Helm v2.16.8 is a security release, patching a high-severity security vulnerability found in Go's crypto package affecting all versions of Helm 2 prior to 2.16.8.
On 32-bit architectures, Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package for Go before 0.0.0-20200124225646-8b5121be2f68) allows attacks on clients resulting in a panic via a malformed X.509 certificate. This may allow a remote attacker to cause a denial of service.
Users are urged to upgrade. More information on the security disclosure is available here.
Thanks to @ravin9249 for identifying the vulnerability.
The community keeps growing, and we'd love to see you there!
- Join the discussion in Kubernetes Slack: #helm-users for questions and just to hang out, #helm-dev for discussing PRs, code, and bugs
- Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
- Test, debug, and contribute charts: GitHub/helm/charts
Installation and Upgrading
Download Helm 2.16. The common platform binaries are here:
- MacOS amd64 (checksum)
- Linux amd64 (checksum)
- Linux arm (checksum)
- Linux arm64 (checksum)
- Linux i386 (checksum)
- Linux ppc64le (checksum)
- Linux s390x (checksum)
- Windows amd64 (checksum)
This release was signed with 967F 8AC5 E221 6F9F 4FD2 70AD 92AA 783C BAAE 8E3B and can be found at @bacongobbler's keybase account. Please use the attached signatures for verifying this release using gpg.
Once you have the client installed, upgrade Tiller with helm init --upgrade.
The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.
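The verification step above, worked through as an added example (this is not the Helm project's own tooling): it checks a downloaded archive against its checksum file and then requires that the detached gpg signature was made by the key whose fingerprint is published above, not merely by any key in the local keyring. It assumes the archive, its `.sha256` file and its `.asc` signature are in the current directory and that the signing key has already been imported.

```shell
# Added example, not part of the Helm release or project: verify a downloaded
# release archive against its checksum and detached GPG signature, pinned to
# the fingerprint published in the release notes. Assumes the archive, its
# ".sha256" file and its ".asc" signature sit in the current directory and
# that the signing key has already been imported into the local keyring.
HELM_SIGNING_FPR="967F8AC5E2216F9F4FD270AD92AA783CBAAE8E3B"

# sha256_of FILE: print the hex SHA-256 digest of FILE (GNU or BSD tooling).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_checksum FILE SUMFILE: succeed only when the digest in SUMFILE
# (first field, with or without a trailing file name) matches FILE.
verify_checksum() {
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(sha256_of "$1")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# signed_by_release_key: read "gpg --status-fd" output on stdin and succeed
# only if a VALIDSIG line carries the pinned fingerprint (as the signing key
# or as the primary key). Matching on the fingerprint, rather than on the
# human-readable "Good signature", rejects signatures from any other key
# that happens to be trusted in the local keyring.
signed_by_release_key() {
    grep -q "^\[GNUPG:\] VALIDSIG .*${HELM_SIGNING_FPR}"
}

# verify_signature FILE SIGFILE: check the detached signature with gpg and
# require that it was made by the pinned release key.
verify_signature() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | signed_by_release_key
}

# verify_release ARCHIVE: checksum first, then signature; non-zero on failure.
verify_release() {
    verify_checksum "$1" "$1.sha256" || { echo "checksum mismatch: $1" >&2; return 1; }
    verify_signature "$1" "$1.asc" || { echo "signature not from release key: $1" >&2; return 1; }
    echo "verified: $1"
}

# Usage: verify_release helm-v2.16.8-linux-amd64.tar.gz
```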
What's Next
- v2.16.9 will contain only bug fixes.
Changelog
- fix(ci): use go 1.14 7606f08 (Adam Reese)