Security update for helm

Announcement ID:	SUSE-SU-2025:02121-1
Release Date:	2025-06-26T08:34:33Z
Rating:	important
References:	bsc#1241802
Cross-References:	CVE-2025-22872
CVSS scores:	CVE-2025-22872 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L CVE-2025-22872 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVE-2025-22872 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Affected Products:	Containers Module 15-SP6 Containers Module 15-SP7 openSUSE Leap 15.6 SUSE Linux Enterprise Desktop 15 SP6 SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise Micro 5.5 SUSE Linux Enterprise Real Time 15 SP6 SUSE Linux Enterprise Real Time 15 SP7 SUSE Linux Enterprise Server 15 SP6 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP6 SUSE Linux Enterprise Server for SAP Applications 15 SP7 SUSE Package Hub 15 15-SP6 SUSE Package Hub 15 15-SP7

An update that solves one vulnerability can now be installed.

Description:

This update for helm fixes the following issues:

Update to version 3.18.3:

build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0 6838ebc (dependabot[bot])
fix: user username password for login 5b9e2f6 (Terry Howe)
Update pkg/registry/transport.go 2782412 (Terry Howe)
Update pkg/registry/transport.go e66cf6a (Terry Howe)
fix: add debug logging to oci transport 191f05c (Terry Howe)

Update to version 3.18.2:

fix: legacy docker support broken for login 04cad46 (Terry Howe)
Handle an empty registry config file. bc9f8a2 (Matt Farina)

Update to version 3.18.1:

Notes:
- This release fixes regressions around template generation and OCI registry interaction in 3.18.0
- There are at least 2 known regressions unaddressed in this release. They are being worked on.
- Empty registry configuration files. When the file exists but it is empty.
- Login to Docker Hub on some domains fails.
Changelog
- fix(client): skipnode utilization for PreCopy
- fix(client): layers now returns manifest - remove duplicate from descriptors
- fix(client): return nil on non-allowed media types
- Prevent fetching newReference again as we have in calling method
- Prevent failure when resolving version tags in oras memory store
- Update pkg/plugin/plugin.go
- Update pkg/plugin/plugin.go
- Wait for Helm v4 before raising when platformCommand and Command are set
- Fix 3.18.0 regression: registry login with scheme
- Revert "fix (helm) : toToml` renders int as float [ backport to v3 ]"

Update to version 3.18.0 (bsc#1241802, CVE-2025-22872):

Notable Changes
- Add support for JSON Schema 2020
- Enabled cpu and memory profiling
- Add hook annotation to output hook logs to client on error
Changelog
- build(deps): bump the k8s-io group with 7 updates
- fix: govulncheck workflow
- bump version to v3.18.0
- fix:add proxy support when mTLS configured
- docs: Note about http fallback for OCI registries
- Bump net package to avoid CVE on dev-v3
- Bump toml
- backport #30677to dev3
- build(deps): bump github.com/rubenv/sql-migrate from 1.7.2 to 1.8.0
- Add install test for TakeOwnership flag
- Fix --take-ownership
- build(deps): bump github.com/rubenv/sql-migrate from 1.7.1 to 1.7.2
- build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0
- build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0
- Testing text bump
- Permit more Go version and not only 1.23.8
- Bumps github.com/distribution/distribution/v3 from 3.0.0-rc.3 to 3.0.0
- Unarchiving fix
- Fix typo
- Report as debug log, the time spent waiting for resources
- build(deps): bump github.com/containerd/containerd from 1.7.26 to 1.7.27
- Update pkg/registry/fallback.go
- automatic fallback to http
- chore(oci): upgrade to ORAS v2
- Updating to 0.37.0 for x/net
- build(deps): bump the k8s-io group with 7 updates
- build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0
- build(deps): bump github.com/opencontainers/image-spec
- build(deps): bump github.com/containerd/containerd from 1.7.25 to 1.7.26
- build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0
- Fix cherry-pick helm.sh/helm/v4 -> helm.sh/helm/v3
- Add HookOutputFunc and generic yaml unmarshaller
- clarify fix error message
- fix err check
- add short circuit return
- Add hook annotations to output pod logs to client on success and fail
- chore: use []error instead of []string
- Update cmd/helm/profiling.go
- chore: update profiling doc in CONTRIBUTING.md
- Update CONTRIBUTING guide
- Prefer environment variables to CLI flags
- Move pprof paths to HELM_PPROF env variable
- feat: Add flags to enable CPU and memory profiling
- build(deps): bump github.com/distribution/distribution/v3
- build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
- Moving to SetOut and SetErr for Cobra
- build(deps): bump the k8s-io group with 7 updates
- build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0
- build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0
- build(deps): bump golang.org/x/text from 0.21.0 to 0.22.0
- build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
- build(deps): bump github.com/cyphar/filepath-securejoin
- build(deps): bump github.com/evanphx/json-patch
- build(deps): bump the k8s-io group with 7 updates
- fix: check group for resource info match
- Bump github.com/cyphar/filepath-securejoin from 0.3.6 to 0.4.0
- add test for nullifying nested global value
- Ensuring the file paths are clean prior to passing to securejoin
- Bump github.com/containerd/containerd from 1.7.24 to 1.7.25
- Bump golang.org/x/crypto from 0.31.0 to 0.32.0
- Bump golang.org/x/term from 0.27.0 to 0.28.0
- bump version to v3.17.0
- Bump github.com/moby/term from 0.5.0 to 0.5.2
- Add test case for removing an entire object
- Tests for bugfix: Override subcharts with null values #12879
- feat: Added multi-platform plugin hook support to v3
- This commit fixes the issue where the yaml.Unmarshaller converts all int values into float64, this passes in option to decoder, which enables conversion of int into .
- merge null child chart objects

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-2121=1
SUSE Linux Enterprise Micro 5.5
zypper in -t patch SUSE-SLE-Micro-5.5-2025-2121=1
Containers Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Containers-15-SP6-2025-2121=1
Containers Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Containers-15-SP7-2025-2121=1
SUSE Package Hub 15 15-SP6
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2025-2121=1
SUSE Package Hub 15 15-SP7
zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP7-2025-2121=1

Package List:

openSUSE Leap 15.6 (aarch64 ppc64le s390x x86_64)
- helm-3.18.3-150000.1.50.1
- helm-debuginfo-3.18.3-150000.1.50.1
openSUSE Leap 15.6 (noarch)
- helm-fish-completion-3.18.3-150000.1.50.1
- helm-bash-completion-3.18.3-150000.1.50.1
- helm-zsh-completion-3.18.3-150000.1.50.1
SUSE Linux Enterprise Micro 5.5 (aarch64 ppc64le s390x x86_64)
- helm-3.18.3-150000.1.50.1
- helm-debuginfo-3.18.3-150000.1.50.1
SUSE Linux Enterprise Micro 5.5 (noarch)
- helm-bash-completion-3.18.3-150000.1.50.1
Containers Module 15-SP6 (aarch64 ppc64le s390x x86_64)
- helm-3.18.3-150000.1.50.1
- helm-debuginfo-3.18.3-150000.1.50.1
Containers Module 15-SP6 (noarch)
- helm-zsh-completion-3.18.3-150000.1.50.1
- helm-bash-completion-3.18.3-150000.1.50.1
Containers Module 15-SP7 (aarch64 ppc64le s390x x86_64)
- helm-3.18.3-150000.1.50.1
- helm-debuginfo-3.18.3-150000.1.50.1
Containers Module 15-SP7 (noarch)
- helm-zsh-completion-3.18.3-150000.1.50.1
- helm-bash-completion-3.18.3-150000.1.50.1
SUSE Package Hub 15 15-SP6 (noarch)
- helm-fish-completion-3.18.3-150000.1.50.1
SUSE Package Hub 15 15-SP7 (noarch)
- helm-fish-completion-3.18.3-150000.1.50.1

Security update for helm

Description:

Patch Instructions:

Package List:

References: