SUSE alert SUSE-SU-2023:4124-1 (helm)
| From: | sle-security-updates@lists.suse.com | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2023:4124-1: important: Security update for helm | |
| Date: | Thu, 19 Oct 2023 08:54:58 -0000 | |
| Message-ID: | <169770569852.29066.9514868370252376386@smelt2.prg2.suse.org> |
# Security update for helm Announcement ID: SUSE-SU-2023:4124-1 Rating: important References: * bsc#1183043 * bsc#1215588 * bsc#1215711 Cross-References: * CVE-2022-41723 * CVE-2023-25173 CVSS scores: * CVE-2022-41723 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2022-41723 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2023-25173 ( SUSE ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L * CVE-2023-25173 ( NVD ): 5.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L Affected Products: * Containers Module 15-SP4 * Containers Module 15-SP5 * SUSE Enterprise Storage 7.1 * SUSE Linux Enterprise Desktop 15 SP4 * SUSE Linux Enterprise Desktop 15 SP5 * SUSE Linux Enterprise High Performance Computing 15 SP3 * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 * SUSE Linux Enterprise Micro 5.3 * SUSE Linux Enterprise Micro 5.4 * SUSE Linux Enterprise Micro 5.5 * SUSE Linux Enterprise Real Time 15 SP4 * SUSE Linux Enterprise Real Time 15 SP5 * SUSE Linux Enterprise Server 15 SP3 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Manager Proxy 4.3 * SUSE Manager Retail Branch Server 4.3 * SUSE Manager Server 4.3 * SUSE Package Hub 15 15-SP4 * SUSE Package Hub 15 15-SP5 An update that solves two vulnerabilities and has one security fix can now be installed. ## Description: This update for helm fixes the following issues: helm was updated to version 3.13.1: * Fixing precedence issue with the import of values. * Add missing with clause to release gh action * FIX Default ServiceAccount yaml * fix(registry): unswallow error * remove useless print during prepareUpgrade * fix(registry): address anonymous pull issue * Fix missing run statement on release action * Write latest version to get.helm.sh bucket * Increased release information key name max length. helm was updated to version 3.13.0 (bsc#1215588): * Fix leaking goroutines in Install * Update Helm to use k8s 1.28.2 libraries * make the dependabot k8s.io group explicit * use dependabot's group support for k8s.io dependencies * doc:Executing helm rollback release 0 will roll back to the previous release * Use labels instead of selectorLabels for pod labels * fix(helm): fix GetPodLogs, the hooks should be sorted before get the logs of each hook * chore: HTTPGetter add default timeout * Avoid nil dereference if passing a nil resolver * Add required changes after merge * Fix #3352, add support for --ignore-not-found just like kubectl delete * Fix helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject * Restore `helm get metadata` command * Revert "Add `helm get metadata` command" * test: replace `ensure.TempDir` with `t.TempDir` * use json api url + report curl/wget error on fail * Added error in case try to supply custom label with name of system label during install/upgrade * fix(main): fix basic auth for helm pull or push * cmd: support generating index in JSON format * repo: detect JSON and unmarshal efficiently * Tweaking new dry-run internal handling * bump kubernetes modules to v0.27.3 * Remove warning for template directory not found. * Added tests for created OCI annotation time format * Add created OCI annotation * Fix multiple bugs in values handling * chore: fix a typo in `manager.go` * add GetRegistryClient method * oci: add tests for plain HTTP and insecure HTTPS registries * oci: Add flag `--plain-http` to enable working with HTTP registries * docs: add an example for using the upgrade command with existing values * Replace `fmt.Fprintf` with `fmt.Fprint` in get_metadata.go * Replace `fmt.Fprintln` with `fmt.Fprintf` in get_metadata.go * update kubernetes dependencies from v0.27.0 to v0.27.1 * Add ClientOptResolver to test util file * Check that missing keys are still handled in tpl * tests: change crd golden file to match after #11870 * Adding details on the Factory interface * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster to be able to render lookup functions. Closes #8137 * bugfix:(#11391) helm lint infinite loop when malformed template object * pkg/engine: fix nil-dereference * pkg/chartutil: fix nil-dereference * pkg/action: fix nil-dereference * full source path when output-dir is not provided * added Contributing.md section and ref link in the README * feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster if the value is 'server' to be able to render lookup functions. Closes #8137 * feat(helm): add ability for --dry-run to do lookup functions * Add `CHART`, `VERSION` and `APP_VERSION` fields to `get all` command output * Adjust `get` command description to account metadata * add volumes and volumeMounts in chartutil * Seed a default switch to control `automountServiceAccountToken` * Avoid confusing error when passing in '\--version X.Y.Z' * Add `helm get metadata` command * Use wrapped error so that ErrNoObjectsVisited can be compared after return. * Add exact version test. * strict file permissions of repository.yaml * Check redefinition of define and include in tpl * Check that `.Template` is passed through `tpl` * Make sure empty `tpl` values render empty. * Pick the test improvement out of PR#8371 * # 11369 Use the correct index repo cache directory in the `parallelRepoUpdate` method as well * # 11369 Add a test case to prove the bug and its resolution * ref(helm): export DescriptorPullSummary fields * feat(helm): add 'ClientOptResolver' ClientOption * Fix flaky TestSQLCreate test by making sqlmock ignore order of sql requests * Fixing tests after adding labels to release fixture * Make default release fixture contain custom labels to make tests check that labels are not lost * Added support for storing custom labels in SQL storage driver * Adding support merging new custom labels with original release labels during upgrade * Added note to install/upgrade commands that original release labels wouldn't be persisted in upgraded release * Added unit tests for implemented install/upgrade labels logic * Remove redudant types from util_test.go * Added tests for newly introduced util.go functions * Fix broken tests for SQL storage driver * Fix broken tests for configmap and secret storage drivers * Make superseded releases keep labels * Support configmap storage driver for install/upgrade actions \--labels argument * Added upgrade --install labels argument support * Add labels support for install action with secret storage backend * test: added tests to load plugin from home dir with space * fix: plugin does not load when helm base dir contains space * Add priority class to kind sorter * Fixes #10566 * test(search): add mixedCase test case * fix(search): print repo search result in original case * Adjust error message wrongly claiming that there is a resource conflict * Throw an error from jobReady() if the job exceeds its BackoffLimit * github: add Asset Transparency action for GitHub releases Update to version 3.12.3: * bump kubernetes modules to v0.27.3 * Add priority class to kind sorter Update to version 3.12.2: * add GetRegistryClient method Update to version 3.12.1: * bugfix:(#11391) helm lint infinite loop when malformed template object * update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart * test(search): add mixedCase test case * fix(search): print repo search result in original case * strict file permissions of repository.yaml * update kubernetes dependencies from v0.27.0 to v0.27.1 Update to version 3.12.0: * Attach annotations to OCI artifacts * Fix goroutine leak in action install * fix quiet lint does not fail on non-linting errors * create failing test for quietly linting a chart that doesn't exist * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) * fix: failed testcase on windows * Fix 32bit-x86 typo in testsuite * Handle failed DNS case for Go 1.20+ * Updating the Go version in go.mod * Fix goroutine leak in perform * Properly invalidate client after CRD install * Provide a helper to set the registryClient in cmd * Reimplemented change in httpgetter for insecure TLS option * Added insecure option to login subcommand * Added support for insecure OCI registries * Enable custom certificates option for OCI * Add testing to default and release branches * Remove job dependency. Should have done when I moved job to new file * Remove check to run only in helm org * Add why comments * Convert remaining CircleCI config to GitHub Actions * Changed how the setup-go action sets go version * chore:Use http constants as http.request parameters * update k8s registry domain * don't mark issues as stale where a PR is in progress * Update to func handling * Add option to support cascade deletion options * the linter varcheck and deadcode are deprecated (since v1.49.0) * Check status code before retrying request * Fix improper use of Table request/response to k8s API * fix template --output-dir issue * Add protection for stack-overflows for nested keys * feature(helm): add --set-literal flag for literal string interpretation Update to version 3.11.3: * Fix goroutine leak in perform * Fix goroutine leak in action install * Fix 32bit-x86 typo in testsuite * Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774) * avoid CGO to workaround missing gold dependency (bsc#1183043) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * Containers Module 15-SP4 zypper in -t patch SUSE-SLE-Module-Containers-15-SP4-2023-4124=1 * Containers Module 15-SP5 zypper in -t patch SUSE-SLE-Module-Containers-15-SP5-2023-4124=1 * SUSE Package Hub 15 15-SP4 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-4124=1 * SUSE Package Hub 15 15-SP5 zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-4124=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4124=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4124=1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4124=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4124=1 * SUSE Enterprise Storage 7.1 zypper in -t patch SUSE-Storage-7.1-2023-4124=1 ## Package List: * Containers Module 15-SP4 (aarch64 ppc64le s390x x86_64) * helm-3.13.1-150000.1.26.1 * helm-debuginfo-3.13.1-150000.1.26.1 * Containers Module 15-SP4 (noarch) * helm-zsh-completion-3.13.1-150000.1.26.1 * helm-bash-completion-3.13.1-150000.1.26.1 * Containers Module 15-SP5 (aarch64 ppc64le s390x x86_64) * helm-3.13.1-150000.1.26.1 * helm-debuginfo-3.13.1-150000.1.26.1 * Containers Module 15-SP5 (noarch) * helm-zsh-completion-3.13.1-150000.1.26.1 * helm-bash-completion-3.13.1-150000.1.26.1 * SUSE Package Hub 15 15-SP4 (noarch) * helm-fish-completion-3.13.1-150000.1.26.1 * SUSE Package Hub 15 15-SP5 (noarch) * helm-fish-completion-3.13.1-150000.1.26.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64) * helm-3.13.1-150000.1.26.1 * helm-debuginfo-3.13.1-150000.1.26.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch) * helm-zsh-completion-3.13.1-150000.1.26.1 * helm-bash-completion-3.13.1-150000.1.26.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64) * helm-3.13.1-150000.1.26.1 * helm-debuginfo-3.13.1-150000.1.26.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch) * helm-zsh-completion-3.13.1-150000.1.26.1 * helm-bash-completion-3.13.1-150000.1.26.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64) * helm-3.13.1-150000.1.26.1 * helm-debuginfo-3.13.1-150000.1.26.1 * SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch) * helm-zsh-completion-3.13.1-150000.1.26.1 * helm-bash-completion-3.13.1-150000.1.26.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64) * helm-3.13.1-150000.1.26.1 * helm-debuginfo-3.13.1-150000.1.26.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch) * helm-zsh-completion-3.13.1-150000.1.26.1 * helm-bash-completion-3.13.1-150000.1.26.1 * SUSE Enterprise Storage 7.1 (aarch64 x86_64) * helm-3.13.1-150000.1.26.1 * helm-debuginfo-3.13.1-150000.1.26.1 * SUSE Enterprise Storage 7.1 (noarch) * helm-zsh-completion-3.13.1-150000.1.26.1 * helm-bash-completion-3.13.1-150000.1.26.1 ## References: * https://www.suse.com/security/cve/CVE-2022-41723.html * https://www.suse.com/security/cve/CVE-2023-25173.html * https://bugzilla.suse.com/show_bug.cgi?id=1183043 * https://bugzilla.suse.com/show_bug.cgi?id=1215588 * https://bugzilla.suse.com/show_bug.cgi?id=1215711