-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(deps): update module helm.sh/helm/v3 to v3.14.2 [security] #184
base: main
Are you sure you want to change the base?
Conversation
cfb8636
to
6c59c91
Compare
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: renovate[bot] The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
6c59c91
to
35243e2
Compare
35243e2
to
f8bd9e3
Compare
f8bd9e3
to
80a4f8b
Compare
ℹ Artifact update noticeFile name: tas-installer/go.modIn order to perform the update(s) described in the table above, Renovate ran the
Details:
|
80a4f8b
to
5b04e5e
Compare
5b04e5e
to
1f8ec43
Compare
1f8ec43
to
579ed18
Compare
This PR contains the following updates:
v3.13.2
->v3.14.2
Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2024-25620
A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.
Impact
When either the Helm client or SDK is used to save a chart whose name within the
Chart.yaml
file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name.Patches
This issue has been resolved in Helm v3.14.1.
Workarounds
Check all charts used by Helm for path changes in their name as found in the
Chart.yaml
file. This includes dependencies.Credits
Disclosed by Dominykas Blyžė at Nearform Ltd.
CVE-2024-26147
A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content.
Impact
When either an
index.yaml
file or a pluginsplugin.yaml
file were missing all metadata a panic would occur in Helm.In the Helm SDK this is found when using the
LoadIndexFile
orDownloadIndexFile
functions in therepo
package or theLoadDir
function in theplugin
package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation.Patches
This issue has been resolved in Helm v3.14.2.
Workarounds
If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem.
If using Helm SDK versions prior to 3.14.2, calls to affected functions can use
recover
to catch the panic.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Jakub Ciolek at AlphaSense.
Release Notes
helm/helm (helm.sh/helm/v3)
v3.14.2
: Helm v3.14.2Compare Source
Helm v3.14.2 is a security (patch) release. Users are strongly recommended to update to this release.
A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content.
Jakub Ciolek with AlphaSense discovered the vulnerability.
Installation and Upgrading
Download Helm v3.14.2. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
v3.14.1
: Helm v3.14.1Compare Source
Helm v3.14.1 is a security (patch) release. Users are strongly recommended to update to this release.
A Helm contributor discovered a path traversal vulnerability when Helm saves a chart including at download time.
Dominykas Blyžė with Nearform Ltd. discovered the vulnerability.
Installation and Upgrading
Download Helm v3.14.1. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
v3.14.0
: Helm v3.14.0Compare Source
Helm v3.14.0 is a feature release. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Notable Changes
helm search
flag of--fail-on-no-result
tpl
invocation access todefines
tpl
function--kube-version
tolint
commandignore
pkg is now publicInstallation and Upgrading
Download Helm v3.14.0. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
Changelog
3fc9f4b
(George Jenkins)69dcc92
(Matt Farina)c042264
(Matt Farina)6e5332e
(Joe Julian)869c1d2
(Antoine Deschênes)847369c
(Matt Farina)08ea59c
(dependabot[bot])30e1a2c
(dependabot[bot])803cf2d
(Matt Farina)a997de1
(Marcin Owsiany)ignore
pkg public again5586760
(Ismail Alidzhikov)b3cb20a
(dependabot[bot])e5fff68
(Matt Farina)bfec4ec
(Marcin Owsiany)70c1519
(dependabot[bot])be10183
(dependabot[bot])015e174
(Matt Farina)2a211bf
(dependabot[bot])ce87ece
(Sean Mills)3cb6b06
(dependabot[bot])42c5af2
(dependabot[bot])312a073
(lixin18)8814bfb
(Marcin Chojnacki)c54e39a
(dependabot[bot])d6e9197
(dependabot[bot])9f0313e
(Denis Policastro)24e2864
(Matt Farina)c5fe7dd
(dependabot[bot])992dc58
(Matt Farina)81362d9
(Marcel Humburg)6d1f6cd
(dependabot[bot])372ccca
(dependabot[bot])a1a21ae
(dependabot[bot])250f0bd
(Dmitry Chepurovskiy)0ec47f8
(Dmitry Chepurovskiy)f94e5db
(Ian Zink)b0d1637
(Serge Logvinov)544cabb
(dependabot[bot])25371e2
(Matt Farina)919bffe
(genofire)e6d9b99
(Dmitry Chepurovskiy)e219c75
(Dmitry Chepurovskiy)f004d42
(b4nks)9d3d17a
(Ian Zink)828763e
(Lars Zimmermann)fe4c01f
(Hidde Beydals)da3c666
(Hidde Beydals)21ea847
(Ian Zink)415af5b
(Andy Smith)102e931
(dependabot[bot])2505592
(dependabot[bot])c372b15
(Matt Farina)8b0a78c
(dependabot[bot])58ccfc0
(dependabot[bot])0619d08
(Ian Zink)4199be8
(abrarcv170)0403305
(Antony Chazapis)GoFish
from package managers for installing the binarya9377f9
(y-yagi)tpl
invocation access todefines
in a containing one"b261a1b
(Graham Reed)tpl
"36d417d
(Graham Reed)1a3e9a9
(Stefan McShane)786707c
(Antony Chazapis)6a4035a
(Daniel Strobusch)95905f1
(Graham Reed)fa067ec
(Mathias Neerup)f28447c
(Mathias Neerup)b9cece6
(Bhargav Ravuri)141fa4a
(muang0)4cb62d1
(muang0)dbb21fc
(muang0)fcc0332
(muang0)a1a1aaf
(muang0)fa025fc
(zak905)tpl
invocation access todefines
in a containing onea7d3fd6
(Graham Reed)e2a7c79
(Graham Reed)tpl
db4f330
(Graham Reed)d008340
(James Oden)4f99c86
(James Oden)d94c509
(James Oden)a9d59f9
(Quentin Devos)v3.13.3
: Helm v3.13.3Compare Source
Helm v3.13.3 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience.
The community keeps growing, and we'd love to see you there!
Installation and Upgrading
Download Helm v3.13.3. The common platform binaries are here:
This release was signed with
672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E
and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release usinggpg
.The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with
bash
.What's Next
Changelog
c8b9489
(Matt Farina)2f03d01
(Sean Mills)2e63576
(genofire)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.