Security update for helm
| Announcement ID: | SUSE-SU-2026:21434-1 |
|---|---|
| Release Date: | 2026-04-30T13:26:15Z |
| Rating: | moderate |
| References: | |
| Cross-References: | |
| CVSS scores: |
|
| Affected Products: |
|
An update that solves two vulnerabilities can now be installed.
Description:
This update for helm fixes the following issues:
Update to version 3.20.2.
Security issued fixed:
- CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
- CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to expected output directory suffixed by the Chart's name (bsc#1261938).
Other updates and bugfixes:
- Version 3.20.1:
- chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
- add image index test 90e1056 (Pedro Tôrres)
- fix pulling charts from OCI indices 911f2e9 (Pedro Tôrres)
- Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
- Fix import 45c12f7 (Evans Mungai)
- Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
- Fix lint warning 09f5129 (Evans Mungai)
- Preserve nil values in chart already 417deb2 (Evans Mungai)
- fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)
- Version 3.20.0:
- SDK: bump k8s API versions to v0.35.0
- v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564
- v3 backport: Bump Go version to v1.25
- bump version to v3.20
- chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
- chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
- chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
- chore(deps): bump the k8s-io group with 7 updates
- [dev-v3] Replace deprecated
NewSimpleClientset - [dev-v3] Bump Go v1.25,
golangci-lintv2 - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
- chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
- fix(rollback):
errors.Isinstead of string comp - fix(uninstall): supersede deployed releases
- Use latest patch release of Go in releases
- chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
- chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
- chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
- chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
- chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
- chore(deps): bump github.com/cyphar/filepath-securejoin
- chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
- chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
- Remove dev-v3
helm-latest-versionpublish - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29
- Revert "pkg/registry: Login option for passing TLS config in memory"
- jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
- Fix
helm pulluntar dir check with repo urls - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
- chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
- [backport] fix: get-helm-3 script use helm3-latest-version
- pkg/registry: Login option for passing TLS config in memory
- Fix deprecation warning
- chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
- chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
- Avoid "panic: interface conversion: interface {} is nil"
- bump version to v3.19.0
- chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
- fix: set repo authorizer in registry.Client.Resolve()
- fix null merge
- Add timeout flag to repo add and update flags
- Version 3.19.5:
- Fixed bug where removing subchart value via override resulted in warning #31118
- Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556
- fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
- fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
- fix null merge 578564e (Ben Foster)
- Version 3.19.4:
- Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
- chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
- chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
- chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
- chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
- chore(deps): bump the k8s-io group with 7 updates edb1579
- Version 3.19.3:
- Bump golang.org/x/crypto to v0.45.0
- Version 3.19.2:
- [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
SUSE Linux Enterprise Server for SAP applications 16.0
zypper in -t patch SUSE-SLES-16.0-661=1 -
SUSE Linux Enterprise Server 16.0
zypper in -t patch SUSE-SLES-16.0-661=1
Package List:
-
SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
- helm-3.20.2-160000.1.1
- helm-debuginfo-3.20.2-160000.1.1
-
SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
- helm-fish-completion-3.20.2-160000.1.1
- helm-bash-completion-3.20.2-160000.1.1
- helm-zsh-completion-3.20.2-160000.1.1
-
SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
- helm-3.20.2-160000.1.1
- helm-debuginfo-3.20.2-160000.1.1
-
SUSE Linux Enterprise Server 16.0 (noarch)
- helm-fish-completion-3.20.2-160000.1.1
- helm-bash-completion-3.20.2-160000.1.1
- helm-zsh-completion-3.20.2-160000.1.1