ChartMuseum Vulnerability: Authorization Bypass [CVE-2019-1000009]

Mon, Jan 14, 2019

Security researcher Bernard Wagner of Entersekt discovered a vulnerability in ChartMuseum, impacting all ChartMuseum versions >=0.1.0 and < 0.8.1. A specially crafted chart could be uploaded that caused the uploaded archive to be saved outside of its intended location.

When ChartMuseum is configured for multitenancy, the specially crafted chart could be uploaded to one tenant but saved in the storage location of another tenant. This includes overwriting an existing version of a chart in the other tenant.

Additionally, if ChartMuseum is configured to use a local filesystem as its storage backend, the uploaded chart archive may be written to locations outside of the storage directory: anywhere the ChartMuseum process has write permission.

We are unaware of any public exploits caused by this issue.


Helm Vulnerability: Client Unpacking Chart that Contains Malicious Content [CVE-2019-1000008]

Mon, Jan 14, 2019

Security researcher Bernard Wagner of Entersekt discovered a vulnerability in the Helm client, impacting all Helm versions >=2.0.0 and < 2.12.2. Two Helm client commands may be coerced into unpacking unsafe content from a maliciously designed chart.

A specially crafted chart may be able to unpack content into locations on the filesystem outside of the chart’s path, potentially overwriting existing files.

No version of Tiller is known to be impacted. This is a client-only issue.

The following Helm commands may unsafely unpack malformed charts into a local folder: helm fetch --untar and helm lint some.tgz.

We are unaware of any public exploits caused by this issue.
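Both advisories on this page (the ChartMuseum storage-path issue above and this Helm client unpacking issue) come down to the same defect: a filesystem path built from untrusted archive content is used without confirming that it stays under the intended directory. The Go code below is an added example of the defensive check, not code from the Helm or ChartMuseum projects; the function names SafeJoin and UntarSafe, the rejection of link entries, and the in-memory read of each entry are my own choices.

```go
package main

import (
	"archive/tar"
	"errors"
	"io"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideDest = errors.New("archive entry escapes destination directory")

// SafeJoin resolves an untrusted name under dest and rejects any result that leaves dest.
func SafeJoin(dest, name string) (string, error) {
	full := filepath.Join(dest, name) // Join cleans, so "../x" can climb above dest
	// Rel starts with ".." when full is outside dest (also refuses names that merely begin with "..").
	if rel, err := filepath.Rel(dest, full); err != nil || strings.HasPrefix(rel, "..") {
		return "", ErrOutsideDest
	}
	return full, nil
}

// UntarSafe extracts regular files from r into dest and aborts on the first entry
// that would land outside dest. Symlinks and hard links are skipped, never followed.
func UntarSafe(r io.Reader, dest string) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		} else if err != nil {
			return err
		}
		target, err := SafeJoin(dest, hdr.Name) // validate before touching the disk
		if err != nil {
			return err
		}
		if hdr.Typeflag != tar.TypeReg {
			continue
		}
		_ = os.MkdirAll(filepath.Dir(target), 0o755) // a failure here surfaces in WriteFile
		data, err := io.ReadAll(tr)                  // whole entry in memory; fine for chart-sized archives
		if err == nil {
			err = os.WriteFile(target, data, 0o644)
		}
		if err != nil {
			return err
		}
	}
}
```

The same SafeJoin check applies to a chart name or version taken from uploaded metadata before it is used to build a storage path, which is the multitenancy case in the ChartMuseum advisory.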


Introducing the Helm Hub

Tue, Dec 11, 2018

Helm was designed with many distributed repositories in mind. Like Homebrew Taps and Debian APT repositories, Helm has the ability to add and work with many repositories. While the Helm stable and incubator repositories have been front and center from the beginning, it was never our intent for these to be the only public repositories.

With this in mind, we are delighted to announce the launch of the Helm Hub. The hub provides a means for you to find charts across many distributed repositories hosted by numerous people and organizations.


New Governance And Elections

Fri, Sep 7, 2018

Being a top-level incubating CNCF project requires having a governance structure to ensure that there is a publicly documented process for making decisions regarding the project and the community. While Helm was under Kubernetes, we relied on Kubernetes governance. As part of the transition to CNCF, the Helm project is required to have its own governance structure. To handle this we set up a provisional governance with the goal of creating a long-term one. After a few months we are happy to announce that the new governance structure has been written and approved.


Helm Moves To DCO

Mon, Aug 27, 2018

When Helm was part of the Kubernetes project it, like the rest of Kubernetes, used the CNCF Contributor License Agreement (CLA). This served Helm well for years. But most CNCF projects use a Developer Certificate of Origin (DCO) instead of a CLA; the exceptions are Kubernetes and gRPC. Upon Helm becoming a CNCF project itself, we were asked whether we wanted to move Helm to a DCO. After some careful consideration and a little research, the Helm maintainers voted to move to a DCO.


Helm Emeritus Maintainer Rimas Mocevicius

Tue, Jul 24, 2018

Rimas Mocevicius (rimusz) has become the fourth Helm Emeritus Maintainer. Rimas is one of the three original founders of Helm. Author of CoreOS Essentials (Packt, 2016) and creator of Kube Solo, Rimas is a long-time member of the Kubernetes ecosystem. Rimas was an active contributor on Helm Classic and has been a leading voice in the community ever since. Check out Rimas' latest blog post on Tillerless Helm.

Bringing Helm Home

Mon, Jul 23, 2018

Earlier this summer, we announced that Helm joined the CNCF as an official incubating project. Part of that transition involves moving the Helm project out of the Kubernetes GitHub org and into its own org. We’re excited to announce that we’ve completed that process. As of last week, we have moved the Helm code repository to https://github.com/helm/helm.


Helm Enters the CNCF

Fri, Jun 1, 2018

Today we are happy to announce that Helm has become an official top-level CNCF project, joining the ranks of Prometheus, Linkerd, OpenTracing, and others. Helm will enter the CNCF as an incubating project as we continue to work on the next-generation Helm 3 cloud-native package manager.
