Helm v3.3.2 is a security (patch) release. Users are strongly encouraged to update to this release. It fixes a variety of minor security issues, as well as four notable security issues for which we have opened security advisories. More information on those advisories can be found on the security advisory page.
Most of the issues were discovered by Trail of Bits during their CNCF-sponsored audit of the Helm codebase. We are grateful for Trail of Bits' detailed and thorough analysis of the Helm codebase. In addition, a Helm core maintainer identified one more issue.
The community keeps growing, and we'd love to see you there!
- Join the discussion in Kubernetes Slack:
  - for questions and just to hang out
  - for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
- Test, debug, and contribute charts: GitHub/helm/charts
One breaking change was made: the default behavior of `helm repo add` was changed. It no longer silently overwrites an existing repository entry by default; the new `--force-update` flag must be passed to `helm repo add` to allow a repo to be overwritten. The `--no-update` flag still exists, but does nothing. This change accords with the Helm policy of allowing minor breaking changes in the name of security.
The main security issues are:
- The plugin name field is not properly sanitized
- Alias names in Chart.yaml are not properly sanitized
- The index.yaml file for repositories is not parsed in strict mode, enabling duplicate entries
- The plugin.yaml file for plugins is not parsed in strict mode, enabling duplicate entries
Seven other minor changes were made in an effort to improve our security posture.
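The first two issues share one shape: an untrusted name (a plugin name, or a dependency alias from Chart.yaml) ends up joined onto a directory on disk. The added example below, which is not code from the Helm project, shows why that needs an allow-list rather than a path clean-up: `filepath.Join` resolves `..` instead of rejecting it, so a crafted name lands outside the intended directory. The allow-list pattern, the `/opt/helm/plugins` location and the function names are this example's own assumptions, not Helm's.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// validName is an assumed allow-list for plugin names and dependency aliases
// (this example's own pattern, not Helm's): letters, digits, '-' and '_'.
// '/', '\' and '.' are refused, so a name can never contribute a path
// separator or a ".." component.
var validName = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

// ErrInvalidName is returned for names that fail the allow-list or would
// resolve outside the base directory.
var ErrInvalidName = errors.New("invalid name")

// ValidateName checks an untrusted name (plugin name, alias) against the allow-list.
func ValidateName(name string) error {
	if !validName.MatchString(name) {
		return fmt.Errorf("%w: %q must match %s", ErrInvalidName, name, validName)
	}
	return nil
}

// UnsafeInstallPath shows the unvalidated pattern: the name is joined onto the
// base directory as-is. filepath.Join cleans the result, so "../../x" is
// resolved rather than rejected, and the path lands outside pluginsDir.
func UnsafeInstallPath(pluginsDir, name string) string {
	return filepath.Join(pluginsDir, name)
}

// SafeInstallPath validates the name and then, as defence in depth, confirms
// that the joined path is still inside pluginsDir. The second check would
// catch a future relaxation of the allow-list that let a separator through.
func SafeInstallPath(pluginsDir, name string) (string, error) {
	if err := ValidateName(name); err != nil {
		return "", err
	}
	base := filepath.Clean(pluginsDir)
	target := filepath.Join(base, name)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q resolves outside %s", ErrInvalidName, name, base)
	}
	return target, nil
}

func main() {
	// Constructed inputs: one honest name, two traversal attempts, one with a space.
	const pluginsDir = "/opt/helm/plugins" // assumed location, for illustration only
	names := []string{"helm-diff", "../../.bashrc", "x/../../../etc/cron.d/job", "my plugin"}
	for _, name := range names {
		fmt.Printf("%-28s unsafe -> %s\n", name, UnsafeInstallPath(pluginsDir, name))
		if p, err := SafeInstallPath(pluginsDir, name); err != nil {
			fmt.Printf("%-28s safe   -> rejected: %v\n", name, err)
		} else {
			fmt.Printf("%-28s safe   -> %s\n", name, p)
		}
	}
}
```

The containment check on its own is not a substitute for the allow-list: it only proves the final path is under the base directory, while the allow-list also keeps names out of shell commands, URLs and YAML keys where a separator or a leading dot means something else.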
Installation and Upgrading
Download Helm v3.3.2. The common platform binaries are here:
- MacOS amd64 (checksum / eb86998f8db4e59fe2336ce78b3dc3b3ba5346d81b622dc0a1744bf97c2df5f3)
- Linux amd64 (checksum / cf82fe0ed1675030b203a9a3575b1a1bc4b0f5ce4584ce2cd7f75cd093cad259)
- Linux arm (checksum / 0a8a9dae0526b527dacd4d3e0fcff06973ba492273a9ddc1c07f953de781683b)
- Linux arm64 (checksum / 8a3d4624efea2a65ec09c8fce82df3dbc09867e5c8c6a7ef80c16dfdb9278877)
- Linux i386 (checksum / 355a8a77dcd384c11fa0d710eff0459716451a2f1f6d2f56da2aad9c964ca192)
- Linux ppc64le (checksum / 10d46db09900d335056ff15009ac60c6ba20859bff01b83214ca1927a089452b)
- Linux s390x (checksum / eb86998f8db4e59fe2336ce78b3dc3b3ba5346d81b622dc0a1744bf97c2df5f3)
- Windows amd64 (checksum / 10cbf1b282dbbbbf138002747a8665888b08c3d911c6351bdcb48482fa356a03)
This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E, which can be found in @mattfarina's Keybase account. Please use the attached signatures for verifying this release using
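The checksums listed above are only useful if the download is actually compared against them before the binary is installed. The added example below is not part of the Helm release tooling; it reads `sha256sum`-style lines (`<hex>  <filename>`), streams each named file through SHA-256 and compares the digests in constant time, reporting mismatches and missing files separately. The function names and the sample inputs in the usage are this example's own.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// FileSHA256 streams the file through SHA-256 and returns the lowercase hex digest.
func FileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// ParseChecksums parses sha256sum-style lines ("<hex>  <filename>", or the
// binary-mode "<hex> *<filename>") into a filename -> expected-digest map.
// Blank lines and '#' comments are skipped; anything else malformed is an error.
func ParseChecksums(listing string) (map[string]string, error) {
	want := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(listing))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 || len(fields[0]) != sha256.Size*2 {
			return nil, fmt.Errorf("malformed checksum line: %q", line)
		}
		if _, err := hex.DecodeString(fields[0]); err != nil {
			return nil, fmt.Errorf("bad hex digest in line %q: %v", line, err)
		}
		want[strings.TrimPrefix(fields[1], "*")] = strings.ToLower(fields[0])
	}
	return want, sc.Err()
}

// VerifyDir checks every listed file under dir. The result maps each filename
// to nil on success, or to the error (missing file, read failure, mismatch).
func VerifyDir(dir string, want map[string]string) map[string]error {
	results := map[string]error{}
	for name, hexWant := range want {
		got, err := FileSHA256(filepath.Join(dir, name))
		if err != nil {
			results[name] = err
			continue
		}
		if subtle.ConstantTimeCompare([]byte(got), []byte(hexWant)) != 1 {
			results[name] = fmt.Errorf("checksum mismatch: got %s, want %s", got, hexWant)
			continue
		}
		results[name] = nil
	}
	return results
}

func main() {
	// Usage: go run verify.go <checksum-file> <download-dir>
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify <checksum-file> <download-dir>")
		os.Exit(2)
	}
	listing, err := os.ReadFile(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	want, err := ParseChecksums(string(listing))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	failed := false
	for name, verr := range VerifyDir(os.Args[2], want) {
		if verr != nil {
			failed = true
			fmt.Printf("FAIL %s: %v\n", name, verr)
		} else {
			fmt.Printf("OK   %s\n", name)
		}
	}
	if failed {
		os.Exit(1)
	}
}
```

A checksum match proves the file you have is the file the release page describes, nothing more; the detached signature is what ties that checksum list to the release key, so verify both.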
- 3.3.3 will contain only bug fixes.
- 3.4.0 is the next feature release.
- fix(cmd/helm): add build tags for architecture 45d230f (Adam Reese)
- switched to stricter YAML parsing on plugin metadata files 6eeec4a (Matthew Fisher)
- Merge pull request from GHSA-m54r-vrmv-hw33 809e2d9 (Matt Butcher)
- Merge pull request from GHSA-jm56-5h66-w453 055dd41 (Matt Butcher)
- Merge pull request from GHSA-9vp5-m38w-j776 59d5b94 (Matt Butcher)
- go fmt 2a74204 (Matthew Fisher)
- improve the HTTP detection for tar archives e2da16f (Matt Butcher)
- replace --no-update with --force-update and invert default. BREAKING. 882eeac (Matt Butcher)
- handle case where dependency name collisions break dependency resolution 40b7800 (Matt Butcher)
- fixed bug that caused helm create to not overwrite modified files 106f1fb (Matt Butcher)
- refactor the release name validation to be consistent across Helm ed5fba5 (Matt Butcher)
- validate the name passed in during helm create c4ef82b (Matt Butcher)
- fix: check mode bits on kubeconfig file 8239866 (Matt Butcher)