
fix(deps): update module helm.sh/helm/v3 to v3.11.1 [security] - autoclosed #4428

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]

@renovate renovate bot commented Jun 30, 2023

Mend Renovate

This PR contains the following updates:

Package           Type     Update   Change
helm.sh/helm/v3   require  minor    v3.10.3 -> v3.11.1

GitHub Vulnerability Alerts

CVE-2023-25165

A Helm contributor discovered an information disclosure vulnerability using the getHostByName template function.

Impact

getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart.

Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.

Patches

The issue has been fixed in Helm 3.11.1.

Workarounds

Prior to using a chart with Helm verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Philipp Stehle at SAP.


Release Notes

helm/helm (helm.sh/helm/v3)

v3.11.1: Helm v3.11.1

Compare Source

Helm v3.11.1 is a security (patch) release. Users are strongly recommended to update to this release.

The template function getHostByName can be used to disclose information. More details are available in the CVE.

This release introduces breaking changes to Helm:

  • When using the helm client for the template, install, and upgrade commands there is a new flag. --enable-dns needs to be set for the getHostByName template function to attempt to look up an IP address for a given hostname. If the flag is not set the template function will return an empty string and skip looking up an IP address for the host.
  • The Helm SDK has added the EnableDNS property to the install action, the upgrade action, and the Engine. This property must be set to true in order for the getHostByName template function to attempt to look up an IP address.

The default for both of these cases is false.

Philipp Stehle at SAP disclosed the vulnerability to the Helm project.

Installation and Upgrading

Download Helm v3.11.1. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.11.2 is the next patch/bug fix release and will be on March 08, 2023.
  • 3.12.0 is the next feature release and will be on May 10, 2023.

v3.11.0: Helm v3.11.0

Compare Source

Helm v3.11.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • The Helm status command and the SDK can now show the status of core resources deployed in a chart (e.g., deployments). To use with helm status you need to use the --show-resources flag.
  • Add support for comma separated values in template --api-versions
  • Allow CGO_ENABLED to be overridden when building Helm from source

Installation and Upgrading

Download Helm v3.11.0. The common platform binaries are here:

This release was signed with F126 1BDE 9290 12C8 FF2E 501D 6EA5 D759 8529 A53E and can be found at @hickeyma keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.11.1 is the next patch/bug fix release and will be on February 08, 2023.
  • 3.12.0 is the next feature release and will be on May 10, 2023.

Changelog

  • Fix improper use of Table request/response to k8s API 472c573 (Matt Farina)
  • Check status code before retrying request ee1ec6e (Cenk Alti)
  • bump version to v3.11.0 9d8fee1 (Matt Farina)
  • Bump containerd to 1.6.15, oras-go to 1.2.2 and image-spec to v1.1.0-rc2 017785a (Luca Comellini)
  • change linting error messages for null values in arrays 6a5f240 (Daniel Strobusch)
  • Fix after CR 3d81ea2 (Jakub Warczarek)
  • Trigger CI f46ff13 (Jakub Warczarek)
  • Add test for User-Agent header setting and refactor 553f1e3 (Jakub Warczarek)
  • Fix User-Agent header in requests made by Helm 2fa7b3d (Jakub Warczarek)
  • Bump k8s.io deps to v0.26.0 1fc2a6a (Luca Comellini)
  • fix adopted resource not replaced 3181c7d (Vaibhav Sharma)
  • chore(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1 8774890 (dependabot[bot])
  • Resolve conflicts for go.mod and go.sum 6c76abb (Soujanya Mangipudi)
  • Fix backwards compatibility b6fef6c (Martin Hickey)
  • docs: add docs for cli/values.Options 0fdfe05 (Zuhair AlSader)
  • Update chartrepo.go c8890e9 (caixisheng)
  • chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 b307d0f (dependabot[bot])
  • bump sprig version 3.2.3 fda1a0b (yxxhero)
  • Update string handling a59e584 (Martin Hickey)
  • Update repo handling 256e976 (Martin Hickey)
  • improve error message on plugin install 965f859 (Philipp Stehle)
  • harmonize URL reference resolving dfb25e1 (Philipp Stehle)
  • Update logic of non-git situation just to print warning logs 0ebd620 (Wonyeong Choi)
  • Add a flag var to check git is installed or not c027014 (Wonyeong Choi)
  • Add support for CSVs in template --api-versions arg 5aa316e (Ryan Drew)
  • update .golangci for go1.18 61374f6 (yanggang)
  • redirect registry client output to stderr 1535ad5 (Cyril Jouve)
  • chore(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 b3afe43 (dependabot[bot])
  • Readiness & liveness probes correct port 9d027ea (Peter Leong)
  • Update schema validation handling 775af2a (Martin Hickey)
  • fix a few function names on comments 09d3f31 (cui fliter)
  • use intstr.GetScaledValueFromIntOrPercent instead of the deprecated 9d59d92 (Qifan Shen)
  • Updating the deb location for azure cli 70a3df4 (Matt Farina)
  • retry http request on temporary errors b5378b3 (Cenk Alti)
  • Revert "Tolerate temporary errors from etcdserver" d32c623 (Cenk Alti)
  • Updating the repo the azure cli is installed from 9fbf1b3 (Matt Farina)
  • Updating to kubernetes 1.25.2 packages 221b0f5 (Matt Farina)
  • Allow CGO_ENABLED to be overridden for build 6f6c0d8 (Joe Julian)
  • chore(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 98077dd (dependabot[bot])
  • chore(deps): bump github.com/lib/pq from 1.10.6 to 1.10.7 bfd1890 (dependabot[bot])
  • chore(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0 1478a09 (dependabot[bot])
  • chore(deps): bump github.com/rubenv/sql-migrate from 1.1.2 to 1.2.0 4376d2f (dependabot[bot])
  • Tolerate temporary errors from etcdserver ebc79fa (Davanum Srinivas)
  • update: Optimize the error message 4fcec24 (wujunwei)
  • add nil judge for dependency , maintainers validate and some testcase. a7a1117 (wujunwei)
  • Fix code style ae828ce (Martin Hickey)
  • bump version to v3.10.0 cd809f9 (Matt Farina)
  • Addressing review comments - move printing code out of client.go ffa19a4 (Soujanya Mangipudi)
  • Addressing review comments: Extend Interface with new InterfaceResources to avoid breaking changes Move change to status command behind --show-resources flag 20e3577 (Soujanya Mangipudi)
  • feat(helm): Supporting helm3 to show up resource names that were deployed as part of release in helm status command 9d5be80 (Soujanya Mangipudi)
  • During deletion, explicitly log already deleted resource name. b7c35d2 (Marcin Owsiany)
  • fix: add cases.NoLower option for we can get same effect to strings.Title f0037e5 (wujunwei)
  • one defer 3b19dde (CI)
  • don't change r.CachePath 781ddba (CI)
  • avoid adding new public function cd76fcd (CI)
  • fix tests 32a41fc (CI)
  • fix: clean up temp files in FindChartInAuthAndTLSAndPassRepoURL (#11171) 24fa3d9 (CI)
  • Fix URL with encoded path support for ChartDownloader d9e5bbc (Mathieu Parent)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner June 30, 2023 11:37
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch 13 times, most recently from fa44727 to 914424d Compare July 7, 2023 12:03
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch 11 times, most recently from 6b79106 to c009478 Compare July 14, 2023 07:52
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch 5 times, most recently from 1dab9c9 to 1b6d1f0 Compare July 19, 2023 13:49
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch 3 times, most recently from a7c080c to c068ecb Compare December 12, 2023 09:07
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch 9 times, most recently from 05125b5 to 2b7bf1d Compare December 19, 2023 14:18
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch 3 times, most recently from 2ac90f9 to d9f6254 Compare December 27, 2023 08:23
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch 9 times, most recently from ee4c235 to e16eff2 Compare January 10, 2024 10:04
@renovate renovate bot force-pushed the renovate/go-helm.sh/helm/v3-vulnerability branch from e16eff2 to 481e0ed Compare January 10, 2024 10:54

sonarcloud bot commented Jan 10, 2024

Quality Gate passed

Kudos, no new issues were introduced!

0 New issues
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

@renovate renovate bot changed the title fix(deps): update module helm.sh/helm/v3 to v3.11.1 [security] fix(deps): update module helm.sh/helm/v3 to v3.11.1 [security] - autoclosed Jan 10, 2024
@renovate renovate bot closed this Jan 10, 2024
@renovate renovate bot deleted the renovate/go-helm.sh/helm/v3-vulnerability branch January 10, 2024 10:57