
security: Track Possible Image Vulnerabilities

Open scbizu opened this issue 2 years ago • 15 comments

This will be a long-running issue to track possible image vulnerabilities or CVEs reported by the community or by our dependabot.

scbizu avatar Mar 24 '22 03:03 scbizu

https://github.com/helm/helm/pull/10717 tracks the containerd advisory "containerd CRI plugin: Insecure handling of image volumes"; we will upgrade CM after Helm upgrades this dependency.

scbizu avatar Mar 24 '22 03:03 scbizu

Artifacthub.io shows issues with the base image (busybox) and a few of our deps (etcd, containerd, docker): https://artifacthub.io/packages/helm/chartmuseum/chartmuseum

slachiewicz avatar May 31 '22 14:05 slachiewicz

Hi @scbizu, any update on the security vulnerability reported in #607, please?

Kiran-38 avatar Aug 26 '22 03:08 Kiran-38

@Kiran-38 Thank you for the report. The storage PR will deprecate the old etcd dependency :) https://github.com/chartmuseum/storage/pull/649

scbizu avatar Sep 11 '22 07:09 scbizu

@scbizu Thank you for the response. Can we have a date for the etcd fix, or will this fix be in version 0.15.0 or later? Please let us know.

Kiran-38 avatar Sep 14 '22 06:09 Kiran-38

Hi, the ChartMuseum binary contains the helm.sh/helm/v3 v3.9.3 library, which is flagged as a security risk and needs to be updated to the latest version, 3.9.4 or later, to resolve the issue.

I see there is already a branch dependabot created to fix this; can you merge it into the main branch so that I can use it?

Kiran-38 avatar Oct 13 '22 05:10 Kiran-38

@scbizu Thank you for the quick fix. It means a lot. Keep up the great work.

Kiran-38 avatar Oct 25 '22 04:10 Kiran-38

Hi @scbizu, there are a few vulnerabilities found in building chartmuseum. Please find the list below.

- github.com/containerd/containerd v1.6.3
- helm.sh/helm/v3 v3.9.0
- golang.org/x/net v0.0.0-20220531201128-c960675eff93
- github.com/emicklei/go-restful v2.9.5+incompatible
- golang.org/x/text v0.3.7

Kiran-38 avatar Mar 05 '23 05:03 Kiran-38
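A practical way to confirm which of the module versions listed above a given ChartMuseum binary actually embeds, and whether each meets a required minimum, is to read the build info that the Go toolchain records in every binary (`go version -m <binary>`) and compare versions with semver rules, including pseudo-versions and `+incompatible` suffixes. The program below is an added example, not code from the ChartMuseum project or from any commenter in this thread: the build-info text is constructed from the versions listed in the comment above, the helm.sh/helm/v3 minimum (v3.9.4) is the fix version named earlier in this thread, and the golang.org/x/text minimum is a placeholder rather than an advisory value.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample of `go version -m chartmuseum` output, assembled from the
// module versions listed in the thread; it is not real chartmuseum build info.
// Real output is tab-separated: "\tdep\t<module>\t<version>\t<hash>".
var sampleBuildInfo = strings.Join([]string{
	"chartmuseum: go1.19",
	"\tpath\thelm.sh/chartmuseum",
	"\tmod\thelm.sh/chartmuseum\t(devel)",
	"\tdep\tgithub.com/containerd/containerd\tv1.6.3\th1:constructed",
	"\tdep\thelm.sh/helm/v3\tv3.9.0\th1:constructed",
	"\tdep\tgolang.org/x/net\tv0.0.0-20220531201128-c960675eff93\th1:constructed",
	"\tdep\tgithub.com/emicklei/go-restful\tv2.9.5+incompatible\th1:constructed",
	"\tdep\tgolang.org/x/text\tv0.3.7\th1:constructed",
}, "\n")

// Minimum acceptable versions. helm v3.9.4 is the fix version named in the
// thread; the x/text value is a PLACEHOLDER, not a real advisory boundary.
var minimums = map[string]string{
	"helm.sh/helm/v3":   "v3.9.4",
	"golang.org/x/text": "v0.3.8", // PLACEHOLDER
}

// ParseBuildInfo extracts module path -> version from `go version -m` output,
// keeping only "dep" lines (path, mod and "=>" replace lines are skipped).
func ParseBuildInfo(out string) map[string]string {
	deps := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		f := strings.Split(strings.TrimPrefix(sc.Text(), "\t"), "\t")
		if len(f) >= 3 && f[0] == "dep" {
			deps[f[1]] = f[2]
		}
	}
	return deps
}

type version struct {
	nums [3]int
	pre  string // pre-release or pseudo-version suffix; "" for a tagged release
}

func parseVersion(v string) version {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // drop build metadata such as +incompatible
		v = v[:i]
	}
	var out version
	if i := strings.Index(v, "-"); i >= 0 { // pseudo-version or pre-release
		out.pre = v[i+1:]
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		out.nums[i] = n
	}
	return out
}

// CompareVersion returns -1, 0 or 1 like strings.Compare, using semver rules:
// the numeric core decides first, and a pre-release (or pseudo-version) sorts
// below the tagged release with the same core. Pseudo-version suffixes start
// with a UTC timestamp, so comparing them as strings orders them by date.
func CompareVersion(a, b string) int {
	va, vb := parseVersion(a), parseVersion(b)
	for i := 0; i < 3; i++ {
		if va.nums[i] != vb.nums[i] {
			if va.nums[i] < vb.nums[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case va.pre == vb.pre:
		return 0
	case va.pre == "":
		return 1
	case vb.pre == "":
		return -1
	}
	return strings.Compare(va.pre, vb.pre)
}

// FindOutdated reports every module that is embedded below its minimum,
// sorted so the output is stable for diffing between builds.
func FindOutdated(deps, mins map[string]string) []string {
	var out []string
	for mod, need := range mins {
		if have, ok := deps[mod]; ok && CompareVersion(have, need) < 0 {
			out = append(out, fmt.Sprintf("%s %s < %s", mod, have, need))
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	for _, line := range FindOutdated(ParseBuildInfo(sampleBuildInfo), minimums) {
		fmt.Println("OUTDATED:", line)
	}
}
```

To use it against a real binary, pipe `go version -m /path/to/chartmuseum` into ParseBuildInfo instead of the constructed text, and fill `minimums` from the advisories you are tracking; a module that the binary does not embed at all is deliberately not reported, since the concern in this thread is what is actually linked in.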

@Kiran-38 OK, I will check it.

scbizu avatar Mar 06 '23 02:03 scbizu

Thanks for the quick fix. I just wanted to know whether any new release is planned with this fix, as the fix is still only in the main branch, or whether there is a tentative release date.

Kiran-38 avatar Mar 09 '23 06:03 Kiran-38

@cbuto @jdolitsky Can you please include all the current vulnerability fixes in a new release? As it has been a while, if a new release is planned, can you please give a date? That would help users like us a lot.

Kiran-38 avatar Mar 20 '23 04:03 Kiran-38

#737

scbizu avatar Dec 31 '23 11:12 scbizu

@cbuto @jdolitsky apologies for the tag, do we know when a new release is planned? It would be great if we could have any open dependabot PRs containing vulnerability fixes included.

macox avatar Apr 24 '24 15:04 macox

@macox Hi, we have already opened the automated dependabot PRs, and if you want a new release with these PRs, you can try our canary tag. Thank you for your advice, but we do not plan to cut a new release tag for every vulnerability fix.

scbizu avatar Apr 28 '24 08:04 scbizu

Thanks for your reply @scbizu, sorry I didn’t mean a release for every vulnerability. I was just wondering if a release was planned and if current open dependabot PRs could be merged and included in it.

macox avatar Apr 28 '24 14:04 macox