 3.10.3.
Workarounds
SDK users can validate schema files that are correctly formatted before passing them to the
_chartutil_
functions.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Ada Logics in a fuzzing audit sponsored by CNCF.
CVE-2024-25620
A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.
Impact
When either the Helm client or SDK is used to save a chart whose name within the
Chart.yaml
file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.Patches
This issue has been resolved in Helm v3.14.1.
Workarounds
Check all charts used by Helm for path changes in their name as found in the
Chart.yaml
file. This includes dependencies.Credits
Disclosed by Dominykas Blyžė at Nearform Ltd.
CVE-2024-26147
A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content.
Impact
When either an
index.yaml
file or a pluginsplugin.yaml
file were missing all metadata a panic would occur in Helm.In the Helm SDK this is found when using the
LoadIndexFile
orDownloadIndexFile
functions in therepo
package or theLoadDir
function in theplugin
package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation.Patches
This issue has been resolved in Helm v3.14.2.
Workarounds
If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem.
If using Helm SDK versions prior to 3.14.2, calls to affected functions can use
recover
to catch the panic.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
Release Notes
helm/helm (helm.sh/helm/v3)
v3.14.2
: Helm v3.14.2Compare Source
Helm v3.14.2 is a security (patch) release. Users are strongly recommended to update to this release.
A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content.
Jakub Ciolek with AlphaSense discovered the vulnerability.
Installation and Upgrading
Download Helm v3.14.2. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
v3.14.1
: Helm v3.14.1Compare Source
Helm v3.14.1 is a security (patch) release. Users are strongly recommended to update to this release.
A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.
Dominykas Blyžė with Nearform Ltd. discovered the vulnerability.
Installation and Upgrading
Download Helm v3.14.1. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
v3.14.0
: Helm v3.14.0Compare Source
Helm v3.14.0 is a feature release. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Notable Changes
helm search
flag of--fail-on-no-result
tpl
invocation access todefines
tpl
function--kube-version
tolint
commandignore
pkg is now publicInstallation and Upgrading
Download Helm v3.14.0. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
Changelog
3fc9f4b
(George Jenkins)69dcc92
(Matt Farina)c042264
(Matt Farina)6e5332e
(Joe Julian)869c1d2
(Antoine Deschênes)847369c
(Matt Farina)08ea59c
(dependabot[bot])30e1a2c
(dependabot[bot])803cf2d
(Matt Farina)a997de1
(Marcin Owsiany)ignore
pkg public again5586760
(Ismail Alidzhikov)b3cb20a
(dependabot[bot])e5fff68
(Matt Farina)bfec4ec
(Marcin Owsiany)70c1519
(dependabot[bot])be10183
(dependabot[bot])015e174
(Matt Farina)2a211bf
(dependabot[bot])ce87ece
(Sean Mills)3cb6b06
(dependabot[bot])42c5af2
(dependabot[bot])312a073
(lixin18)8814bfb
(Marcin Chojnacki)c54e39a
(dependabot[bot])d6e9197
(dependabot[bot])9f0313e
(Denis Policastro)24e2864
(Matt Farina)c5fe7dd
(dependabot[bot])992dc58
(Matt Farina)81362d9
(Marcel Humburg)6d1f6cd
(dependabot[bot])372ccca
(dependabot[bot])a1a21ae
(dependabot[bot])250f0bd
(Dmitry Chepurovskiy)0ec47f8
(Dmitry Chepurovskiy)f94e5db
(Ian Zink)b0d1637
(Serge Logvinov)544cabb
(dependabot[bot])25371e2
(Matt Farina)919bffe
(genofire)e6d9b99
(Dmitry Chepurovskiy)e219c75
(Dmitry Chepurovskiy)f004d42
(b4nks)9d3d17a
(Ian Zink)828763e
(Lars Zimmermann)fe4c01f
(Hidde Beydals)da3c666
(Hidde Beydals)21ea847
(Ian Zink)415af5b
(Andy Smith)102e931
(dependabot[bot])2505592
(dependabot[bot])c372b15
(Matt Farina)8b0a78c
(dependabot[bot])58ccfc0
(dependabot[bot])0619d08
(Ian Zink)4199be8
(abrarcv170)0403305
(Antony Chazapis)GoFish
from package managers for installing the binarya9377f9
(y-yagi)tpl
invocation access todefines
in a containing one"b261a1b
(Graham Reed)tpl
"36d417d
(Graham Reed)1a3e9a9
(Stefan McShane)786707c
(Antony Chazapis)6a4035a
(Daniel Strobusch)95905f1
(Graham Reed)fa067ec
(Mathias Neerup)f28447c
(Mathias Neerup)b9cece6
(Bhargav Ravuri)141fa4a
(muang0)4cb62d1
(muang0)dbb21fc
(muang0)fcc0332
(muang0)a1a1aaf
(muang0)fa025fc
(zak905)tpl
invocation access todefines
in a containing onea7d3fd6
(Graham Reed)e2a7c79
(Graham Reed)tpl
db4f330
(Graham Reed)d008340
(James Oden)4f99c86
(James Oden)d94c509
(James Oden)a9d59f9
(Quentin Devos)v3.13.3
: Helm v3.13.3Compare Source
Helm v3.13.3 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Installation and Upgrading
Download Helm v3.13.3. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
Changelog
c8b9489
(Matt Farina)2f03d01
(Sean Mills)2e63576
(genofire)v3.13.2
: Helm v3.13.2Compare Source
Helm v3.13.2 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Installation and Upgrading
Download Helm v3.13.2. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
Changelog
2a2fb3b
(dependabot[bot])8f554be
(Marcel Humburg)00a334c
(dependabot[bot])12826e8
(Marcin Chojnacki)666b199
(Dmitry Chepurovskiy)7e0084a
(Dmitry Chepurovskiy)10018ff
(Dmitry Chepurovskiy)3b4cacf
(Dmitry Chepurovskiy)e785e6c
(Matt Farina)268dced
(Matt Farina)99ce118
(dependabot[bot])28f208c
(Ian Zink)v3.13.1
: Helm v3.13.1Compare Source
Helm v3.13.1 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Installation and Upgrading
Download Helm v3.13.1. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
Changelog
3547a4b
(Matt Farina)6f9ad87
(Ian Zink)bae7b32
(Lars Zimmermann)06e4fb1
(Hidde Beydals)0e7ec78
(b4nks)0ac7894
(Hidde Beydals)0901269
(Ian Zink)6101393
(Ian Zink)c99a8ac
(dependabot[bot])52a029d
(abrarcv170)ff8e61d
(dependabot[bot])v3.13.0
: Helm v3.13.0Compare Source
Helm v3.13.0 is a feature release. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Notable Changes
--dry-run
flag now has multiple options which can enable Helm to connect to a Kubernetes instance. The default, when--dry-run
is used, is unchanged.--plain-http
flaghelm get metadata
command--json
flag when creating it. JSON is faster to parse and uses less memory which impacts larger files. This is backwards compatible as Helm, all the way back to 3.0.0, parsing can handle JSON content in the index.yaml file.Installation and Upgrading
Download Helm v3.13.0. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
Changelog
825e86f
(Matt Farina)169561a
(Michał Słapek)417040d
(dependabot[bot])610217f
(dependabot[bot])c2ab954
(Matt Farina)b9fd7f5
(dependabot[bot])ca3a05e
(Joe Julian)04ec71a
(Joe Julian)ebb3168
(dependabot[bot])fa45978
(dependabot[bot])e01731d
(ithrael)4944acb
(Maxim Trofimov)6138e10
(Maxim Trofimov)199784f
(Maxim Trofimov)b786cb4
(Maxim Trofimov)df5904d
(Maxim Trofimov)fa89665
(dependabot[bot])4283b2c
(dependabot[bot])d82cc90
(dependabot[bot])479be0c
(Tim Chaplin)4e5e68d
(Bingtan Lu)3c26d65
(dependabot[bot])ee1cbed
(ithrael)0eb3df6
(ithrael)0688046
(ithrael)db9460c
(ithrael)817e646
(dependabot[bot])758dc01
(Ian Zink)04850dc
(dependabot[bot])2011a31
(0xff-dev)bf543d9
](https://togithub.com/helmConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.