This repository was archived by the owner on Feb 16, 2024. It is now read-only.

chore(deps): update module helm.sh/helm/v3 to v3.11.1 [security] #296

Open

wants to merge 1 commit into main

Conversation

stackable-bot
Contributor

This PR contains the following updates:

Package          Type     Update  Change
helm.sh/helm/v3  require  minor   v3.10.3 -> v3.11.1

GitHub Vulnerability Alerts

CVE-2023-25165

A Helm contributor discovered an information disclosure vulnerability using the getHostByName template function.

Impact

getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart.

Information passed into the chart can be disclosed to the DNS servers used to look up the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.

Patches

The issue has been fixed in Helm 3.11.1.

Workarounds

Prior to using a chart with Helm, verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.
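One way to perform that check without rendering the chart (and therefore without triggering any lookup) is to parse each template file with Go's text/template/parse package and report every line on which getHostByName is invoked. This is an added example, not code from this PR or from Helm; SampleTemplate is a constructed input, and the walker assumes only that the parse node types expose their children through exported fields, which the standard library does.

```go
package main

import (
	"reflect"
	"strings"
	"text/template/parse"
)

// SampleTemplate is constructed for this example, not taken from a real chart;
// one call sits in an if branch and one hides in a define block (as _helpers.tpl does).
const SampleTemplate = `host: {{ .Values.db.host | quote }}
{{- if .Values.resolve }}ip: {{ getHostByName .Values.db.host | quote }}{{ end }}
{{ define "extra" }}{{ .Values.other | getHostByName }}{{ end }}`

// FindFuncCalls parses one template without rendering it (so nothing is resolved)
// and returns how many times fn is called on each 1-based line of text.
func FindFuncCalls(name, text, fn string) (map[int]int, error) {
	t := parse.New(name)
	t.Mode = parse.SkipFuncCheck       // accept include, quote, ... without registering them
	trees := map[string]*parse.Tree{} // receives the main tree and every define block
	if _, err := t.Parse(text, "{{", "}}", trees); err != nil {
		return nil, err
	}
	hits := map[int]int{}
	for _, tr := range trees {
		walk(reflect.ValueOf(tr.Root), func(id parse.IdentifierNode) {
			if id.Ident == fn {
				hits[1+strings.Count(text[:id.Pos], "\n")]++
			}
		})
	}
	return hits, nil
}

// walk reaches every IdentifierNode below v by recursing through the exported
// fields of each parse node (pipelines, commands, arguments, branch bodies).
func walk(v reflect.Value, visit func(parse.IdentifierNode)) {
	for ; v.Kind() == reflect.Interface || v.Kind() == reflect.Ptr; v = v.Elem() {
		if v.IsNil() {
			return
		}
	}
	if id, ok := v.Interface().(parse.IdentifierNode); ok {
		visit(id)
	}
	for i := 0; v.Kind() == reflect.Slice && i < v.Len(); i++ {
		walk(v.Index(i), visit)
	}
	for i := 0; v.Kind() == reflect.Struct && i < v.NumField(); i++ {
		if v.Type().Field(i).IsExported() { // skips the unexported *Tree back-pointer
			walk(v.Field(i), visit)
		}
	}
}
```

Run FindFuncCalls over every file under a chart's templates directory and treat any non-empty result as something to review before installing; the parser also catches calls hidden behind whitespace trimming, pipelines and define blocks that a plain text search can miss.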

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Philipp Stehle at SAP.


Release Notes

helm/helm (helm.sh/helm/v3)

v3.11.1: Helm v3.11.1

Compare Source

Helm v3.11.1 is a security (patch) release. Users are strongly recommended to update to this release.

The template function getHostByName can be used to disclose information. More details are available in the CVE.

This release introduces breaking changes to Helm:

  • When using the helm client for the template, install, and upgrade commands there is a new flag. --enable-dns needs to be set for the getHostByName template function to attempt to look up an IP address for a given hostname. If the flag is not set the template function will return an empty string and skip looking up an IP address for the host.
  • The Helm SDK has added the EnableDNS property to the install action, the upgrade action, and the Engine. This property must be set to true in order for the getHostByName template function to attempt to look up an IP address.

The default for both of these cases is false.

Philipp Stehle at SAP disclosed the vulnerability to the Helm project.

Installation and Upgrading

Download Helm v3.11.1. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.11.2 is the next patch/bug fix release and will be on March 08, 2023.
  • 3.12.0 is the next feature release and will be on May 10, 2023.

v3.11.0: Helm v3.11.0

Compare Source

Helm v3.11.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

  • The Helm status command and the SDK can now show the status of core resources deployed in a chart (e.g., deployments). To use with helm status you need to use the --show-resources flag.
  • Add support for comma separated values in template --api-versions
  • Allow CGO_ENABLED to be overridden when building Helm from source

Installation and Upgrading

Download Helm v3.11.0. The common platform binaries are here:

This release was signed with F126 1BDE 9290 12C8 FF2E 501D 6EA5 D759 8529 A53E and can be found at @hickeyma keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.11.1 is the next patch/bug fix release and will be on February 08, 2023.
  • 3.12.0 is the next feature release and will be on May 10, 2023.

Changelog

  • Fix improper use of Table request/response to k8s API 472c573 (Matt Farina)
  • Check status code before retrying request ee1ec6e (Cenk Alti)
  • bump version to v3.11.0 9d8fee1 (Matt Farina)
  • Bump containerd to 1.6.15, oras-go to 1.2.2 and image-spec to v1.1.0-rc2 017785a (Luca Comellini)
  • change linting error messages for null values in arrays 6a5f240 (Daniel Strobusch)
  • Fix after CR 3d81ea2 (Jakub Warczarek)
  • Trigger CI f46ff13 (Jakub Warczarek)
  • Add test for User-Agent header setting and refactor 553f1e3 (Jakub Warczarek)
  • Fix User-Agent header in requests made by Helm 2fa7b3d (Jakub Warczarek)
  • Bump k8s.io deps to v0.26.0 1fc2a6a (Luca Comellini)
  • fix adopted resource not replaced 3181c7d (Vaibhav Sharma)
  • chore(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1 8774890 (dependabot[bot])
  • Resolve conflicts for go.mod and go.sum 6c76abb (Soujanya Mangipudi)
  • Fix backwards compatibility b6fef6c (Martin Hickey)
  • docs: add docs for cli/values.Options 0fdfe05 (Zuhair AlSader)
  • Update chartrepo.go c8890e9 (caixisheng)
  • chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 b307d0f (dependabot[bot])
  • bump sprig version 3.2.3 fda1a0b (yxxhero)
  • Update string handling a59e584 (Martin Hickey)
  • Update repo handling 256e976 (Martin Hickey)
  • improve error message on plugin install 965f859 (Philipp Stehle)
  • harmonize URL reference resolving dfb25e1 (Philipp Stehle)
  • Update logic of non-git situation just to print warning logs 0ebd620 (Wonyeong Choi)
  • Add a flag var to check git is installed or not c027014 (Wonyeong Choi)
  • Add support for CSVs in template --api-versions arg 5aa316e (Ryan Drew)
  • update .golangci for go1.18 61374f6 (yanggang)
  • redirect registry client output to stderr 1535ad5 (Cyril Jouve)
  • chore(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 b3afe43 (dependabot[bot])
  • Readiness & liveness probes correct port 9d027ea (Peter Leong)
  • Update schema validation handling 775af2a (Martin Hickey)
  • fix a few function names on comments 09d3f31 (cui fliter)
  • use intstr.GetScaledValueFromIntOrPercent instead of the deprecated 9d59d92 (Qifan Shen)
  • Updating the deb location for azure cli 70a3df4 (Matt Farina)
  • retry http request on temporary errors b5378b3 (Cenk Alti)
  • Revert "Tolerate temporary errors from etcdserver" d32c623 (Cenk Alti)
  • Updating the repo the azure cli is installed from 9fbf1b3 (Matt Farina)
  • Updating to kubernetes 1.25.2 packages 221b0f5 (Matt Farina)
  • Allow CGO_ENABLED to be overridden for build 6f6c0d8 (Joe Julian)
  • chore(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 98077dd (dependabot[bot])
  • chore(deps): bump github.com/lib/pq from 1.10.6 to 1.10.7 bfd1890 (dependabot[bot])
  • chore(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0 1478a09 (dependabot[bot])
  • chore(deps): bump github.com/rubenv/sql-migrate from 1.1.2 to 1.2.0 4376d2f (dependabot[bot])
  • Tolerate temporary errors from etcdserver ebc79fa (Davanum Srinivas)
  • update: Optimize the error message 4fcec24 (wujunwei)
  • add nil judge for dependency , maintainers validate and some testcase. a7a1117 (wujunwei)
  • Fix code style ae828ce (Martin Hickey)
  • bump version to v3.10.0 cd809f9 (Matt Farina)
  • Addressing review comments - move printing code out of client.go ffa19a4 (Soujanya Mangipudi)
  • Addressing review comments: Extend Interface with new InterfaceResources to avoid breaking changes Move change to status command behind --show-resources flag 20e3577 (Soujanya Mangipudi)
  • feat(helm): Supporting helm3 to show up resource names that were deployed as part of release in helm status command 9d5be80 (Soujanya Mangipudi)
  • During deletion, explicitly log already deleted resource name. b7c35d2 (Marcin Owsiany)
  • fix: add cases.NoLower option for we can get same effect to strings.Title f0037e5 (wujunwei)
  • one defer 3b19dde (CI)
  • don't change r.CachePath 781ddba (CI)
  • avoid adding new public function cd76fcd (CI)
  • fix tests 32a41fc (CI)
  • fix: clean up temp files in FindChartInAuthAndTLSAndPassRepoURL (#11171) 24fa3d9 (CI)
  • Fix URL with encoded path support for ChartDownloader d9e5bbc (Mathieu Parent)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@stackable-bot stackable-bot added the dependencies Pull requests that update a dependency file label Dec 13, 2023
@stackable-bot stackable-bot requested a review from a team December 13, 2023 20:52