Helm v3.5.2 is a security (patch) release. Users are strongly recommended to update to this release. It fixes two security issues in upstream dependencies and one security issue in the Helm codebase.
Please review the following security advisories for context:
- During an audit, Helm core maintainers discovered sanitization issues described in a security advisory. These have been fixed.
- GoUtils (via Sprig) updated the random alphanumeric functions used in Helm templates. Thanks to Open Source Developer Erik Sundell of Sundell Open Source Consulting AB for reporting this issue.
- ORAS had a security release that does not appear to directly impact Helm. However, we have merged it as a precaution.
- The Go team renamed a crypto package (golang.org/x/crypto/ssh/terminal to golang.org/x/term). This was NOT a security fix, but it was a breaking change to the Helm build.
WARNING: Helm is now stricter about sanitizing data in plugin.yaml. In particular, we are stricter about SemVer strings.
The community keeps growing, and we'd love to see you there!
- Join the discussion in Kubernetes Slack:
  - for questions and just to hang out
  - for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
- Test, debug, and contribute charts: GitHub/helm/charts
Installation and Upgrading
Download Helm v3.5.2. The common platform binaries are here:
- MacOS amd64 (checksum / 68040e9a2f147a92c2f66ce009069826df11f9d1e1c6b78c7457066080ad3229)
- Linux amd64 (checksum / 01b317c506f8b6ad60b11b1dc3f093276bb703281cb1ae01132752253ec706a2)
- Linux arm (checksum / 98d090fc1769f5bf7451c15f6ed5a173a1ce5175eca32070ac19064d36470f1b)
- Linux arm64 (checksum / 126a72e2b209194fd2735861f0cf8bd5b5d1386eedd6aed6e0e050dca80d493e)
- Linux i386 (checksum / c237ea10af6227c71cff745b3ed3f5653ca1cd5887903ae078ab1b62fbdd45ba)
- Linux ppc64le (checksum / 1940d66a05fcf06cc52f55011b81d9c075c234644336d28c14a501f5ca15350d)
- Linux s390x (checksum / 5240797c2dee43222a1fbed4c4659521578538f20f3626d7c1aeddee7a8ec526)
- Windows amd64 (checksum / 079711eeadd3276da0d946a116f4dc08d58b015ca1874d7b3f3cd633e079589e)
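One way to check a downloaded archive against the checksums listed above (an added example, not part of the Helm release notes or the Helm project's own tooling). The platform keys such as `linux-amd64` and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check a downloaded Helm v3.5.2 archive against the SHA-256
# values published in the list above. Platform keys are assumed labels.

# Print the published checksum for a platform key, or fail if it is unknown.
helm_v352_sum() {
  case "$1" in
    darwin-amd64)  echo 68040e9a2f147a92c2f66ce009069826df11f9d1e1c6b78c7457066080ad3229 ;;
    linux-amd64)   echo 01b317c506f8b6ad60b11b1dc3f093276bb703281cb1ae01132752253ec706a2 ;;
    linux-arm)     echo 98d090fc1769f5bf7451c15f6ed5a173a1ce5175eca32070ac19064d36470f1b ;;
    linux-arm64)   echo 126a72e2b209194fd2735861f0cf8bd5b5d1386eedd6aed6e0e050dca80d493e ;;
    linux-386)     echo c237ea10af6227c71cff745b3ed3f5653ca1cd5887903ae078ab1b62fbdd45ba ;;
    linux-ppc64le) echo 1940d66a05fcf06cc52f55011b81d9c075c234644336d28c14a501f5ca15350d ;;
    linux-s390x)   echo 5240797c2dee43222a1fbed4c4659521578538f20f3626d7c1aeddee7a8ec526 ;;
    windows-amd64) echo 079711eeadd3276da0d946a116f4dc08d58b015ca1874d7b3f3cd633e079589e ;;
    *) return 1 ;;
  esac
}

# Print the lowercase hex SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 <file> <expected-hex>: 0 = match, 1 = mismatch, 2 = bad input.
verify_sha256() {
  want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # Reject truncated or padded pastes before comparing anything.
  printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$' || { echo "bad checksum" >&2; return 2; }
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  got=$(sha256_of "$1")
  if [ "$got" = "$want" ]; then
    echo "OK $1"
  else
    echo "MISMATCH $1: got $got, want $want" >&2
    return 1
  fi
}

# verify_helm_archive <file> <platform-key>: compare a file with the published value.
verify_helm_archive() {
  sum=$(helm_v352_sum "$2") || { echo "unknown platform: $2" >&2; return 2; }
  verify_sha256 "$1" "$sum"
}
```

A checksum match only shows that the file equals the one the list describes; authenticity of the release rests on the signature described next.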
This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E, which can be found at the @mattfarina Keybase account. Please use the attached signatures for verifying this release using
- 3.5.3 will contain only bug fixes and be released on March 10, 2021.
- 3.6.0 is the next feature release and will be released on May 26, 2021.