Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[release-1.14] upgrade Helm to fix CVE-2024-26147 #6834

Merged
merged 1 commit into from Mar 7, 2024
Merged

[release-1.14] upgrade Helm to fix CVE-2024-26147 #6834

merged 1 commit into from Mar 7, 2024

Conversation

inteon
Copy link
Member

@inteon inteon commented Mar 7, 2024
edited

see https://storage.googleapis.com/jetstack-logs/logs/ci-cert-manager-release-1.14-trivy-test-ctl/1765413865450901504/build-log.txt

Trivy output:

{
      "Target": "app/cmd/ctl/ctl",
      "Class": "lang-pkgs",
      "Type": "gobinary",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2024-26147",
          "PkgName": "helm.sh/helm/v3",
          "InstalledVersion": "v3.14.1",
          "FixedVersion": "3.14.2",
          "Status": "fixed",
          "Layer": {
            "DiffID": "sha256:90279bedc29a0ded7968d0800222f9f7c3475bd7feeffe84cbb019864382ee01"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-26147",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Go",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
          },
          "Title": "helm: Missing YAML Content Leads To Panic",
          "Description": "Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-457"
          ],
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2024-26147",
            "https://github.com/helm/helm",
            "https://github.com/helm/helm/commit/bb4cc9125503a923afb7988f3eb478722a8580af",
            "https://github.com/helm/helm/security/advisories/GHSA-r53h-jv2g-vpx6",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-26147",
            "https://www.cve.org/CVERecord?id=CVE-2024-26147"
          ],
          "PublishedDate": "2024-02-21T23:15:08.763Z",
          "LastModifiedDate": "2024-02-22T19:07:27.197Z"
        },
        ...
      ]
    }

Pull Request Motivation

Kind

/kind cleanup

Release Note

Upgrade Helm: fix CVE-2024-26147 alert

@inteon
upgrade Helm to fix CVE-2024-26147
a362957 
Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. area/testing Issues relating to testing size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 7, 2024
@ThatsMrTalbot
Copy link
Contributor

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 7, 2024
@inteon
Copy link
Member Author

inteon commented Mar 7, 2024

/approve

@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 7, 2024
@jetstack-bot jetstack-bot merged commit 716ff1c into cert-manager:release-1.14 Mar 7, 2024
8 checks passed
nrdufour added a commit to nrdufour/home-ops that referenced this pull request Mar 9, 2024
@nrdufour
chore(deps): update helm release cert-manager to v1.14.4 (#425)
513a051 
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [cert-manager](https://github.com/cert-manager/cert-manager) | patch | `v1.14.3` -> `v1.14.4` |

---

### Release Notes

<details>
<summary>cert-manager/cert-manager (cert-manager)</summary>

### [`v1.14.4`](https://github.com/cert-manager/cert-manager/releases/tag/v1.14.4)

[Compare Source](cert-manager/cert-manager@v1.14.3...v1.14.4)

cert-manager is the easiest way to automatically manage certificates in Kubernetes and OpenShift clusters.

cert-manager 1.14 brings a variety of features, security improvements and bug fixes, including: support for creating X.509 certificates with "Other Name" fields, and support for creating CA certificates with "Name Constraints" and "Authority Information Accessors" extensions.

##### ⚠️ Known Issues

-   ACME Issuer (Let's Encrypt): wrong certificate chain may be used if preferredChain is configured: see [release docs](https://cert-manager.io/docs/releases/release-notes/release-notes-1.14/#acme-issuer-lets-encrypt-wrong-certificate-chain-may-be-used-if-preferredchain-is-configured---6755-6757) for more info and mitigations

##### ℹ️ Documentation

[Release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.14)
[Upgrade notes](https://cert-manager.io/docs/releases/upgrading/upgrading-1.13-1.14)
[Installation instructions](https://cert-manager.io/docs/installation/)

##### 🔧 Breaking changes

See Breaking changes in [v1.14.0 release notes](https://github.com/cert-manager/cert-manager/releases/tag/v1.14.0)

##### 📜 Changes since v1.14.3

##### Bug or Regression

-   Allow `cert-manager.io/allow-direct-injection` in annotations ([#&#8203;6809](cert-manager/cert-manager#6809), [@&#8203;jetstack-bot](https://github.com/jetstack-bot))
-   BUGFIX: JKS and PKCS12 stores now contain the full set of CAs specified by an issuer ([#&#8203;6812](cert-manager/cert-manager#6812), [@&#8203;jetstack-bot](https://github.com/jetstack-bot))
-   BUGFIX: cainjector leaderelection flag/ config option defaults are missing ([#&#8203;6819](cert-manager/cert-manager#6819), [@&#8203;jetstack-bot](https://github.com/jetstack-bot))

##### Other (Cleanup or Flake)

-   Bump base images. ([#&#8203;6842](cert-manager/cert-manager#6842), [@&#8203;inteon](https://github.com/inteon))
-   Upgrade Helm: fix CVE-2024-26147 alert ([#&#8203;6834](cert-manager/cert-manager#6834), [@&#8203;inteon](https://github.com/inteon))
-   Upgrade go to 1.21.8: fixes CVE-2024-24783 ([#&#8203;6825](cert-manager/cert-manager#6825), [@&#8203;jetstack-bot](https://github.com/jetstack-bot))
-   Upgrade google.golang.org/protobuf: fixing GO-2024-2611 ([#&#8203;6829](cert-manager/cert-manager#6829), [@&#8203;inteon](https://github.com/inteon))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Reviewed-on: https://git.home/nrdufour/home-ops/pulls/425
Co-authored-by: Renovate <renovate@ptinem.io>
Co-committed-by: Renovate <renovate@ptinem.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@inteon @ThatsMrTalbot @jetstack-bot