SUSE-SU-2026:20685-1: moderate: Security update for helm

SLE-SECURITY-UPDATES null at suse.de
Wed Mar 18 20:35:15 UTC 2026 


# Security update for helm

Announcement ID: SUSE-SU-2026:20685-1  
Release Date: 2026-03-05T14:24:28Z  
Rating: moderate  
References:

  * bsc#1251442
  * bsc#1251649

  
Cross-References:

  * CVE-2025-47911
  * CVE-2025-58190

  
CVSS scores:

  * CVE-2025-47911 ( SUSE ):  6.9
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-47911 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-47911 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-47911 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-58190 ( SUSE ):  6.9
    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-58190 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-58190 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  * CVE-2025-58190 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

  
Affected Products:

  * SUSE Linux Micro 6.2

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for helm fixes the following issues:

  * Update to version 3.19.1:
  * CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with
    quadratic complexity when parsing HTML documents (bsc#1251442)
  * CVE-2025-58190: golang.org/x/net/html: Fixed xcessive memory consumption by
    `html.ParseFragment` when processing specially crafted input (bsc#1251649)
  * jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
  * Avoid "panic: interface conversion: interface {} is nil"
  * Fix `helm pull` untar dir check with repo urls
  * Fix deprecation warning
  * Add timeout flag to repo add and update flags

  * Update to version 3.19.0:

  * bump version to v3.19.0
  * fix: use username and password if provided
  * fix(helm-lint): fmt
  * fix(helm-lint): Add TLSClientConfig
  * fix(helm-lint): Add HTTP/HTTPS URL support for json schema references
  * chore(deps): bump the k8s-io group with 7 updates
  * fix: go mod tidy for v3
  * fix Chart.yaml handling
  * Handle messy index files
  * json schema fix
  * fix: k8s version parsing to match original
  * Do not explicitly set SNI in HTTPGetter
  * Disabling linter due to unknown issue
  * Updating link handling
  * fix: user username password for login
  * Update pkg/registry/transport.go
  * fix: add debug logging to oci transport
  * fix: legacy docker support broken for login
  * fix: plugin installer test with no Internet
  * Handle an empty registry config file.
  * Prevent fetching newReference again as we have in calling method
  * Prevent failure when resolving version tags in oras memory store
  * fix(client): skipnode utilization for PreCopy
  * test: Skip instead of returning early. looks more intentional
  * test: tests repo stripping functionality
  * test: include tests for Login based on different protocol prefixes
  * fix(client): layers now returns manifest - remove duplicate from descriptors
  * fix(client): return nil on non-allowed media types
  * Fix 3.18.0 regression: registry login with scheme
  * Update pkg/plugin/plugin.go
  * Wait for Helm v4 before raising when platformCommand and Command are set
  * Revert "fix (helm) : toToml` renders int as float [ backport to v3 ]"
  * build(deps): bump the k8s-io group with 7 updates
  * chore: update generalization warning message
  * fix: move warning to top of block
  * fix: govulncheck workflow
  * fix: replace fmt warning with slog
  * fix: add warning when ignore repo flag
  * feat: add httproute from gateway-api to create chart template

  * Update to version 3.18.6:

  * fix(helm-lint): fmt
  * fix(helm-lint): Add TLSClientConfig
  * fix(helm-lint): Add HTTP/HTTPS URL support for json schema references

  * Update to version 3.18.5:

  * fix Chart.yaml handling 7799b48 (Matt Farina)
  * Handle messy index files dd8502f (Matt Farina)
  * json schema fix cb8595b (Robert Sirchia)

  * Fix shell completion dependencies

  * Add BuildRequires to prevent inclusion of folders owned by shells.
  * Add Requires because installing completions without appropriate shell is
    questionable.

  * Fix zsh completion location

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.2  
    zypper in -t patch SUSE-SL-Micro-6.2-360=1

## Package List:

  * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    * helm-3.19.1-160000.1.1
    * helm-debuginfo-3.19.1-160000.1.1
  * SUSE Linux Micro 6.2 (noarch)
    * helm-bash-completion-3.19.1-160000.1.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-47911.html
  * https://www.suse.com/security/cve/CVE-2025-58190.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1251442
  * https://bugzilla.suse.com/show_bug.cgi?id=1251649

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260318/3778e298/attachment-0001.htm>

More information about the sle-security-updates mailing list