"Fuzz testing, provided by the CNCF, identified input to functions in the strvals package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the strvals package in the Helm SDK can have a Denial of Service attack when they use this package and it panics." Fix is in 3.9.4, please bump.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a2c41d36a874cba2f7adcc8f0aaa1f317c1ab6ac

commit a2c41d36a874cba2f7adcc8f0aaa1f317c1ab6ac
Author:     William Hubbs <williamh@gentoo.org>
AuthorDate: 2022-09-09 17:14:51 +0000
Commit:     William Hubbs <williamh@gentoo.org>
CommitDate: 2022-09-09 17:19:31 +0000

    app-admin/helm: add 3.9.4

    Bug: https://bugs.gentoo.org/866401
    Signed-off-by: William Hubbs <williamh@gentoo.org>

 app-admin/helm/Manifest          |  2 ++
 app-admin/helm/helm-3.9.4.ebuild | 41 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
Thanks! Please stabilize when ready.
(In reply to John Helmert III from comment #2)
> Thanks! Please stabilize when ready.

3.9.4 has been stable since September.
(In reply to Ulrich Müller from comment #3)
> (In reply to John Helmert III from comment #2)
> > Thanks! Please stabilize when ready.
>
> 3.9.4 has been stable since September.

Of course, nobody told the bug...
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c3666d2e7ea144e78d67aa7b6d00c19c3fbc95a0

commit c3666d2e7ea144e78d67aa7b6d00c19c3fbc95a0
Author:     John Helmert III <ajak@gentoo.org>
AuthorDate: 2022-11-29 23:01:14 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2022-11-29 23:09:57 +0000

    app-admin/helm: drop 3.8.1

    Bug: https://bugs.gentoo.org/866401
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 app-admin/helm/Manifest          |  2 --
 app-admin/helm/helm-3.8.1.ebuild | 41 ----------------------------------------
 2 files changed, 43 deletions(-)
Only DoS, only reachable from reverse dependencies. No GLSA.