Recommended update for helm SUSE Patch security@suse.de SUSE Security Team SUSE-RU-2024:4213-1 Final 1 1 2024-12-05T16:05:58Z current 2024-12-05T16:05:58Z 2024-12-05T16:05:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Recommended update for helm helm was updated to fix the following issues: Update to version 3.16.3: * fix: fix label name * Fix typo in pkg/lint/rules/chartfile_test.go * Increasing the size of the runner used for releases. * fix(hooks): correct hooks delete order * Bump github.com/containerd/containerd from 1.7.12 to 1.7.23 Update to version 3.16.2: * Revering change unrelated to issue #13176 * adds tests for handling of Helm index with broken chart versions #13176 * improves handling of Helm index with broken helm chart versions #13176 * Bump the k8s-io group with 7 updates * adding check-latest:true * Grammar fixes * Fix typos Update to version 3.16.1: * bumping version to 1.22.7 * Merge pull request #13327 from mattfarina/revert-11726 Update to version 3.16.0: Helm v3.16.0 is a feature release. Users are encouraged to upgrade for the best experience. * Notable Changes - added sha512sum template function - added ActiveHelp for cmds that don't take any more args - drops very old Kubernetes versions support in helm create - add --skip-schema-validation flag to helm 'install', 'upgrade' and 'lint' - fixed bug to now use burst limit setting for discovery - Added windows arm64 support * Full changelog see https://github.com/helm/helm/releases/tag/v3.16.0 Update to version 3.15.4: * Bump the k8s-io group across 1 directory with 7 updates * Bump github.com/docker/docker ------------------------------------------------------------------- Thu Jul 11 05:39:32 UTC 2024 - opensuse_buildservice@ojkastl.de - Update to version 3.15.3: * fix(helm): Use burst limit setting for discovery * fixed dependency_update_test.go * fix(dependencyBuild): prevent race condition in concurrent helm dependency * fix: respect proxy envvars on helm install/upgrade * Merge pull request #13085 from alex-kattathra-johnson/issue-12961 Update to version 3.15.2: * fix: wrong cli description * fix typo in load_plugins.go * fix docs of DeployedAll * Bump github.com/docker/docker * bump oras minor version * feat(load.go): add warning on requirements.lock Update to version 3.15.1: * Fixing build issue where wrong version is used Update to version 3.15.0: Helm v3.15.0 is a feature release. Users are encouraged to upgrade for the best experience. * Updating to k8s 1.30 c4e37b3 (Matt Farina) * bump version to v3.15.0 d7afa3b (Matt Farina) * bump version to 7743467 (Matt Farina) * Fix namespace on kubeconfig error 214fb6e (Calvin Krist) * Update testdata PKI with keys that have validity until 3393 (Fixes #12880) 1b75d48 (Dirk Müller) * Modified how created annotation is populated based on package creation time 0a69a0d (Andrew Block) * Enabling hide secrets on install and upgrade dry run 25c4738 (Matt Farina) * Fixing all the linting errors d58d7b3 (Robert Sirchia) * Add a note about --dry-run displaying secrets a23dd9e (Matt Farina) * Updating .gitignore 8b424ba (Robert Sirchia) * add error messages 8d19bcb (George Jenkins) * Fix: Ignore alias validation error for index load 68294fd (George Jenkins) * validation fix 8e6a514 (Matt Farina) * bug: add proxy support for oci getter 94c1dea (Ricardo Maraschini) * Update architecture detection method 57a1bb8 (weidongkl) * Improve release action 4790bb9 (George Jenkins) * Fix grammatical error c25736c (Matt Carr) * Updated for review comments d2cf8c6 (MichaelMorris) * Add robustness to wait status checks fc74964 (MichaelMorris) * refactor: create a helper for checking if a release is uninstalled f908379 (Alex Petrov) * fix: reinstall previously uninstalled chart with --keep-history 9e198fa (Alex Petrov) Update to version 3.14.4: Helm v3.14.4 is a patch release. Users are encouraged to upgrade for the best experience. Users are encouraged to upgrade for the best experience. * refactor: create a helper for checking if a release is uninstalled 81c902a (Alex Petrov) * fix: reinstall previously uninstalled chart with --keep-history 5a11c76 (Alex Petrov) * bug: add proxy support for oci getter aa7d953 (Ricardo Maraschini) Update to version 3.14.3: * Add a note about --dry-run displaying secrets * add error messages * Fix: Ignore alias validation error for index load * Update architecture detection method Update to version 3.14.2 (bsc#1220207, CVE-2024-26147): * Fix for uninitialized variable in yaml parsing Update to version 3.14.1 (bsc#1219969, CVE-2024-25620): * validation fix Update to version 3.14.0: * Notable Changes - New helm search flag of --fail-on-no-result - Allow a nested tpl invocation access to defines - Speed up the tpl function - Added qps/HELM_QPS parameter that tells Kubernetes packages how to operate - Added --kube-version to lint command - The ignore pkg is now public * Changelog - Improve release action - Fix issues when verify generation readiness was merged - fix test to use the default code's k8sVersionMinor - lint: Add --kube-version flag to set capabilities and deprecation rules - Removing Asset Transparency - tests(pkg/engine): test RenderWithClientProvider - Make the `ignore` pkg public again - feature(pkg/engine): introduce RenderWithClientProvider - Updating Helm libraries for k8s 1.28.4 - Remove excessive logging - Update CONTRIBUTING.md - Fixing release labelling in rollback - feat: move livenessProbe and readinessProbe values to default values file - Revert 'fix(main): fix basic auth for helm pull or push' - Revert 'fix(registry): address anonymous pull issue' - Update get-helm-3 - Drop filterSystemLabels usage from Query method - Apply review suggestions - Update get-helm-3 to get version through get.helm.sh - feat: print failed hook name - Fixing precedence issue with the import of values. - chore(create): indent to spaces - Allow using label selectors for system labels for sql backend. - Allow using label selectors for system labels for secrets and configmap backends. - remove useless print during prepareUpgrade - Add missing with clause to release gh action - FIX Default ServiceAccount yaml - fix(registry): address anonymous pull issue - fix(registry): unswallow error - Fix missing run statement on release action - Add qps/HELM_QPS parameter - Write latest version to get.helm.sh bucket - Increased release information key name max length. - Pin gox to specific commit - Remove `GoFish` from package managers for installing the binary - Test update for 'Allow a nested `tpl` invocation access to `defines` in a containing one' - Test update for 'Speed up `tpl`' - Add support for RISC-V - lint and validate dependency metadata to reference dependencies with a unique key (name or alias) - Work around template.Clone omitting options - fix: pass 'passCredentialsAll' as env-var to getter - feat: pass basic auth to env-vars when running download plugins - helm search: New CLI Flag --fail-on-no-result - Update pkg/kube/ready.go - fix post install hook deletion due to before-hook-creation policy - Allow a nested `tpl` invocation access to `defines` in a containing one - Remove the 'reference templates' concept - Speed up `tpl` - ready checker- comment update - ready checker- remove duplicate statefulset generational check - Verify generation in readiness checks - feat(helm): add --reset-then-reuse-values flag to 'helm upgrade' The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container suse/helm:latest-2024-4213,SUSE-2024-4213,SUSE-SLE-Micro-5.5-2024-4213,SUSE-SLE-Module-Containers-15-SP5-2024-4213,SUSE-SLE-Module-Containers-15-SP6-2024-4213,SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2024-4213,SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-4213,openSUSE-Leap-Micro-5.5-2024-4213,openSUSE-SLE-15.5-2024-4213,openSUSE-SLE-15.6-2024-4213 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/-2024-4213/suse-ru-20244213-1/ Link for SUSE-RU-2024:4213-1 https://lists.suse.com/pipermail/sle-updates/2024-December/037756.html E-Mail link for SUSE-RU-2024:4213-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1219969 SUSE Bug 1219969 https://bugzilla.suse.com/1220207 SUSE Bug 1220207 https://www.suse.com/security/cve/CVE-2024-25620/ SUSE CVE CVE-2024-25620 page https://www.suse.com/security/cve/CVE-2024-26147/ SUSE CVE CVE-2024-26147 page Container suse/helm:latest SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Module for Containers 15 SP5 SUSE Linux Enterprise Module for Containers 15 SP6 SUSE Linux Enterprise Module for Package Hub 15 SP5 SUSE Linux Enterprise Module for Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 openSUSE Leap Micro 5.5 helm-3.16.3-150000.1.38.1 helm-bash-completion-3.16.3-150000.1.38.1 helm-fish-completion-3.16.3-150000.1.38.1 helm-zsh-completion-3.16.3-150000.1.38.1 helm-3.16.3-150000.1.38.1 as a component of Container suse/helm:latest helm-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Micro 5.5 helm-bash-completion-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Micro 5.5 helm-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP5 helm-bash-completion-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP5 helm-zsh-completion-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP5 helm-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 helm-bash-completion-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 helm-zsh-completion-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP6 helm-fish-completion-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP5 helm-fish-completion-3.16.3-150000.1.38.1 as a component of SUSE Linux Enterprise Module for Package Hub 15 SP6 helm-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.5 helm-bash-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.5 helm-fish-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.5 helm-zsh-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.5 helm-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.6 helm-bash-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.6 helm-fish-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.6 helm-zsh-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap 15.6 helm-3.16.3-150000.1.38.1 as a component of openSUSE Leap Micro 5.5 helm-bash-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap Micro 5.5 helm-fish-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap Micro 5.5 helm-zsh-completion-3.16.3-150000.1.38.1 as a component of openSUSE Leap Micro 5.5 Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies. CVE-2024-25620 Container suse/helm:latest:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Micro 5.5:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP5:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP5:helm-bash-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP5:helm-zsh-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP6:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP6:helm-bash-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP6:helm-zsh-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:helm-fish-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-bash-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-zsh-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-bash-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-zsh-completion-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-bash-completion-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-zsh-completion-3.16.3-150000.1.38.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2024-4213/suse-ru-20244213-1/ https://www.suse.com/security/cve/CVE-2024-25620.html CVE-2024-25620 https://bugzilla.suse.com/1219969 SUSE Bug 1219969 Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic. CVE-2024-26147 Container suse/helm:latest:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Micro 5.5:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Micro 5.5:helm-bash-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP5:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP5:helm-bash-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP5:helm-zsh-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP6:helm-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP6:helm-bash-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Containers 15 SP6:helm-zsh-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP5:helm-fish-completion-3.16.3-150000.1.38.1 SUSE Linux Enterprise Module for Package Hub 15 SP6:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-bash-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.5:helm-zsh-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-bash-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap 15.6:helm-zsh-completion-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-bash-completion-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-fish-completion-3.16.3-150000.1.38.1 openSUSE Leap Micro 5.5:helm-zsh-completion-3.16.3-150000.1.38.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/-2024-4213/suse-ru-20244213-1/ https://www.suse.com/security/cve/CVE-2024-26147.html CVE-2024-26147 https://bugzilla.suse.com/1220207 SUSE Bug 1220207