SUSE-CU-2026:403-1: Security update of suse/kubectl
sle-container-updates at lists.suse.com
Wed Jan 28 08:18:03 UTC 2026
SUSE Container Update Advisory: suse/kubectl
-----------------------------------------------------------------
Container Advisory ID : SUSE-CU-2026:403-1
Container Tags : suse/kubectl:1.33 , suse/kubectl:1.33.7 , suse/kubectl:1.33.7-2.63.2 , suse/kubectl:oldstable , suse/kubectl:oldstable-2.63.2
Container Release : 63.2
Severity : important
Type : security
References : 1181419 1183043 1200441 1200528 1203054 1206467 1206469 1206471
1208084 1209670 1215588 1215711 1217013 1219969 1220207 1234482
1235318 1238688 1241802 1246152 1251442 1251649
CVE-2021-21272 CVE-2022-1996 CVE-2022-23524 CVE-2022-23525 CVE-2022-23526
CVE-2022-36055 CVE-2022-41723 CVE-2023-25165 CVE-2023-25173 CVE-2024-25620
CVE-2024-26147 CVE-2024-45337 CVE-2024-45338 CVE-2025-22870 CVE-2025-22872
CVE-2025-47911 CVE-2025-53547 CVE-2025-58190
-----------------------------------------------------------------
The container suse/kubectl was updated. The following patches have been included in this update:
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2022:1253-1
Released: Tue Apr 19 09:00:06 2022
Summary: Recommended update for helm
Type: recommended
Severity: moderate
References:
This update for helm delivers helm 3.8.0 to the Containers module.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:3666-1
Released: Wed Oct 19 20:44:55 2022
Summary: Security update for helm
Type: security
Severity: important
References: 1200528,1203054,CVE-2022-1996,CVE-2022-36055
This update for helm fixes the following issues:
helm was updated to version 3.9.4:
* CVE-2022-36055: Fixed denial of service through string value parsing (bsc#1203054).
* Updating the certificates used for testing
* Updating index handling
helm was updated to version 3.9.3:
- CVE-2022-1996: Updated kube-openapi to fix an issue that could result in a CORS protection bypass (bsc#1200528).
* Fix missing array length check on release
helm was updated to version 3.9.2:
* Update of the circleci image
helm was updated to version 3.9.1:
* Update to support Kubernetes 1.24.2
* Improve logging and safety of statefulSetReady
* Make token caching an opt-in feature
* Bump github.com/lib/pq from 1.10.5 to 1.10.6
* Bump github.com/Masterminds/squirrel from 1.5.2 to 1.5.3
helm was updated to version 3.9.0:
* Added a --quiet flag to helm lint
* Added a --post-renderer-args flag to support arguments being passed to the post renderer
* Added more checks during the signing process
* Updated to add Kubernetes 1.24 support
helm was updated to version 3.8.2:
* Bump oras.land/oras-go from 1.1.0 to 1.1.1
* Fixing downloader plugin error handling
* Simplify testdata charts
* Add tests for multi-level dependencies.
* Fix value precedence
* Bumping Kubernetes package versions
* Updating vcs to latest version
* Don't modify provided transport
* Pass http getter as pointer in tests
* Add docs block
* Add transport option and tests
* Reuse http transport
* Updating Kubernetes libs to 0.23.4 (latest)
* fix: remove deadcode
* fix: helm package tests
* fix: helm package with dependency update for charts with OCI dependencies
* Fix typo Unset the env var before func return in Unit Test
* add legal name check
* maint: fix syntax error in deploy.sh
* linting issue fixed
* only apply overwrite if version is canary
* overwrite flag added to az storage blob upload-batch
* Avoid querying for OCI tags when an explicit version is provided in chart dependencies
* Management of bearer tokens for tag listing
* Updating Kubernetes packages to 1.23.3
* refactor: use `os.ReadDir` for lightweight directory reading
* Add IngressClass to manifests to be (un)installed
* feat(comp): Shell completion for OCI
* Fix install memory/goroutine leak
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2022:4606-1
Released: Thu Dec 22 09:32:03 2022
Summary: Security update for helm
Type: security
Severity: moderate
References: 1181419,1206467,1206469,1206471,CVE-2021-21272,CVE-2022-1996,CVE-2022-23524,CVE-2022-23525,CVE-2022-23526
This update for helm fixes the following issues:
Update to version 3.10.3:
- CVE-2022-23524: Fixed a denial of service in the string value parsing (bsc#1206467).
- CVE-2022-23525: Fixed a denial of service with the repository index file (bsc#1206469).
- CVE-2022-23526: Fixed a denial of service in the schema file handling (bsc#1206471).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1571-1
Released: Fri Mar 24 13:45:05 2023
Summary: Security update for helm
Type: security
Severity: moderate
References: 1208084,CVE-2023-25165
This update for helm fixes the following issues:
Update to version 3.11.1 (bsc#1208084):
- CVE-2023-25165: Fixed an information disclosure problem where getHostByName injection inside a chart could leak values to a malicious DNS server.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:1901-1
Released: Tue Apr 18 15:37:23 2023
Summary: Security update for helm
Type: security
Severity: moderate
References: 1209670
This update for helm fixes the following issues:
Update to version 3.11.2:
* chore(deps): bump github.com/rubenv/sql-migrate from 1.2.0 to 1.3.1
* the linter varcheck and deadcode are deprecated (since v1.49.0)
* fix template --output-dir issue
* build against a supported go version: go1.19 (bsc#1209670)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:2179-1
Released: Thu May 11 14:13:44 2023
Summary: Security update for helm
Type: security
Severity: important
References: 1200441
This update of helm fixes the following issues:
- Rebuilt the package with the Go 1.19.9 security release (bsc#1200441).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2023:4124-1
Released: Thu Oct 19 09:32:26 2023
Summary: Security update for helm
Type: security
Severity: important
References: 1183043,1215588,1215711,CVE-2022-41723,CVE-2023-25173
This update for helm fixes the following issues:
helm was updated to version 3.13.1:
* Fixing precedence issue with the import of values.
* Add missing with clause to release gh action
* FIX Default ServiceAccount yaml
* fix(registry): unswallow error
* remove useless print during prepareUpgrade
* fix(registry): address anonymous pull issue
* Fix missing run statement on release action
* Write latest version to get.helm.sh bucket
* Increased release information key name max length.
helm was updated to version 3.13.0 (bsc#1215588):
* Fix leaking goroutines in Install
* Update Helm to use k8s 1.28.2 libraries
* make the dependabot k8s.io group explicit
* use dependabot's group support for k8s.io dependencies
* doc:Executing helm rollback release 0 will roll back to the
previous release
* Use labels instead of selectorLabels for pod labels
* fix(helm): fix GetPodLogs, the hooks should be sorted before
get the logs of each hook
* chore: HTTPGetter add default timeout
* Avoid nil dereference if passing a nil resolver
* Add required changes after merge
* Fix #3352, add support for --ignore-not-found just like kubectl
delete
* Fix helm may identify archive of the application/x-gzip as
application/vnd.ms-fontobject
* Restore `helm get metadata` command
* Revert 'Add `helm get metadata` command'
* test: replace `ensure.TempDir` with `t.TempDir`
* use json api url + report curl/wget error on fail
* Added error in case try to supply custom label with name of
system label during install/upgrade
* fix(main): fix basic auth for helm pull or push
* cmd: support generating index in JSON format
* repo: detect JSON and unmarshal efficiently
* Tweaking new dry-run internal handling
* bump kubernetes modules to v0.27.3
* Remove warning for template directory not found.
* Added tests for created OCI annotation time format
* Add created OCI annotation
* Fix multiple bugs in values handling
* chore: fix a typo in `manager.go`
* add GetRegistryClient method
* oci: add tests for plain HTTP and insecure HTTPS registries
* oci: Add flag `--plain-http` to enable working with HTTP
registries
* docs: add an example for using the upgrade command with
existing values
* Replace `fmt.Fprintf` with `fmt.Fprint` in get_metadata.go
* Replace `fmt.Fprintln` with `fmt.Fprintf` in get_metadata.go
* update kubernetes dependencies from v0.27.0 to v0.27.1
* Add ClientOptResolver to test util file
* Check that missing keys are still handled in tpl
* tests: change crd golden file to match after #11870
* Adding details on the Factory interface
* update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart
* feat(helm): add ability for --dry-run to do lookup functions
When a helm command is run with the --dry-run flag, it will try
to connect to the cluster to be able to render lookup
functions. Closes #8137
* bugfix:(#11391) helm lint infinite loop when malformed
template object
* pkg/engine: fix nil-dereference
* pkg/chartutil: fix nil-dereference
* pkg/action: fix nil-dereference
* full source path when output-dir is not provided
* added Contributing.md section and ref link in the README
* feat(helm): add ability for --dry-run to do lookup functions
When a helm command is run with the --dry-run flag, it will try
to connect to the cluster if the value is 'server' to be able
to render lookup functions. Closes #8137
* feat(helm): add ability for --dry-run to do lookup functions
* Add `CHART`, `VERSION` and `APP_VERSION` fields to `get all`
command output
* Adjust `get` command description to account metadata
* add volumes and volumeMounts in chartutil
* Seed a default switch to control `automountServiceAccountToken`
* Avoid confusing error when passing in '--version X.Y.Z'
* Add `helm get metadata` command
* Use wrapped error so that ErrNoObjectsVisited can be compared
after return.
* Add exact version test.
* strict file permissions of repository.yaml
* Check redefinition of define and include in tpl
* Check that `.Template` is passed through `tpl`
* Make sure empty `tpl` values render empty.
* Pick the test improvement out of PR#8371
* #11369 Use the correct index repo cache directory in the
`parallelRepoUpdate` method as well
* #11369 Add a test case to prove the bug and its resolution
* ref(helm): export DescriptorPullSummary fields
* feat(helm): add 'ClientOptResolver' ClientOption
* Fix flaky TestSQLCreate test by making sqlmock ignore order of
sql requests
* Fixing tests after adding labels to release fixture
* Make default release fixture contain custom labels to make
tests check that labels are not lost
* Added support for storing custom labels in SQL storage driver
* Adding support merging new custom labels with original release
labels during upgrade
* Added note to install/upgrade commands that original release
labels wouldn't be persisted in upgraded release
* Added unit tests for implemented install/upgrade labels logic
* Remove redundant types from util_test.go
* Added tests for newly introduced util.go functions
* Fix broken tests for SQL storage driver
* Fix broken tests for configmap and secret storage drivers
* Make superseded releases keep labels
* Support configmap storage driver for install/upgrade actions
--labels argument
* Added upgrade --install labels argument support
* Add labels support for install action with secret storage
backend
* test: added tests to load plugin from home dir with space
* fix: plugin does not load when helm base dir contains space
* Add priority class to kind sorter
* Fixes #10566
* test(search): add mixedCase test case
* fix(search): print repo search result in original case
* Adjust error message wrongly claiming that there is a resource
conflict
* Throw an error from jobReady() if the job exceeds its
BackoffLimit
* github: add Asset Transparency action for GitHub releases
Update to version 3.12.3:
* bump kubernetes modules to v0.27.3
* Add priority class to kind sorter
Update to version 3.12.2:
* add GetRegistryClient method
Update to version 3.12.1:
* bugfix:(#11391) helm lint infinite loop when malformed
template object
* update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart
* test(search): add mixedCase test case
* fix(search): print repo search result in original case
* strict file permissions of repository.yaml
* update kubernetes dependencies from v0.27.0 to v0.27.1
Update to version 3.12.0:
* Attach annotations to OCI artifacts
* Fix goroutine leak in action install
* fix quiet lint does not fail on non-linting errors
* create failing test for quietly linting a chart that doesn't
exist
* Fixes Readiness Check for statefulsets using partitioned
rolling update. (#11774)
* fix: failed testcase on windows
* Fix 32bit-x86 typo in testsuite
* Handle failed DNS case for Go 1.20+
* Updating the Go version in go.mod
* Fix goroutine leak in perform
* Properly invalidate client after CRD install
* Provide a helper to set the registryClient in cmd
* Reimplemented change in httpgetter for insecure TLS option
* Added insecure option to login subcommand
* Added support for insecure OCI registries
* Enable custom certificates option for OCI
* Add testing to default and release branches
* Remove job dependency. Should have done when I moved job to new
file
* Remove check to run only in helm org
* Add why comments
* Convert remaining CircleCI config to GitHub Actions
* Changed how the setup-go action sets go version
* chore:Use http constants as http.request parameters
* update k8s registry domain
* don't mark issues as stale where a PR is in progress
* Update to func handling
* Add option to support cascade deletion options
* the linter varcheck and deadcode are deprecated (since v1.49.0)
* Check status code before retrying request
* Fix improper use of Table request/response to k8s API
* fix template --output-dir issue
* Add protection for stack-overflows for nested keys
* feature(helm): add --set-literal flag for literal string
interpretation
Update to version 3.11.3:
* Fix goroutine leak in perform
* Fix goroutine leak in action install
* Fix 32bit-x86 typo in testsuite
* Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774)
- Avoid CGO to work around the missing gold dependency (bsc#1183043)
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2023:4509-1
Released: Tue Nov 21 13:36:00 2023
Summary: Recommended update for helm
Type: recommended
Severity: important
References: 1217013
This update for helm fixes the following issues:
- Update to version 3.13.2 (bsc#1217013)
- Fixes a regression when helm can't be pulled anonymously from registries. (bsc#1217013)
- Allow using label selectors for system labels for sql backend.
- Allow using label selectors for system labels for secrets and
configmap backends.
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2024:1137-1
Released: Mon Apr 8 11:30:49 2024
Summary: Security update for helm
Type: security
Severity: moderate
References: 1219969,1220207,CVE-2024-25620,CVE-2024-26147
This update for helm fixes the following issues:
- CVE-2024-25620: Fixed a path traversal in dependency management (bsc#1219969).
- CVE-2024-26147: Fixed uninitialized variable in yaml parsing (bsc#1220207).
-----------------------------------------------------------------
Advisory ID: SUSE-RU-2024:4213-1
Released: Thu Dec 5 17:05:37 2024
Summary: Recommended update for helm
Type: recommended
Severity: moderate
References: 1219969,1220207,CVE-2024-25620,CVE-2024-26147
helm was updated to fix the following issues:
Update to version 3.16.3:
* fix: fix label name
* Fix typo in pkg/lint/rules/chartfile_test.go
* Increasing the size of the runner used for releases.
* fix(hooks): correct hooks delete order
* Bump github.com/containerd/containerd from 1.7.12 to 1.7.23
Update to version 3.16.2:
* Reverting change unrelated to issue #13176
* adds tests for handling of Helm index with broken chart
versions #13176
* improves handling of Helm index with broken helm chart versions
#13176
* Bump the k8s-io group with 7 updates
* adding check-latest:true
* Grammar fixes
* Fix typos
Update to version 3.16.1:
* bumping version to 1.22.7
* Merge pull request #13327 from mattfarina/revert-11726
Update to version 3.16.0:
Helm v3.16.0 is a feature release. Users are encouraged to
upgrade for the best experience.
* Notable Changes
- added sha512sum template function
- added ActiveHelp for cmds that don't take any more args
- drops very old Kubernetes versions support in helm create
- add --skip-schema-validation flag to helm 'install',
'upgrade' and 'lint'
- fixed bug to now use burst limit setting for discovery
- Added windows arm64 support
* Full changelog see
https://github.com/helm/helm/releases/tag/v3.16.0
Update to version 3.15.4:
* Bump the k8s-io group across 1 directory with 7 updates
* Bump github.com/docker/docker
-------------------------------------------------------------------
Thu Jul 11 05:39:32 UTC 2024 - opensuse_buildservice at ojkastl.de
- Update to version 3.15.3:
* fix(helm): Use burst limit setting for discovery
* fixed dependency_update_test.go
* fix(dependencyBuild): prevent race condition in concurrent helm
dependency
* fix: respect proxy envvars on helm install/upgrade
* Merge pull request #13085 from
alex-kattathra-johnson/issue-12961
Update to version 3.15.2:
* fix: wrong cli description
* fix typo in load_plugins.go
* fix docs of DeployedAll
* Bump github.com/docker/docker
* bump oras minor version
* feat(load.go): add warning on requirements.lock
Update to version 3.15.1:
* Fixing build issue where wrong version is used
Update to version 3.15.0:
Helm v3.15.0 is a feature release. Users are encouraged to
upgrade for the best experience.
* Updating to k8s 1.30 c4e37b3 (Matt Farina)
* bump version to v3.15.0 d7afa3b (Matt Farina)
* bump version to 7743467 (Matt Farina)
* Fix namespace on kubeconfig error 214fb6e (Calvin Krist)
* Update testdata PKI with keys that have validity until 3393
(Fixes #12880) 1b75d48 (Dirk Müller)
* Modified how created annotation is populated based on package
creation time 0a69a0d (Andrew Block)
* Enabling hide secrets on install and upgrade dry run 25c4738
(Matt Farina)
* Fixing all the linting errors d58d7b3 (Robert Sirchia)
* Add a note about --dry-run displaying secrets a23dd9e (Matt
Farina)
* Updating .gitignore 8b424ba (Robert Sirchia)
* add error messages 8d19bcb (George Jenkins)
* Fix: Ignore alias validation error for index load 68294fd
(George Jenkins)
* validation fix 8e6a514 (Matt Farina)
* bug: add proxy support for oci getter 94c1dea (Ricardo
Maraschini)
* Update architecture detection method 57a1bb8 (weidongkl)
* Improve release action 4790bb9 (George Jenkins)
* Fix grammatical error c25736c (Matt Carr)
* Updated for review comments d2cf8c6 (MichaelMorris)
* Add robustness to wait status checks fc74964 (MichaelMorris)
* refactor: create a helper for checking if a release is
uninstalled f908379 (Alex Petrov)
* fix: reinstall previously uninstalled chart with --keep-history
9e198fa (Alex Petrov)
Update to version 3.14.4:
Helm v3.14.4 is a patch release. Users are encouraged to upgrade
for the best experience.
* refactor: create a helper for checking if a release is
uninstalled 81c902a (Alex Petrov)
* fix: reinstall previously uninstalled chart with --keep-history
5a11c76 (Alex Petrov)
* bug: add proxy support for oci getter aa7d953 (Ricardo
Maraschini)
Update to version 3.14.3:
* Add a note about --dry-run displaying secrets
* add error messages
* Fix: Ignore alias validation error for index load
* Update architecture detection method
Update to version 3.14.2 (bsc#1220207, CVE-2024-26147):
* Fix for uninitialized variable in yaml parsing
Update to version 3.14.1 (bsc#1219969, CVE-2024-25620):
* validation fix
Update to version 3.14.0:
* Notable Changes
- New helm search flag of --fail-on-no-result
- Allow a nested tpl invocation access to defines
- Speed up the tpl function
- Added qps/HELM_QPS parameter that tells Kubernetes packages
how to operate
- Added --kube-version to lint command
- The ignore pkg is now public
* Changelog
- Improve release action
- Fix issues when verify generation readiness was merged
- fix test to use the default code's k8sVersionMinor
- lint: Add --kube-version flag to set capabilities and
deprecation rules
- Removing Asset Transparency
- tests(pkg/engine): test RenderWithClientProvider
- Make the `ignore` pkg public again
- feature(pkg/engine): introduce RenderWithClientProvider
- Updating Helm libraries for k8s 1.28.4
- Remove excessive logging
- Update CONTRIBUTING.md
- Fixing release labelling in rollback
- feat: move livenessProbe and readinessProbe values to default
values file
- Revert 'fix(main): fix basic auth for helm pull or push'
- Revert 'fix(registry): address anonymous pull issue'
- Update get-helm-3
- Drop filterSystemLabels usage from Query method
- Apply review suggestions
- Update get-helm-3 to get version through get.helm.sh
- feat: print failed hook name
- Fixing precedence issue with the import of values.
- chore(create): indent to spaces
- Allow using label selectors for system labels for sql
backend.
- Allow using label selectors for system labels for secrets and
configmap backends.
- remove useless print during prepareUpgrade
- Add missing with clause to release gh action
- FIX Default ServiceAccount yaml
- fix(registry): address anonymous pull issue
- fix(registry): unswallow error
- Fix missing run statement on release action
- Add qps/HELM_QPS parameter
- Write latest version to get.helm.sh bucket
- Increased release information key name max length.
- Pin gox to specific commit
- Remove `GoFish` from package managers for installing the
binary
- Test update for 'Allow a nested `tpl` invocation access to
`defines` in a containing one'
- Test update for 'Speed up `tpl`'
- Add support for RISC-V
- lint and validate dependency metadata to reference
dependencies with a unique key (name or alias)
- Work around template.Clone omitting options
- fix: pass 'passCredentialsAll' as env-var to getter
- feat: pass basic auth to env-vars when running download
plugins
- helm search: New CLI Flag --fail-on-no-result
- Update pkg/kube/ready.go
- fix post install hook deletion due to before-hook-creation
policy
- Allow a nested `tpl` invocation access to `defines` in a
containing one
- Remove the 'reference templates' concept
- Speed up `tpl`
- ready checker- comment update
- ready checker- remove duplicate statefulset generational
check
- Verify generation in readiness checks
- feat(helm): add --reset-then-reuse-values flag to 'helm
upgrade'
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:602-1
Released: Thu Feb 20 10:15:21 2025
Summary: Security update for helm
Type: security
Severity: important
References: 1234482,1235318,CVE-2024-45337,CVE-2024-45338
This update for helm fixes the following issues:
Update to version 3.17.1:
- CVE-2024-45338: Fixed denial of service due to non-linear parsing of case-insensitive content (bsc#1235318).
- CVE-2024-45337: Fixed an authorization bypass in golang.org/x/crypto caused by misuse of ServerConfig.PublicKeyCallback (bsc#1234482).
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1007-1
Released: Tue Mar 25 09:44:39 2025
Summary: Security update for helm
Type: security
Severity: moderate
References: 1238688,CVE-2025-22870
This update for helm fixes the following issues:
- CVE-2025-22870: Fixed proxy bypass using IPv6 zone IDs (bsc#1238688).
Other fixes:
- Updated to version 3.17.2
- Updated to 0.37.0 for x/net
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:1596-1
Released: Tue May 20 09:55:02 2025
Summary: Security update for helm
Type: security
Severity: moderate
References:
This update for helm fixes the following issues:
helm was updated to version 3.17.3:
Helm v3.17.3 is a security (patch) release. Users are strongly
recommended to update to this release.
* Changelog
- Unarchiving fix e4da497 (Matt Farina)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:2121-1
Released: Thu Jun 26 10:34:05 2025
Summary: Security update for helm
Type: security
Severity: important
References: 1241802,CVE-2025-22872
This update for helm fixes the following issues:
Update to version 3.18.3:
* build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0
6838ebc (dependabot[bot])
* fix: user username password for login 5b9e2f6 (Terry Howe)
* Update pkg/registry/transport.go 2782412 (Terry Howe)
* Update pkg/registry/transport.go e66cf6a (Terry Howe)
* fix: add debug logging to oci transport 191f05c (Terry Howe)
Update to version 3.18.2:
* fix: legacy docker support broken for login 04cad46 (Terry
Howe)
* Handle an empty registry config file. bc9f8a2 (Matt Farina)
Update to version 3.18.1:
* Notes:
- This release fixes regressions around template generation and
OCI registry interaction in 3.18.0
- There are at least 2 known regressions unaddressed in this
release. They are being worked on.
- Empty registry configuration files. When the file exists
but it is empty.
- Login to Docker Hub on some domains fails.
* Changelog
- fix(client): skipnode utilization for PreCopy
- fix(client): layers now returns manifest - remove duplicate
from descriptors
- fix(client): return nil on non-allowed media types
- Prevent fetching newReference again as we have in calling
method
- Prevent failure when resolving version tags in oras memory
store
- Update pkg/plugin/plugin.go
- Update pkg/plugin/plugin.go
- Wait for Helm v4 before raising when platformCommand and
Command are set
- Fix 3.18.0 regression: registry login with scheme
- Revert 'fix(helm): `toToml` renders int as float [backport
to v3]'
Update to version 3.18.0 (bsc#1241802, CVE-2025-22872):
* Notable Changes
- Add support for JSON Schema 2020
- Enabled cpu and memory profiling
- Add hook annotation to output hook logs to client on error
* Changelog
- build(deps): bump the k8s-io group with 7 updates
- fix: govulncheck workflow
- bump version to v3.18.0
- fix:add proxy support when mTLS configured
- docs: Note about http fallback for OCI registries
- Bump net package to avoid CVE on dev-v3
- Bump toml
- backport #30677 to dev3
- build(deps): bump github.com/rubenv/sql-migrate from 1.7.2 to
1.8.0
- Add install test for TakeOwnership flag
- Fix --take-ownership
- build(deps): bump github.com/rubenv/sql-migrate from 1.7.1 to
1.7.2
- build(deps): bump golang.org/x/crypto from 0.36.0 to 0.37.0
- build(deps): bump golang.org/x/term from 0.30.0 to 0.31.0
- Testing text bump
- Permit more Go version and not only 1.23.8
- Bumps github.com/distribution/distribution/v3 from 3.0.0-rc.3
to 3.0.0
- Unarchiving fix
- Fix typo
- Report as debug log, the time spent waiting for resources
- build(deps): bump github.com/containerd/containerd from
1.7.26 to 1.7.27
- Update pkg/registry/fallback.go
- automatic fallback to http
- chore(oci): upgrade to ORAS v2
- Updating to 0.37.0 for x/net
- build(deps): bump the k8s-io group with 7 updates
- build(deps): bump golang.org/x/crypto from 0.35.0 to 0.36.0
- build(deps): bump github.com/opencontainers/image-spec
- build(deps): bump github.com/containerd/containerd from
1.7.25 to 1.7.26
- build(deps): bump golang.org/x/crypto from 0.33.0 to 0.35.0
- Fix cherry-pick helm.sh/helm/v4 -> helm.sh/helm/v3
- Add HookOutputFunc and generic yaml unmarshaller
- clarify fix error message
- fix err check
- add short circuit return
- Add hook annotations to output pod logs to client on success
and fail
- chore: use []error instead of []string
- Update cmd/helm/profiling.go
- chore: update profiling doc in CONTRIBUTING.md
- Update CONTRIBUTING guide
- Prefer environment variables to CLI flags
- Move pprof paths to HELM_PPROF env variable
- feat: Add flags to enable CPU and memory profiling
- build(deps): bump github.com/distribution/distribution/v3
- build(deps): bump github.com/spf13/cobra from 1.8.1 to 1.9.1
- Moving to SetOut and SetErr for Cobra
- build(deps): bump the k8s-io group with 7 updates
- build(deps): bump golang.org/x/crypto from 0.32.0 to 0.33.0
- build(deps): bump golang.org/x/term from 0.28.0 to 0.29.0
- build(deps): bump golang.org/x/text from 0.21.0 to 0.22.0
- build(deps): bump github.com/spf13/pflag from 1.0.5 to 1.0.6
- build(deps): bump github.com/cyphar/filepath-securejoin
- build(deps): bump github.com/evanphx/json-patch
- build(deps): bump the k8s-io group with 7 updates
- fix: check group for resource info match
- Bump github.com/cyphar/filepath-securejoin from 0.3.6 to
0.4.0
- add test for nullifying nested global value
- Ensuring the file paths are clean prior to passing to
securejoin
- Bump github.com/containerd/containerd from 1.7.24 to 1.7.25
- Bump golang.org/x/crypto from 0.31.0 to 0.32.0
- Bump golang.org/x/term from 0.27.0 to 0.28.0
- bump version to v3.17.0
- Bump github.com/moby/term from 0.5.0 to 0.5.2
- Add test case for removing an entire object
- Tests for bugfix: Override subcharts with null values #12879
- feat: Added multi-platform plugin hook support to v3
- This commit fixes the issue where the yaml.Unmarshaller
converts all int values into float64; it passes an option to
the decoder, which enables conversion of int into .
- merge null child chart objects
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4190-1
Released: Mon Nov 24 10:19:40 2025
Summary: Security update for helm
Type: security
Severity: important
References: 1246152,1251442,1251649,CVE-2025-47911,CVE-2025-53547,CVE-2025-58190
This update for helm fixes the following issues:
- Update to version 3.19.1
- CVE-2025-53547: Fixed local code execution in Helm Chart. (bsc#1246152)
- CVE-2025-58190: Fixed excessive memory consumption by `html.ParseFragment` when processing specially crafted input. (bsc#1251649)
- CVE-2025-47911: Fixed various algorithms with quadratic complexity when parsing HTML documents. (bsc#1251442)
-----------------------------------------------------------------
Advisory ID: SUSE-SU-2025:4437-1
Released: Wed Dec 17 15:44:48 2025
Summary: Security update for helm
Type: security
Severity: important
References:
This update for helm rebuilds it against the current Go toolchain to fix security issues in the Go standard library.
The following package changes have been done:
- patterns-base-fips-20200124-150700.36.1 added
- helm-3.19.1-150000.1.59.1 added
- container:suse-sle15-15.7-7970b1398395a13b38e858c60a7b75db5f5265dd7c0ecdabe8919a458b2f34e5-0 updated
- container:registry.suse.com-bci-bci-micro-15.7-55883c76f750bdb0fa8cf3fe2e43f19f9babc501efce9801e94a9c0c8d115a20-0 updated