Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2022:3666-1

Опубликовано: 19 окт. 2022
Источник: suse-cvrf

Описание

Security update for helm

This update for helm fixes the following issues:

helm was updated to version 3.9.4:

  • CVE-2022-36055: Fixed denial of service through string value parsing (bsc#1203054).
  • Updating the certificates used for testing
  • Updating index handling

helm was updated to version 3.9.3:

  • CVE-2022-1996: Updated kube-openapi to fix an issue that could result in a CORS protection bypass (bsc#1200528).
  • Fix missing array length check on release

helm was updated to version 3.9.2:

  • Update of the circleci image

helm was updated to version 3.9.1:

  • Update to support Kubernetes 1.24.2
  • Improve logging and safety of statefulSetReady
  • Make token caching an opt-in feature
  • Bump github.com/lib/pq from 1.10.5 to 1.10.6
  • Bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3

helm was updated to version 3.9.0:

  • Added a --quiet flag to helm lint
  • Added a --post-renderer-args flag to support arguments being passed to the post renderer
  • Added more checks during the signing process
  • Updated to add Kubernetes 1.24 support

helm was updated to version 3.8.2:

  • Bump oras.land/oras-go from 1.1.0 to 1.1.1
  • Fixing downloader plugin error handling
  • Simplify testdata charts
  • Simplify testdata charts
  • Add tests for multi-level dependencies.
  • Fix value precedence
  • Bumping Kubernetes package versions
  • Updating vcs to latest version
  • Dont modify provided transport
  • Pass http getter as pointer in tests
  • Add docs block
  • Add transport option and tests
  • Reuse http transport
  • Updating Kubernetes libs to 0.23.4 (latest)
  • fix: remove deadcode
  • fix: helm package tests
  • fix: helm package with dependency update for charts with OCI dependencies
  • Fix typo Unset the env var before func return in Unit Test
  • add legal name check
  • maint: fix syntax error in deploy.sh
  • linting issue fixed
  • only apply overwrite if version is canary
  • overwrite flag added to az storage blob upload-batch
  • Avoid querying for OCI tags can explicit version provided in chart dependencies
  • Management of bearer tokens for tag listing
  • Updating Kubernetes packages to 1.23.3
  • refactor: use os.ReadDir for lightweight directory reading
  • Add IngressClass to manifests to be (un)installed
  • feat(comp): Shell completion for OCI
  • Fix install memory/goroutine leak

Список пакетов

Container suse/helm:latest
helm-3.9.4-150000.1.10.3
Image SLES15-SP4-SUSE-Rancher-Setup-BYOS
helm-3.9.4-150000.1.10.3
Image SLES15-SP4-SUSE-Rancher-Setup-BYOS-EC2
helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15 SP3
helm-3.9.4-150000.1.10.3
helm-bash-completion-3.9.4-150000.1.10.3
helm-zsh-completion-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15 SP4
helm-3.9.4-150000.1.10.3
helm-bash-completion-3.9.4-150000.1.10.3
helm-zsh-completion-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Package Hub 15 SP3
helm-fish-completion-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Package Hub 15 SP4
helm-fish-completion-3.9.4-150000.1.10.3
openSUSE Leap 15.3
helm-3.9.4-150000.1.10.3
helm-bash-completion-3.9.4-150000.1.10.3
helm-fish-completion-3.9.4-150000.1.10.3
helm-zsh-completion-3.9.4-150000.1.10.3
openSUSE Leap 15.4
helm-3.9.4-150000.1.10.3
helm-bash-completion-3.9.4-150000.1.10.3
helm-fish-completion-3.9.4-150000.1.10.3
helm-zsh-completion-3.9.4-150000.1.10.3

Ссылки

Описание

Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.

Затронутые продукты
Container suse/helm:latest:helm-3.9.4-150000.1.10.3
Image SLES15-SP4-SUSE-Rancher-Setup-BYOS-EC2:helm-3.9.4-150000.1.10.3
Image SLES15-SP4-SUSE-Rancher-Setup-BYOS:helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3
Ссылки

Описание

Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings in to Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.

Затронутые продукты
Container suse/helm:latest:helm-3.9.4-150000.1.10.3
Image SLES15-SP4-SUSE-Rancher-Setup-BYOS-EC2:helm-3.9.4-150000.1.10.3
Image SLES15-SP4-SUSE-Rancher-Setup-BYOS:helm-3.9.4-150000.1.10.3
SUSE Linux Enterprise Module for Containers 15 SP3:helm-3.9.4-150000.1.10.3
Ссылки