Synopsis
The remote SUSE host is missing one or more security updates.
Description
The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4124-1 advisory.
helm was updated to version 3.13.1:
* Fixing precedence issue with the import of values.
* Add missing with clause to release gh action
* FIX Default ServiceAccount yaml
* fix(registry): unswallow error
* remove useless print during prepareUpgrade
* fix(registry): address anonymous pull issue
* Fix missing run statement on release action
* Write latest version to get.helm.sh bucket
* Increased release information key name max length.
helm was updated to version 3.13.0 (bsc#1215588):
* Fix leaking goroutines in Install
* Update Helm to use k8s 1.28.2 libraries
* make the dependabot k8s.io group explicit
* use dependabot's group support for k8s.io dependencies
* doc:Executing helm rollback release 0 will roll back to the previous release
* Use labels instead of selectorLabels for pod labels
* fix(helm): fix GetPodLogs, the hooks should be sorted before get the logs of each hook
* chore: HTTPGetter add default timeout
* Avoid nil dereference if passing a nil resolver
* Add required changes after merge
* Fix #3352, add support for --ignore-not-found just like kubectl delete
* Fix helm may identify achieve of the application/x-gzip as application/vnd.ms-fontobject
* Restore `helm get metadata` command
* Revert 'Add `helm get metadata` command'
* test: replace `ensure.TempDir` with `t.TempDir`
* use json api url + report curl/wget error on fail
* Added error in case try to supply custom label with name of system label during install/upgrade
* fix(main): fix basic auth for helm pull or push
* cmd: support generating index in JSON format
* repo: detect JSON and unmarshal efficiently
* Tweaking new dry-run internal handling
* bump kubernetes modules to v0.27.3
* Remove warning for template directory not found.
* Added tests for created OCI annotation time format
* Add created OCI annotation
* Fix multiple bugs in values handling
* chore: fix a typo in `manager.go`
* add GetRegistryClient method
* oci: add tests for plain HTTP and insecure HTTPS registries
* oci: Add flag `--plain-http` to enable working with HTTP registries
* docs: add an example for using the upgrade command with existing values
* Replace `fmt.Fprintf` with `fmt.Fprint` in get_metadata.go
* Replace `fmt.Fprintln` with `fmt.Fprintf` in get_metadata.go
* update kubernetes dependencies from v0.27.0 to v0.27.1
* Add ClientOptResolver to test util file
* Check that missing keys are still handled in tpl
* tests: change crd golden file to match after #11870
* Adding details on the Factory interface
* update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart
* feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster to be able to render lookup functions. Closes #8137
* bugfix:(#11391) helm lint infinite loop when malformed template object
* pkg/engine: fix nil-dereference
* pkg/chartutil: fix nil-dereference
* pkg/action: fix nil-dereference
* full source path when output-dir is not provided
* added Contributing.md section and ref link in the README
* feat(helm): add ability for --dry-run to do lookup functions When a helm command is run with the --dry-run flag, it will try to connect to the cluster if the value is 'server' to be able to render lookup functions. Closes #8137
* feat(helm): add ability for --dry-run to do lookup functions
* Add `CHART`, `VERSION` and `APP_VERSION` fields to `get all` command output
* Adjust `get` command description to account metadata
* add volumes and volumeMounts in chartutil
* Seed a default switch to control `automountServiceAccountToken`
* Avoid confusing error when passing in '--version X.Y.Z'
* Add `helm get metadata` command
* Use wrapped error so that ErrNoObjectsVisited can be compared after return.
* Add exact version test.
* strict file permissions of repository.yaml
* Check redefinition of define and include in tpl
* Check that `.Template` is passed through `tpl`
* Make sure empty `tpl` values render empty.
* Pick the test improvement out of PR#8371
* #11369 Use the correct index repo cache directory in the `parallelRepoUpdate` method as well
* #11369 Add a test case to prove the bug and its resolution
* ref(helm): export DescriptorPullSummary fields
* feat(helm): add 'ClientOptResolver' ClientOption
* Fix flaky TestSQLCreate test by making sqlmock ignore order of sql requests
* Fixing tests after adding labels to release fixture
* Make default release fixture contain custom labels to make tests check that labels are not lost
* Added support for storing custom labels in SQL storage driver
* Adding support merging new custom labels with original release labels during upgrade
* Added note to install/upgrade commands that original release labels wouldn't be persisted in upgraded release
* Added unit tests for implemented install/upgrade labels logic
* Remove redudant types from util_test.go
* Added tests for newly introduced util.go functions
* Fix broken tests for SQL storage driver
* Fix broken tests for configmap and secret storage drivers
* Make superseded releases keep labels
* Support configmap storage driver for install/upgrade actions
--labels argument
* Added upgrade --install labels argument support
* Add labels support for install action with secret storage backend
* test: added tests to load plugin from home dir with space
* fix: plugin does not load when helm base dir contains space
* Add priority class to kind sorter
* Fixes #10566
* test(search): add mixedCase test case
* fix(search): print repo search result in original case
* Adjust error message wrongly claiming that there is a resource conflict
* Throw an error from jobReady() if the job exceeds its BackoffLimit
* github: add Asset Transparency action for GitHub releases
Update to version 3.12.3:
* bump kubernetes modules to v0.27.3
* Add priority class to kind sorter
Update to version 3.12.2:
* add GetRegistryClient method
Update to version 3.12.1:
* bugfix:(#11391) helm lint infinite loop when malformed template object
* update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart
* test(search): add mixedCase test case
* fix(search): print repo search result in original case
* strict file permissions of repository.yaml
* update kubernetes dependencies from v0.27.0 to v0.27.1
Update to version 3.12.0:
* Attach annotations to OCI artifacts
* Fix goroutine leak in action install
* fix quiet lint does not fail on non-linting errors
* create failing test for quietly linting a chart that doesn't exist
* Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774)
* fix: failed testcase on windows
* Fix 32bit-x86 typo in testsuite
* Handle failed DNS case for Go 1.20+
* Updating the Go version in go.mod
* Fix goroutine leak in perform
* Properly invalidate client after CRD install
* Provide a helper to set the registryClient in cmd
* Reimplemented change in httpgetter for insecure TLS option
* Added insecure option to login subcommand
* Added support for insecure OCI registries
* Enable custom certificates option for OCI
* Add testing to default and release branches
* Remove job dependency. Should have done when I moved job to new file
* Remove check to run only in helm org
* Add why comments
* Convert remaining CircleCI config to GitHub Actions
* Changed how the setup-go action sets go version
* chore:Use http constants as http.request parameters
* update k8s registry domain
* don't mark issues as stale where a PR is in progress
* Update to func handling
* Add option to support cascade deletion options
* the linter varcheck and deadcode are deprecated (since v1.49.0)
* Check status code before retrying request
* Fix improper use of Table request/response to k8s API
* fix template --output-dir issue
* Add protection for stack-overflows for nested keys
* feature(helm): add --set-literal flag for literal string interpretation
Update to version 3.11.3:
* Fix goroutine leak in perform
* Fix goroutine leak in action install
* Fix 32bit-x86 typo in testsuite
* Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774)
- avoid CGO to workaround missing gold dependency (bsc#1183043)
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected helm, helm-bash-completion, helm-fish-completion and / or helm-zsh-completion packages.
Plugin Details
File Name: suse_SU-2023-4124-1.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:helm, p-cpe:/a:novell:suse_linux:helm-zsh-completion, p-cpe:/a:novell:suse_linux:helm-fish-completion, p-cpe:/a:novell:suse_linux:helm-bash-completion, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 10/19/2023
Vulnerability Publication Date: 2/15/2023