Bumping helm and oras for security updates #169
Conversation
- helm/v3@v3.9.0 is importing oras v1.1.0
- oras@v1.1.0 is importing microsoft/hcsshim v0.8.7
- hcsshim@v0.8.7 is directly importing k8s.io/kubernetes 1.13.0, which is the subject of the CVE

helm/v3's main branch resolves this, but the specific fix has not yet been promoted to a numbered release tag
Unsure why
Helm 3.9 is requiring go 1.17 - is the ci worker running with an old go compiler?
Thank you for this patch! Yep, the project is currently built against Go 1.16. I guess we can update Go to 1.17 in a separate PR and then rebase this branch onto it. WDYT?
Bumping to 1.17 makes sense to me, Go 1.18 has been out for months now :)
Go 1.17 update in #170
Please rebase this branch onto master after Go 1.17 update. |
// Thought I already did this?
Codecov Report
@@ Coverage Diff @@
## master #169 +/- ##
=======================================
Coverage 45.27% 45.27%
=======================================
Files 18 18
Lines 466 466
=======================================
Hits 211 211
Misses 245 245
Partials 10 10
Continue to review full report at Codecov.
Trying to find why helm 3.9 wasn't tested...
@hypnoglow -- OKAY. I believe we're good now. Two notes about the change:
One other thing I observed while looking at this - CircleCI is complaining about deprecated docker images. I attempted a switch to use their newer containers, but there are problems with root permissions and that change is best made in isolation of any other changes.
@allaryin thank you!
We are in the process of migrating to GitHub Actions, so hopefully this will not be an issue in the near future.
Helm v3.9.0 patches against CVE-2022-21235 by intentionally updating its dependency on mastermind/vcs.
It unfortunately does not resolve CVE-2021-25741, which is caused by importing an old version of k8s.io/kubernetes.
Directly importing k8s.io/kubernetes is unsupported, so fixing that issue directly does not work, but a minor bump to ORAS (from v1.1.0 to v1.1.1) and reiterating that bump by ensuring that microsoft/hcsshim is also updated to the version requested by oras v1.1.1 means that hcsshim is no longer importing the old k8s.io/kubernetes release.
Helm's main branch has this ORAS version update, but this has not yet been published in a numbered release tag.
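The dependency chain described in this thread (helm -> oras -> hcsshim -> k8s.io/kubernetes) is the kind of thing `go mod graph` shows but is tedious to trace by hand. The following is an added example, not code from this PR or the project: it parses a constructed `go mod graph` sample, does a breadth-first search from the root module to any version of a target module, and reports the chain that pulls it in. The full module paths (helm.sh/helm/v3, oras.land/oras-go, github.com/Microsoft/hcsshim, k8s.io/kubernetes), the root module name `example.com/helm-plugin`, and the `vNEWER` hcsshim tag in the "after" graph are assumptions or placeholders; the versions in the "before" graph are the ones named in the thread.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed `go mod graph` output for the state before the bump (not captured
// from the project in this PR). Each line is "parent child"; the root module
// carries no @version. Module paths are assumed; versions follow the thread.
const graphBefore = `example.com/helm-plugin helm.sh/helm/v3@v3.9.0
helm.sh/helm/v3@v3.9.0 oras.land/oras-go@v1.1.0
oras.land/oras-go@v1.1.0 github.com/Microsoft/hcsshim@v0.8.7
github.com/Microsoft/hcsshim@v0.8.7 k8s.io/kubernetes@v1.13.0
`

// Same shape after bumping ORAS to v1.1.1 and hcsshim to the version it
// requests. "vNEWER" is a placeholder, not a real hcsshim tag; the point is
// that the newer hcsshim has no edge to k8s.io/kubernetes.
const graphAfter = `example.com/helm-plugin helm.sh/helm/v3@v3.9.0
helm.sh/helm/v3@v3.9.0 oras.land/oras-go@v1.1.1
oras.land/oras-go@v1.1.1 github.com/Microsoft/hcsshim@vNEWER
`

// parseGraph turns `go mod graph` text into an adjacency list keyed by parent node.
func parseGraph(text string) map[string][]string {
	g := make(map[string][]string)
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // blank or malformed line
		}
		g[f[0]] = append(g[f[0]], f[1])
	}
	return g
}

// modulePath strips the "@version" suffix from a graph node.
func modulePath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// findPath does a breadth-first search from root and returns the first chain
// of nodes that reaches any version of target, or nil if it is unreachable.
func findPath(g map[string][]string, root, target string) []string {
	type item struct {
		node string
		path []string
	}
	seen := map[string]bool{root: true}
	queue := []item{{node: root, path: []string{root}}}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if modulePath(cur.node) == target {
			return cur.path
		}
		for _, child := range g[cur.node] {
			if seen[child] {
				continue
			}
			seen[child] = true
			// copy the path so sibling branches do not share a backing array
			p := append(append([]string{}, cur.path...), child)
			queue = append(queue, item{node: child, path: p})
		}
	}
	return nil
}

func main() {
	for _, sample := range []struct{ name, text string }{{"before", graphBefore}, {"after", graphAfter}} {
		p := findPath(parseGraph(sample.text), "example.com/helm-plugin", "k8s.io/kubernetes")
		if p == nil {
			fmt.Printf("%s: k8s.io/kubernetes is not reachable\n", sample.name)
			continue
		}
		fmt.Printf("%s: %s\n", sample.name, strings.Join(p, " -> "))
	}
}
```

Against a real checkout you would feed the program the output of `go mod graph` instead of the embedded constants; `go mod why -m k8s.io/kubernetes` gives the toolchain's own answer for the same question and is the quicker check that a bump like this one actually removed the edge.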