Security update for helm
| Announcement ID: | SUSE-SU-2026:20685-1 |
|---|---|
| Release Date: | 2026-03-05T14:24:28Z |
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves two vulnerabilities can now be installed.
Description:
This update for helm fixes the following issues:
- Update to version 3.19.1:
- CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with quadratic complexity when parsing HTML documents (bsc#1251442)
- CVE-2025-58190: golang.org/x/net/html: Fixed xcessive memory
consumption by
html.ParseFragmentwhen processing specially crafted input (bsc#1251649) - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
- Avoid "panic: interface conversion: interface {} is nil"
- Fix
helm pulluntar dir check with repo urls - Fix deprecation warning
-
Add timeout flag to repo add and update flags
-
Update to version 3.19.0:
- bump version to v3.19.0
- fix: use username and password if provided
- fix(helm-lint): fmt
- fix(helm-lint): Add TLSClientConfig
- fix(helm-lint): Add HTTP/HTTPS URL support for json schema references
- chore(deps): bump the k8s-io group with 7 updates
- fix: go mod tidy for v3
- fix Chart.yaml handling
- Handle messy index files
- json schema fix
- fix: k8s version parsing to match original
- Do not explicitly set SNI in HTTPGetter
- Disabling linter due to unknown issue
- Updating link handling
- fix: user username password for login
- Update pkg/registry/transport.go
- fix: add debug logging to oci transport
- fix: legacy docker support broken for login
- fix: plugin installer test with no Internet
- Handle an empty registry config file.
- Prevent fetching newReference again as we have in calling method
- Prevent failure when resolving version tags in oras memory store
- fix(client): skipnode utilization for PreCopy
- test: Skip instead of returning early. looks more intentional
- test: tests repo stripping functionality
- test: include tests for Login based on different protocol prefixes
- fix(client): layers now returns manifest - remove duplicate from descriptors
- fix(client): return nil on non-allowed media types
- Fix 3.18.0 regression: registry login with scheme
- Update pkg/plugin/plugin.go
- Wait for Helm v4 before raising when platformCommand and Command are set
- Revert "fix (helm) : toToml` renders int as float [ backport to v3 ]"
- build(deps): bump the k8s-io group with 7 updates
- chore: update generalization warning message
- fix: move warning to top of block
- fix: govulncheck workflow
- fix: replace fmt warning with slog
- fix: add warning when ignore repo flag
-
feat: add httproute from gateway-api to create chart template
-
Update to version 3.18.6:
- fix(helm-lint): fmt
- fix(helm-lint): Add TLSClientConfig
-
fix(helm-lint): Add HTTP/HTTPS URL support for json schema references
-
Update to version 3.18.5:
- fix Chart.yaml handling 7799b48 (Matt Farina)
- Handle messy index files dd8502f (Matt Farina)
-
json schema fix cb8595b (Robert Sirchia)
-
Fix shell completion dependencies
- Add BuildRequires to prevent inclusion of folders owned by shells.
-
Add Requires because installing completions without appropriate shell is questionable.
-
Fix zsh completion location
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Micro 6.2
zypper in -t patch SUSE-SL-Micro-6.2-360=1
Package List:
-
SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
- helm-3.19.1-160000.1.1
- helm-debuginfo-3.19.1-160000.1.1
-
SUSE Linux Micro 6.2 (noarch)
- helm-bash-completion-3.19.1-160000.1.1