SUSE alert SUSE-SU-2026:21461-1 (helm)
| From: | SLE-SECURITY-UPDATES <null@suse.de> | |
| To: | sle-security-updates@lists.suse.com | |
| Subject: | SUSE-SU-2026:21461-1: moderate: Security update for helm | |
| Date: | Mon, 04 May 2026 08:33:36 -0000 | |
| Message-ID: | <177788361618.1375.10581225933022793429@dde0e951fc7e> |
# Security update for helm Announcement ID: SUSE-SU-2026:21461-1 Release Date: 2026-04-30T13:26:15Z Rating: moderate References: * bsc#1248093 * bsc#1261938 Cross-References: * CVE-2025-55199 * CVE-2026-35206 CVSS scores: * CVE-2025-55199 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-55199 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-55199 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2026-35206 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-35206 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L * CVE-2026-35206 ( NVD ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X * CVE-2026-35206 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L Affected Products: * SUSE Linux Micro 6.2 An update that solves two vulnerabilities can now be installed. ## Description: This update for helm fixes the following issues: Update to version 3.20.2. Security issued fixed: * CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093). * CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to expected output directory suffixed by the Chart's name (bsc#1261938). Other updates and bugfixes: * Version 3.20.1: * chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot]) * add image index test 90e1056 (Pedro Tôrres) * fix pulling charts from OCI indices 911f2e9 (Pedro Tôrres) * Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai) * Fix import 45c12f7 (Evans Mungai) * Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai) * Fix lint warning 09f5129 (Evans Mungai) * Preserve nil values in chart already 417deb2 (Evans Mungai) * fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai) * Version 3.20.0: * SDK: bump k8s API versions to v0.35.0 * v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564 * v3 backport: Bump Go version to v1.25 * bump version to v3.20 * chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0 * chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 * chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0 * chore(deps): bump the k8s-io group with 7 updates * [dev-v3] Replace deprecated `NewSimpleClientset` * [dev-v3] Bump Go v1.25, `golangci-lint` v2 * chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 * chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30 * fix(rollback): `errors.Is` instead of string comp * fix(uninstall): supersede deployed releases * Use latest patch release of Go in releases * chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0 * chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0 * chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 * chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 * chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1 * chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 * chore(deps): bump github.com/cyphar/filepath-securejoin * chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0 * chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 * Remove dev-v3 `helm-latest-version` publish * chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29 * Revert "pkg/registry: Login option for passing TLS config in memory" * jsonschema: warn and ignore unresolved URN $ref to match v3.18.4 * Fix `helm pull` untar dir check with repo urls * chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 * chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 * chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0 * [backport] fix: get-helm-3 script use helm3-latest-version * pkg/registry: Login option for passing TLS config in memory * Fix deprecation warning * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 * chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 * Avoid "panic: interface conversion: interface {} is nil" * bump version to v3.19.0 * chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 * fix: set repo authorizer in registry.Client.Resolve() * fix null merge * Add timeout flag to repo add and update flags * Version 3.19.5: * Fixed bug where removing subchart value via override resulted in warning #31118 * Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556 * fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals) * fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals) * fix null merge 578564e (Ben Foster) * Version 3.19.4: * Use latest patch release of Go in releases 7cfb6e4 (Matt Farina) * chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot]) * chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1 * chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot]) * chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot]) * chore(deps): bump the k8s-io group with 7 updates edb1579 * Version 3.19.3: * Bump golang.org/x/crypto to v0.45.0 * Version 3.19.2: * [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Micro 6.2 zypper in -t patch SUSE-SL-Micro-6.2-661=1 ## Package List: * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64) * helm-3.20.2-160000.1.1 * helm-debuginfo-3.20.2-160000.1.1 * SUSE Linux Micro 6.2 (noarch) * helm-bash-completion-3.20.2-160000.1.1 ## References: * https://www.suse.com/security/cve/CVE-2025-55199.html * https://www.suse.com/security/cve/CVE-2026-35206.html * https://bugzilla.suse.com/show_bug.cgi?id=1248093 * https://bugzilla.suse.com/show_bug.cgi?id=1261938
Attachment: None (type=text/html)
(HTML attachment elided)