
Upgrade golang.org/x/net to v0.33.0 to address CVE-2024-45338#13581

Merged
mattfarina merged 1 commit into helm:main from ldlb9527:fix-cve on Dec 31, 2024

Conversation

@ldlb9527
Contributor

fixed: #13551

fixed: helm#13551

Signed-off-by: cx <1249843194@qq.com>
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Dec 29, 2024
@nikvin15

Thanks for the work. Is there any timeframe we are looking to release this PR?

@mattfarina
Collaborator

You should see this in the upcoming v3.17.0 release in mid January.

Helm does not directly use the package with the issue. But, it is a transitive dependency of the spdy transport layer for client-go (which Helm uses). If I understand it right, for this to be exploited Helm would need to connect to a compromised Kubernetes API server and the result would be Helm operating more slowly. The exploit, in general, enables DDoS attacks which could impact software built on the Helm SDK. Though, if your API server is compromised then Helm being slow is likely a lower priority issue.
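A check a consumer of the Helm SDK (or any client-go user) can run against their own go.mod, added here as an example and not Helm's code: it finds the golang.org/x/net requirement, reports whether Go marked it indirect (as it is for Helm via client-go), and flags it while it is still below the v0.33.0 this PR moves to. The go.mod text is constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed go.mod excerpt used as sample input (not Helm's real go.mod).
const sampleGoMod = `module example.com/app
require (
	k8s.io/client-go v0.31.0
	golang.org/x/net v0.30.0 // indirect
)`

// FixedXNet is the golang.org/x/net version this PR moves to for CVE-2024-45338.
const FixedXNet = "v0.33.0"

// semver parses "vMAJOR.MINOR.PATCH"; a pseudo-version or pre-release suffix after PATCH is ignored.
func semver(v string) (n [3]int, ok bool) {
	c, err := fmt.Sscanf(v, "v%d.%d.%d", &n[0], &n[1], &n[2])
	return n, err == nil && c == 3
}

// Older reports whether version a sorts before b; malformed input counts as older, so it is flagged.
func Older(a, b string) bool {
	x, ok1 := semver(a)
	y, ok2 := semver(b)
	for i := 0; ok1 && ok2 && i < 3; i++ {
		if x[i] != y[i] {
			return x[i] < y[i]
		}
	}
	return !ok1 || !ok2
}

// RequiredVersion finds modPath in go.mod text (block or one-line require) and reports its version and "// indirect" status.
func RequiredVersion(goMod, modPath string) (version string, indirect, found bool) {
	for _, line := range strings.Split(goMod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && f[0] == modPath {
			return f[1], strings.Contains(line, "// indirect"), true
		}
	}
	return "", false, false
}

// VulnerableXNet reports whether goMod still pins golang.org/x/net below FixedXNet.
func VulnerableXNet(goMod string) bool {
	ver, _, found := RequiredVersion(goMod, "golang.org/x/net")
	return found && Older(ver, FixedXNet)
}
```

`go list -m golang.org/x/net` in the module directory gives the version Go actually selects and is the authoritative check; this parser is for scanning many repositories' go.mod files offline.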

@mattfarina mattfarina added the Needs v3 backport Label PRs for v4/main, which are still applicable to v3 so need a separate backport PR label Dec 31, 2024
@mattfarina mattfarina merged commit 0e03571 into helm:main Dec 31, 2024
@mattfarina mattfarina added v3 port complete For completed v2->v3 ports and removed Needs v3 backport Label PRs for v4/main, which are still applicable to v3 so need a separate backport PR labels Jan 1, 2025
@scottrigby scottrigby added the dependencies Pull requests that update a dependency file label Nov 6, 2025

Development

Successfully merging this pull request may close these issues.

CVE-2024-45338
