SUSE SLES15 / openSUSE 15 : Recommended update for helm (SUSE-SU-SUSE-RU-2024:4213-1)

medium Nessus Plugin ID 212280

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-SUSE-RU-2024:4213-1 advisory.

helm was updated to fix the following issues:

Update to version 3.16.3:

* fix: fix label name
* Fix typo in pkg/lint/rules/chartfile_test.go
* Increasing the size of the runner used for releases.
* fix(hooks): correct hooks delete order
* Bump github.com/containerd/containerd from 1.7.12 to 1.7.23

Update to version 3.16.2:

* Reverting change unrelated to issue #13176
* adds tests for handling of Helm index with broken chart versions #13176
* improves handling of Helm index with broken helm chart versions #13176
* Bump the k8s-io group with 7 updates
* adding check-latest:true
* Grammar fixes
* Fix typos

Update to version 3.16.1:

* bumping version to 1.22.7
* Merge pull request #13327 from mattfarina/revert-11726

Update to version 3.16.0:

Helm v3.16.0 is a feature release. Users are encouraged to upgrade for the best experience.
* Notable Changes
- added sha512sum template function
- added ActiveHelp for cmds that don't take any more args
- drops very old Kubernetes versions support in helm create
- add --skip-schema-validation flag to helm 'install', 'upgrade' and 'lint'
- fixed bug to now use burst limit setting for discovery
- Added windows arm64 support
* Full changelog see https://github.com/helm/helm/releases/tag/v3.16.0

Update to version 3.15.4:

* Bump the k8s-io group across 1 directory with 7 updates
* Bump github.com/docker/docker

Update to version 3.15.3:

* fix(helm): Use burst limit setting for discovery
* fixed dependency_update_test.go
* fix(dependencyBuild): prevent race condition in concurrent helm dependency
* fix: respect proxy envvars on helm install/upgrade
* Merge pull request #13085 from alex-kattathra-johnson/issue-12961

Update to version 3.15.2:

* fix: wrong cli description
* fix typo in load_plugins.go
* fix docs of DeployedAll
* Bump github.com/docker/docker
* bump oras minor version
* feat(load.go): add warning on requirements.lock

Update to version 3.15.1:

* Fixing build issue where wrong version is used

Update to version 3.15.0:

Helm v3.15.0 is a feature release. Users are encouraged to upgrade for the best experience.

* Updating to k8s 1.30 c4e37b3 (Matt Farina)
* bump version to v3.15.0 d7afa3b (Matt Farina)
* bump version to 7743467 (Matt Farina)
* Fix namespace on kubeconfig error 214fb6e (Calvin Krist)
* Update testdata PKI with keys that have validity until 3393 (Fixes #12880) 1b75d48 (Dirk Müller)
* Modified how created annotation is populated based on package creation time 0a69a0d (Andrew Block)
* Enabling hide secrets on install and upgrade dry run 25c4738 (Matt Farina)
* Fixing all the linting errors d58d7b3 (Robert Sirchia)
* Add a note about --dry-run displaying secrets a23dd9e (Matt Farina)
* Updating .gitignore 8b424ba (Robert Sirchia)
* add error messages 8d19bcb (George Jenkins)
* Fix: Ignore alias validation error for index load 68294fd (George Jenkins)
* validation fix 8e6a514 (Matt Farina)
* bug: add proxy support for oci getter 94c1dea (Ricardo Maraschini)
* Update architecture detection method 57a1bb8 (weidongkl)
* Improve release action 4790bb9 (George Jenkins)
* Fix grammatical error c25736c (Matt Carr)
* Updated for review comments d2cf8c6 (MichaelMorris)
* Add robustness to wait status checks fc74964 (MichaelMorris)
* refactor: create a helper for checking if a release is uninstalled f908379 (Alex Petrov)
* fix: reinstall previously uninstalled chart with --keep-history 9e198fa (Alex Petrov)

Update to version 3.14.4:

Helm v3.14.4 is a patch release. Users are encouraged to upgrade for the best experience.

* refactor: create a helper for checking if a release is uninstalled 81c902a (Alex Petrov)
* fix: reinstall previously uninstalled chart with --keep-history 5a11c76 (Alex Petrov)
* bug: add proxy support for oci getter aa7d953 (Ricardo Maraschini)

Update to version 3.14.3:

* Add a note about --dry-run displaying secrets
* add error messages
* Fix: Ignore alias validation error for index load
* Update architecture detection method

Update to version 3.14.2 (bsc#1220207, CVE-2024-26147):

* Fix for uninitialized variable in yaml parsing

Update to version 3.14.1 (bsc#1219969, CVE-2024-25620):

* validation fix

Update to version 3.14.0:

* Notable Changes
- New helm search flag of --fail-on-no-result
- Allow a nested tpl invocation access to defines
- Speed up the tpl function
- Added qps/HELM_QPS parameter that tells Kubernetes packages how to operate
- Added --kube-version to lint command
- The ignore pkg is now public
* Changelog
- Improve release action
- Fix issues when verify generation readiness was merged
- fix test to use the default code's k8sVersionMinor
- lint: Add --kube-version flag to set capabilities and deprecation rules
- Removing Asset Transparency
- tests(pkg/engine): test RenderWithClientProvider
- Make the `ignore` pkg public again
- feature(pkg/engine): introduce RenderWithClientProvider
- Updating Helm libraries for k8s 1.28.4
- Remove excessive logging
- Update CONTRIBUTING.md
- Fixing release labelling in rollback
- feat: move livenessProbe and readinessProbe values to default values file
- Revert 'fix(main): fix basic auth for helm pull or push'
- Revert 'fix(registry): address anonymous pull issue'
- Update get-helm-3
- Drop filterSystemLabels usage from Query method
- Apply review suggestions
- Update get-helm-3 to get version through get.helm.sh
- feat: print failed hook name
- Fixing precedence issue with the import of values.
- chore(create): indent to spaces
- Allow using label selectors for system labels for sql backend.
- Allow using label selectors for system labels for secrets and configmap backends.
- remove useless print during prepareUpgrade
- Add missing with clause to release gh action
- FIX Default ServiceAccount yaml
- fix(registry): address anonymous pull issue
- fix(registry): unswallow error
- Fix missing run statement on release action
- Add qps/HELM_QPS parameter
- Write latest version to get.helm.sh bucket
- Increased release information key name max length.
- Pin gox to specific commit
- Remove `GoFish` from package managers for installing the binary
- Test update for 'Allow a nested `tpl` invocation access to `defines` in a containing one'
- Test update for 'Speed up `tpl`'
- Add support for RISC-V
- lint and validate dependency metadata to reference dependencies with a unique key (name or alias)
- Work around template.Clone omitting options
- fix: pass 'passCredentialsAll' as env-var to getter
- feat: pass basic auth to env-vars when running download plugins
- helm search: New CLI Flag --fail-on-no-result
- Update pkg/kube/ready.go
- fix post install hook deletion due to before-hook-creation policy
- Allow a nested `tpl` invocation access to `defines` in a containing one
- Remove the 'reference templates' concept
- Speed up `tpl`
- ready checker- comment update
- ready checker- remove duplicate statefulset generational check
- Verify generation in readiness checks
- feat(helm): add --reset-then-reuse-values flag to 'helm upgrade'

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected helm, helm-bash-completion, helm-fish-completion and / or helm-zsh-completion packages.

See Also

https://bugzilla.suse.com/1219969

https://bugzilla.suse.com/1220207

https://www.suse.com/security/cve/CVE-2024-25620

https://www.suse.com/security/cve/CVE-2024-26147

https://lists.suse.com/pipermail/sle-updates/2024-December/037756.html

Plugin Details

Severity: Medium

ID: 212280

File Name: suse_SU-RU-2024-4213-1.nasl

Version: 1.1

Type: local

Agent: unix

Published: 12/11/2024

Updated: 12/11/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2024-25620

CVSS v3

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.6

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:helm, p-cpe:/a:novell:suse_linux:helm-bash-completion, p-cpe:/a:novell:suse_linux:helm-zsh-completion, p-cpe:/a:novell:suse_linux:helm-fish-completion

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/5/2024

Vulnerability Publication Date: 2/14/2024

Reference Information

CVE: CVE-2024-25620, CVE-2024-26147

SuSE: SUSE-RU-2024:4213-1