SUSE alert openSUSE-SU-2026:20655-1 (helm)
| From: | null@suse.de | |
| To: | security-announce@lists.opensuse.org | |
| Subject: | openSUSE-SU-2026:20655-1: moderate: Security update for helm | |
| Date: | Mon, 04 May 2026 15:29:28 +0200 | |
| Message-ID: | <20260504132928.201EFF79C@maintenance.suse.de> | |
| Archive-link: | Article |
openSUSE security update: security update for helm ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20655-1 Rating: moderate References: * bsc#1248093 * bsc#1261938 Cross-References: * CVE-2025-55199 * CVE-2026-35206 CVSS scores: * CVE-2025-55199 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H * CVE-2025-55199 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-35206 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L * CVE-2026-35206 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed. Description: This update for helm fixes the following issues: Update to version 3.20.2. Security issued fixed: - CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093). - CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to expected output directory suffixed by the Chart's name (bsc#1261938). Other updates and bugfixes: - Version 3.20.1: - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot]) - add image index test 90e1056 (Pedro T\xf4rres) - fix pulling charts from OCI indices 911f2e9 (Pedro T\xf4rres) - Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai) - Fix import 45c12f7 (Evans Mungai) - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai) - Fix lint warning 09f5129 (Evans Mungai) - Preserve nil values in chart already 417deb2 (Evans Mungai) - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai) - Version 3.20.0: - SDK: bump k8s API versions to v0.35.0 - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564 - v3 backport: Bump Go version to v1.25 - bump version to v3.20 - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0 - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0 - chore(deps): bump the k8s-io group with 7 updates - [dev-v3] Replace deprecated `NewSimpleClientset` - [dev-v3] Bump Go v1.25, `golangci-lint` v2 - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30 - fix(rollback): `errors.Is` instead of string comp - fix(uninstall): supersede deployed releases - Use latest patch release of Go in releases - chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0 - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0 - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1 - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 - chore(deps): bump github.com/cyphar/filepath-securejoin - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0 - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 - Remove dev-v3 `helm-latest-version` publish - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29 - Revert "pkg/registry: Login option for passing TLS config in memory" - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4 - Fix `helm pull` untar dir check with repo urls - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0 - [backport] fix: get-helm-3 script use helm3-latest-version - pkg/registry: Login option for passing TLS config in memory - Fix deprecation warning - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 - Avoid "panic: interface conversion: interface {} is nil" - bump version to v3.19.0 - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 - fix: set repo authorizer in registry.Client.Resolve() - fix null merge - Add timeout flag to repo add and update flags - Version 3.19.5: - Fixed bug where removing subchart value via override resulted in warning #31118 - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556 - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals) - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals) - fix null merge 578564e (Ben Foster) - Version 3.19.4: - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina) - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot]) - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1 - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot]) - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot]) - chore(deps): bump the k8s-io group with 7 updates edb1579 - Version 3.19.3: - Bump golang.org/x/crypto to v0.45.0 - Version 3.19.2: - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins) Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-661=1 Package List: - openSUSE Leap 16.0: helm-3.20.2-160000.1.1 helm-bash-completion-3.20.2-160000.1.1 helm-fish-completion-3.20.2-160000.1.1 helm-zsh-completion-3.20.2-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2025-55199.html * https://www.suse.com/security/cve/CVE-2026-35206.html