Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 796533 (CVE-2021-32690) - <app-admin/helm-3.6.3: Improper credential passing (CVE-2021-32690)
Summary: <app-admin/helm-3.6.3: Improper credential passing (CVE-2021-32690)
Status: RESOLVED FIXED
Alias: CVE-2021-32690
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-06-18 03:08 UTC by Sam James
Modified: 2021-08-07 21:48 UTC (History)
1 user (show)

See Also:
Package list:
app-admin/helm-3.6.3 *
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-18 03:08:41 UTC 
Description:
"Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on."
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-18 03:08:58 UTC 
Please bump to 3.6.1.
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:21:42 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:29:52 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:37:51 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 17:45:56 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:01:53 UTC Comment hidden (obsolete)
Comment 7 NATTkA bot gentoo-dev 2021-07-29 18:10:13 UTC Comment hidden (obsolete)
Comment 8 Larry the Git Cow gentoo-dev 2021-08-07 21:46:23 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9c803742080a52c10219d7488850bcc48b4b8893

commit 9c803742080a52c10219d7488850bcc48b4b8893
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-07 21:44:17 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-07 21:46:16 +0000

    app-admin/helm: remove vulnerable version
    
    Bug: https://bugs.gentoo.org/796533
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          |   83 ---
 app-admin/helm/helm-3.5.4.ebuild | 1113 --------------------------------------
 2 files changed, 1196 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3b607d1d537f24d91f9493f50d811d8464b2309e

commit 3b607d1d537f24d91f9493f50d811d8464b2309e
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2021-08-07 21:42:52 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2021-08-07 21:46:15 +0000

    app-admin/helm: stabilize 3.6.3 on amd64
    
    Bug: https://bugs.gentoo.org/796533
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/helm-3.6.3.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 9 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-08-07 21:48:28 UTC 
Thanks! No GLSA, closing