ChartMuseum Vulnerability: Authorization Bypass [CVE-2019-1000009]
Mon, Jan 14, 2019
Security researcher Bernard Wagner of Entersekt discovered a vulnerability in ChartMuseum, impacting all versions of ChartMuseum >= 0.1.0 and < 0.8.1. A specially crafted chart could be uploaded that caused the uploaded archive to be saved outside of its intended location.
When ChartMuseum is configured for multitenancy, the specially crafted chart could be uploaded to one tenant but saved in the storage location of another tenant. This includes overwriting an existing version of a chart in the other tenant.
Additionally, if ChartMuseum is configured to use a local filesystem storage backend, the uploaded chart archive may be written to locations outside of the storage directory: anywhere the ChartMuseum process has write permission.
We are unaware of any public exploits caused by this issue.
Helm Vulnerability: Client Unpacking Chart that Contains Malicious Content [CVE-2019-1000008]
Mon, Jan 14, 2019
Security researcher Bernard Wagner of Entersekt discovered a vulnerability in the Helm client, impacting all versions of Helm >= 2.0.0 and < 2.12.2. Two Helm client commands may be coerced into unpacking unsafe content from a maliciously designed chart.
A specially crafted chart may be able to unpack content into locations on the filesystem outside of the chart’s path, potentially overwriting existing files.
No version of Tiller is known to be impacted. This is a client-only issue.
The following Helm commands may unsafely unpack malformed charts onto a local folder: helm fetch --untar and helm lint some.tgz.
We are unaware of any public exploits caused by this issue.
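Both advisories above come down to the same defect: a filesystem path is built from input the uploader or chart author controls (chart metadata on the ChartMuseum side, tar entry names on the Helm client side) without checking that the result stays inside the intended directory. The Go program below is an added example written for this page, not code from the Helm or ChartMuseum fixes; it shows the containment check a practitioner would want on each side. The tenant/name/version storage layout, the function names and the in-memory sample archives are assumptions constructed for the example.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrUnsafePath = errors.New("unsafe path: would escape target directory")

// containedPath joins name onto dest and checks that the cleaned result is still inside dest.
// Absolute names and any ".." that survives cleaning are rejected. Both checks below use it.
func containedPath(dest, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrUnsafePath
	}
	target := filepath.Join(dest, name) // Join cleans, so "a/../../b" collapses before the test
	rel, err := filepath.Rel(dest, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// chartStoragePath models the server side: the on-disk path of an uploaded archive is derived
// from uploader-controlled metadata, so tenant, name and version must each be one path component.
// The <root>/<tenant>/<name>-<version>.tgz layout is an assumption of this example only.
func chartStoragePath(root, tenant, name, version string) (string, error) {
	for _, field := range []string{tenant, name, version} {
		if field == "" || field == "." || field == ".." || strings.ContainsAny(field, `/\`) {
			return "", ErrUnsafePath
		}
	}
	return containedPath(filepath.Join(root, tenant), name+"-"+version+".tgz")
}

// safeUntar models the client side (helm fetch --untar): every entry is checked before it is
// written, directory entries are skipped (parents are created per file) and links are refused.
func safeUntar(r io.Reader, dest string) error {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return err
	}
	tr := tar.NewReader(gz)
	for hdr, err := tr.Next(); err != io.EOF; hdr, err = tr.Next() {
		if err != nil {
			return err
		}
		target, err := containedPath(dest, hdr.Name)
		if err != nil {
			return fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		if hdr.Typeflag == tar.TypeDir {
			continue
		}
		if hdr.Typeflag != tar.TypeReg { // symlinks, hardlinks, devices
			return fmt.Errorf("entry %q: type %q not allowed: %w", hdr.Name, hdr.Typeflag, ErrUnsafePath)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
			return err
		}
		f, err := os.Create(target)
		if err != nil {
			return err
		}
		_, err = io.Copy(f, tr)
		f.Close()
		if err != nil {
			return err
		}
	}
	return gz.Close()
}

type tarEntry struct{ Name, Body string } // one regular file in a constructed sample archive

// buildArchive builds a gzipped tarball in memory (sample input only, not a chart from any real
// repository); tar.Writer keeps its first error and reports it from Close.
func buildArchive(entries []tarEntry) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for _, e := range entries {
		tw.WriteHeader(&tar.Header{Name: e.Name, Mode: 0o644, Size: int64(len(e.Body)), Typeflag: tar.TypeReg})
		tw.Write([]byte(e.Body))
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	gz.Close()
	return buf.Bytes()
}

func main() {
	dest, _ := os.MkdirTemp("", "untar-example")
	benign := buildArchive([]tarEntry{{"mychart/Chart.yaml", "name: mychart\nversion: 1.0.0\n"}})
	crafted := buildArchive([]tarEntry{{"mychart/../../escape.txt", "pwned\n"}})
	fmt.Println("benign:", safeUntar(bytes.NewReader(benign), dest), "crafted:", safeUntar(bytes.NewReader(crafted), dest))
	_, err := chartStoragePath("/srv/charts", "tenant-a", "../tenant-b/app", "1.0.0")
	fmt.Println("crafted chart name:", err)
}
```

Run it with go run: the benign archive extracts, the crafted one is rejected with ErrUnsafePath before its entry is written, and the crafted chart name is rejected before any path under another tenant is computed. The check is purely lexical (filepath.Clean plus filepath.Rel), which is why symlink and hard-link entries are refused rather than followed; an extractor that must support links has to resolve each link target against dest as well.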
Introducing the Helm Hub
Tue, Dec 11, 2018
Helm was designed with many distributed repositories in mind. Like Homebrew Taps and Debian APT repositories, Helm has the ability to add and work with many repositories. While the Helm stable and incubator repositories have been front and center from the beginning it was never our intent for these to be the only public repositories.
With this in mind, we are delighted to announce the launch of the Helm Hub. This hub provides a means for you to find charts hosted in many distributed repositories hosted by numerous people and organizations.
Introducing the Helm Org Maintainers
Thu, Oct 4, 2018
The first major action under the new Helm governance was to elect a set of Helm Org Maintainers. In the initial election we were looking to select 7 people to represent Helm core, charts, and other projects under the Helm umbrella. The election is now complete and I would like to introduce the first set of Org Maintainers.
Using the Community Chart Testing Tools Yourself
Tue, Sep 25, 2018
The Helm community charts, available as the stable and incubator repositories, have long had testing. That testing has grown and improved a significant amount in the past year; from Helm linting and testing whether an application runs in a cluster to now include YAML linting, some validation on maintainers, Chart.yaml schema validation, tests on chart version increments, and more.
New Governance And Elections
Fri, Sep 7, 2018
Being a top level incubating CNCF project requires having a governance structure to ensure that there is a publicly documented process for making decisions regarding the project and the community. While Helm was under Kubernetes, we relied on Kubernetes governance. As part of the transition to CNCF, the Helm project is required to have its own governance structure. To handle this we set up a provisional governance with a goal of creating a long term one. After a few months we are happy to announce that the new governance structure has been written and approved.
Helm Moves To DCO
Mon, Aug 27, 2018
When Helm was part of the Kubernetes project it, like the rest of Kubernetes, used the CNCF Contributor License Agreement (CLA). This served Helm well for years. But most of the CNCF projects use a Developer Certificate of Origin (DCO) instead of a CLA; the exceptions are Kubernetes and gRPC. Upon Helm becoming a CNCF project itself we were asked if we wanted to move Helm to a DCO. After some careful consideration and a little research, the Helm maintainers voted to move to a DCO.
Helm Emeritus Maintainer Rimas Mocevicius
Tue, Jul 24, 2018
Rimas Mocevicius (rimusz) has become the fourth Helm Emeritus Maintainer. Rimas is one of the three original founders of Helm. Author of CoreOS Essentials (Packt, 2016) and creator of Kube Solo, Rimas is a long-time member of the Kubernetes ecosystem. Rimas was an active contributor on Helm Classic, and has been a leading voice in the community ever since. Check out Rimas' latest blog post on Tillerless Helm.
Bringing Helm Home
Mon, Jul 23, 2018
Earlier this summer, we announced that Helm joined the CNCF as an official incubating project. Part of that transition involves moving the Helm project out of the Kubernetes GitHub org and into its own org. We’re excited to announce that we’ve completed that process. As of last week, we have moved the Helm code repository to https://github.com/helm/helm.
Helm Enters the CNCF
Fri, Jun 1, 2018
Today we are happy to announce that Helm has become an official top-level CNCF project, joining the ranks of Prometheus, Linkerd, OpenTracing, and others. Helm will enter the CNCF as an incubating project as we continue to work on the next-generation Helm 3 cloud-native package manager.