Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update module helm.sh/helm/v3 to v3.11.1 [security] #174

Merged
merged 1 commit into from
Apr 18, 2023
Merged

fix(deps): update module helm.sh/helm/v3 to v3.11.1 [security] #174

merged 1 commit into from
Apr 18, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 9, 2023
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Type Update Change
helm.sh/helm/v3 require patch v3.11.0 -> v3.11.1

GitHub Vulnerability Alerts

CVE-2023-25165

A Helm contributor discovered an information disclosure vulnerability using the getHostByName template function.

Impact

getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart.

Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.

Patches

The issue has been fixed in Helm 3.11.1.

Workarounds

Prior to using a chart with Helm verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Philipp Stehle at SAP.

Release Notes

helm/helm

v3.11.1: Helm v3.11.1

Compare Source

Helm v3.11.1 is a security (patch) release. Users are strongly recommended to update to this release.

The template function getHostByName can be used to disclose information. More details are available in the CVE.

This release introduces a breaking changes to Helm:

  • When using the helm client for the template, install, and upgrade commands there is a new flag. --enable-dns needs to be set for the getHostByName template function to attempt to lookup an IP address for a given hostname. If the flag is not set the template function will return an empty string and skip looping up an IP address for the host.
  • The Helm SDK has added the EnableDNS property to the install action, the upgrade action, and the Engine. This property must be set to true for the in order for the getHostByName template function to attempt to lookup an IP address.

The default for both of these cases is false.

Philipp Stehle at SAP disclosed the vulnerability to the Helm project.

Installation and Upgrading

Download Helm v3.11.1. The common platform binaries are here:

This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @​mattfarina keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 3.11.2 is the next patch/bug fix release and will be on March 08, 2023.
  • 3.12.0 is the next feature release and be on May 10, 2023.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@stale
Copy link

stale bot commented Mar 23, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Mar 23, 2023
@hayorov hayorov merged commit fbecaf1 into master Apr 18, 2023
@hayorov hayorov deleted the renovate/go-helm.sh/helm/v3-vulnerability branch April 18, 2023 13:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
wontfix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@hayorov