Security update for helm-mirror SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2022:1888-1 Final 1 1 2022-05-31T08:44:57Z current 2022-05-31T08:44:57Z 2022-05-31T08:44:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for helm-mirror This update for helm-mirror fixes the following issues: - Updated to version 0.3.1: - CVE-2019-18658: Fixed a potential symbolic link issue in helm that could be used to leak sensitive files (bsc#1156646). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2022-1888,SUSE-SLE-Module-Containers-15-SP3-2022-1888,SUSE-SLE-Module-Containers-15-SP4-2022-1888,openSUSE-SLE-15.3-2022-1888,openSUSE-SLE-15.4-2022-1888 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2022/suse-su-20221888-1/ Link for SUSE-SU-2022:1888-1 https://lists.suse.com/pipermail/sle-security-updates/2022-May/011203.html E-Mail link for SUSE-SU-2022:1888-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1156646 SUSE Bug 1156646 https://bugzilla.suse.com/1197728 SUSE Bug 1197728 https://www.suse.com/security/cve/CVE-2019-18658/ SUSE CVE CVE-2019-18658 page SUSE Linux Enterprise Module for Containers 15 SP3 SUSE Linux Enterprise Module for Containers 15 SP4 openSUSE Leap 15.3 openSUSE Leap 15.4 helm-mirror-0.3.1-150000.1.13.1 helm-mirror-0.3.1-150000.1.13.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP3 helm-mirror-0.3.1-150000.1.13.1 as a component of SUSE Linux Enterprise Module for Containers 15 SP4 helm-mirror-0.3.1-150000.1.13.1 as a component of openSUSE Leap 15.3 helm-mirror-0.3.1-150000.1.13.1 as a component of openSUSE Leap 15.4 In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlinks. No version of Tiller is known to be impacted. This is a client-only issue. CVE-2019-18658 SUSE Linux Enterprise Module for Containers 15 SP3:helm-mirror-0.3.1-150000.1.13.1 SUSE Linux Enterprise Module for Containers 15 SP4:helm-mirror-0.3.1-150000.1.13.1 openSUSE Leap 15.3:helm-mirror-0.3.1-150000.1.13.1 openSUSE Leap 15.4:helm-mirror-0.3.1-150000.1.13.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2022/suse-su-20221888-1/ https://www.suse.com/security/cve/CVE-2019-18658.html CVE-2019-18658 https://bugzilla.suse.com/1156646 SUSE Bug 1156646