Skip to content

@mattfarina mattfarina released this Feb 4, 2021

Helm v3.5.2 is a security (patch) release. Users are strongly recommended to update to this release. It fixes two security issues in upstream dependencies and one security issue in the Helm codebase.

Please review the following security advisories for context:

  • During an audit, Helm core maintainers discovered sanitization issues described in a security advisory. These have been fixed.
  • GoUtils (via Sprig) updated the random alphanumeric functions used in Helm templates. Thanks to Open Source Developer Erik Sundell of Sundell Open Source Consulting AB for reporting this issue.
  • ORAS had a security release that does not appear to directly impact Helm. However, we have merged it as a precaution.
  • The Go team renamed a crypto library (golang.org/x/crypto/ssh/terminal to golang.org/x/term). This was NOT a security fix. But it was a breaking change to the Helm build.

WARNING: Helm is now stricter about sanitizing data in Chart.yaml, index.yaml, and plugin.yaml. In particular, we are stricter about SemVer strings.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: GitHub/helm/charts

Installation and Upgrading

Download Helm v3.5.2. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.5.3 will contain only bug fixes and be released on March 10, 2021.
  • 3.6.0 is the next feature release and will be released on May 26, 2021.

Changelog

  • Upgrade to oras v0.9.0 (#9269) 167aac7 (Josh Dolitsky)
  • Adding missing replace directive for oras bb44eae (Matt Farina)
  • chore(go.mod): bump Masterminds/{spring,goutils} and deislabs/oras 09fa6b2 (Adam Reese)
  • fix(*): Validate metadata semver and printable characters 2bf5c28 (Adam Reese)
Assets 26