<div class="container">
<h1>Security update for helm</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:4124-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183043">bsc#1183043</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1215588">bsc#1215588</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1215711">bsc#1215711</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-41723.html">CVE-2022-41723</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-25173.html">CVE-2023-25173</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41723</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-41723</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-25173</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-25173</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">Containers Module 15-SP4</li>
<li class="list-group-item">Containers Module 15-SP5</li>
<li class="list-group-item">SUSE Enterprise Storage 7.1</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Desktop 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.3</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.4</li>
<li class="list-group-item">SUSE Linux Enterprise Micro 5.5</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Real Time 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
<li class="list-group-item">SUSE Package Hub 15 15-SP4</li>
<li class="list-group-item">SUSE Package Hub 15 15-SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities and has one security fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for helm fixes the following issues:</p>
<p>helm was updated to version 3.13.1:</p>
<ul>
<li>Fixing precedence issue with the import of values.</li>
<li>Add missing with clause to release gh action</li>
<li>FIX Default ServiceAccount yaml</li>
<li>fix(registry): unswallow error</li>
<li>remove useless print during prepareUpgrade</li>
<li>fix(registry): address anonymous pull issue</li>
<li>Fix missing run statement on release action</li>
<li>Write latest version to get.helm.sh bucket</li>
<li>Increased release information key name max length.</li>
</ul>
<p>helm was updated to version 3.13.0 (bsc#1215588):</p>
<ul>
<li>Fix leaking goroutines in Install</li>
<li>Update Helm to use k8s 1.28.2 libraries</li>
<li>make the dependabot k8s.io group explicit</li>
<li>use dependabot's group support for k8s.io dependencies</li>
<li>doc:Executing helm rollback release 0 will roll back to the
previous release</li>
<li>Use labels instead of selectorLabels for pod labels</li>
<li>fix(helm): fix GetPodLogs, the hooks should be sorted before
get the logs of each hook</li>
<li>chore: HTTPGetter add default timeout</li>
<li>Avoid nil dereference if passing a nil resolver</li>
<li>Add required changes after merge</li>
<li>Fix #3352, add support for --ignore-not-found just like kubectl
delete</li>
<li>Fix helm may identify achieve of the application/x-gzip as
application/vnd.ms-fontobject</li>
<li>Restore <code>helm get metadata</code> command</li>
<li>Revert "Add <code>helm get metadata</code> command"</li>
<li>test: replace <code>ensure.TempDir</code> with <code>t.TempDir</code></li>
<li>use json api url + report curl/wget error on fail</li>
<li>Added error in case try to supply custom label with name of
system label during install/upgrade</li>
<li>fix(main): fix basic auth for helm pull or push</li>
<li>cmd: support generating index in JSON format</li>
<li>repo: detect JSON and unmarshal efficiently</li>
<li>Tweaking new dry-run internal handling</li>
<li>bump kubernetes modules to v0.27.3</li>
<li>Remove warning for template directory not found.</li>
<li>Added tests for created OCI annotation time format</li>
<li>Add created OCI annotation</li>
<li>Fix multiple bugs in values handling</li>
<li>chore: fix a typo in <code>manager.go</code></li>
<li>add GetRegistryClient method</li>
<li>oci: add tests for plain HTTP and insecure HTTPS registries</li>
<li>oci: Add flag <code>--plain-http</code> to enable working with HTTP
registries</li>
<li>docs: add an example for using the upgrade command with
existing values</li>
<li>Replace <code>fmt.Fprintf</code> with <code>fmt.Fprint</code> in get_metadata.go</li>
<li>Replace <code>fmt.Fprintln</code> with <code>fmt.Fprintf</code> in get_metadata.go</li>
<li>update kubernetes dependencies from v0.27.0 to v0.27.1</li>
<li>Add ClientOptResolver to test util file</li>
<li>Check that missing keys are still handled in tpl</li>
<li>tests: change crd golden file to match after #11870</li>
<li>Adding details on the Factory interface</li>
<li>update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart</li>
<li>feat(helm): add ability for --dry-run to do lookup functions
When a helm command is run with the --dry-run flag, it will try
to connect to the cluster to be able to render lookup
functions. Closes #8137</li>
<li>bugfix:(#11391) helm lint infinite loop when malformed
template object</li>
<li>pkg/engine: fix nil-dereference</li>
<li>pkg/chartutil: fix nil-dereference</li>
<li>pkg/action: fix nil-dereference</li>
<li>full source path when output-dir is not provided</li>
<li>added Contributing.md section and ref link in the README</li>
<li>feat(helm): add ability for --dry-run to do lookup functions
When a helm command is run with the --dry-run flag, it will try
to connect to the cluster if the value is 'server' to be able
to render lookup functions. Closes #8137</li>
<li>feat(helm): add ability for --dry-run to do lookup functions</li>
<li>Add <code>CHART</code>, <code>VERSION</code> and <code>APP_VERSION</code> fields to <code>get all</code>
command output</li>
<li>Adjust <code>get</code> command description to account metadata</li>
<li>add volumes and volumeMounts in chartutil</li>
<li>Seed a default switch to control <code>automountServiceAccountToken</code></li>
<li>Avoid confusing error when passing in '--version X.Y.Z'</li>
<li>Add <code>helm get metadata</code> command</li>
<li>Use wrapped error so that ErrNoObjectsVisited can be compared
after return.</li>
<li>Add exact version test.</li>
<li>strict file permissions of repository.yaml</li>
<li>Check redefinition of define and include in tpl</li>
<li>Check that <code>.Template</code> is passed through <code>tpl</code></li>
<li>Make sure empty <code>tpl</code> values render empty.</li>
<li>Pick the test improvement out of PR#8371</li>
<li>
<h1>11369 Use the correct index repo cache directory in the</h1>
<p><code>parallelRepoUpdate</code> method as well</p>
</li>
<li>
<h1>11369 Add a test case to prove the bug and its resolution</h1>
</li>
<li>ref(helm): export DescriptorPullSummary fields</li>
<li>feat(helm): add 'ClientOptResolver' ClientOption</li>
<li>Fix flaky TestSQLCreate test by making sqlmock ignore order of
sql requests</li>
<li>Fixing tests after adding labels to release fixture</li>
<li>Make default release fixture contain custom labels to make
tests check that labels are not lost</li>
<li>Added support for storing custom labels in SQL storage driver</li>
<li>Adding support merging new custom labels with original release
labels during upgrade</li>
<li>Added note to install/upgrade commands that original release
labels wouldn't be persisted in upgraded release</li>
<li>Added unit tests for implemented install/upgrade labels logic</li>
<li>Remove redudant types from util_test.go</li>
<li>Added tests for newly introduced util.go functions</li>
<li>Fix broken tests for SQL storage driver</li>
<li>Fix broken tests for configmap and secret storage drivers</li>
<li>Make superseded releases keep labels</li>
<li>Support configmap storage driver for install/upgrade actions
--labels argument</li>
<li>Added upgrade --install labels argument support</li>
<li>Add labels support for install action with secret storage
backend</li>
<li>test: added tests to load plugin from home dir with space</li>
<li>fix: plugin does not load when helm base dir contains space</li>
<li>Add priority class to kind sorter</li>
<li>Fixes #10566</li>
<li>test(search): add mixedCase test case</li>
<li>fix(search): print repo search result in original case</li>
<li>Adjust error message wrongly claiming that there is a resource
conflict</li>
<li>Throw an error from jobReady() if the job exceeds its
BackoffLimit</li>
<li>github: add Asset Transparency action for GitHub releases</li>
</ul>
<p>Update to version 3.12.3:</p>
<ul>
<li>bump kubernetes modules to v0.27.3</li>
<li>Add priority class to kind sorter</li>
</ul>
<p>Update to version 3.12.2:</p>
<ul>
<li>add GetRegistryClient method</li>
</ul>
<p>Update to version 3.12.1:</p>
<ul>
<li>bugfix:(#11391) helm lint infinite loop when malformed
template object</li>
<li>update autoscaling/v2beta1 to autoscaling/v2 in skeleton chart</li>
<li>test(search): add mixedCase test case</li>
<li>fix(search): print repo search result in original case</li>
<li>strict file permissions of repository.yaml</li>
<li>update kubernetes dependencies from v0.27.0 to v0.27.1</li>
</ul>
<p>Update to version 3.12.0:</p>
<ul>
<li>Attach annotations to OCI artifacts</li>
<li>Fix goroutine leak in action install</li>
<li>fix quiet lint does not fail on non-linting errors</li>
<li>create failing test for quietly linting a chart that doesn't
exist</li>
<li>Fixes Readiness Check for statefulsets using partitioned
rolling update. (#11774)</li>
<li>fix: failed testcase on windows</li>
<li>Fix 32bit-x86 typo in testsuite</li>
<li>Handle failed DNS case for Go 1.20+</li>
<li>Updating the Go version in go.mod</li>
<li>Fix goroutine leak in perform</li>
<li>Properly invalidate client after CRD install</li>
<li>Provide a helper to set the registryClient in cmd</li>
<li>Reimplemented change in httpgetter for insecure TLS option</li>
<li>Added insecure option to login subcommand</li>
<li>Added support for insecure OCI registries</li>
<li>Enable custom certificates option for OCI</li>
<li>Add testing to default and release branches</li>
<li>Remove job dependency. Should have done when I moved job to new
file</li>
<li>Remove check to run only in helm org</li>
<li>Add why comments</li>
<li>Convert remaining CircleCI config to GitHub Actions</li>
<li>Changed how the setup-go action sets go version</li>
<li>chore:Use http constants as http.request parameters</li>
<li>update k8s registry domain</li>
<li>don't mark issues as stale where a PR is in progress</li>
<li>Update to func handling</li>
<li>Add option to support cascade deletion options</li>
<li>the linter varcheck and deadcode are deprecated (since v1.49.0)</li>
<li>Check status code before retrying request</li>
<li>Fix improper use of Table request/response to k8s API</li>
<li>fix template --output-dir issue</li>
<li>Add protection for stack-overflows for nested keys</li>
<li>feature(helm): add --set-literal flag for literal string
interpretation</li>
</ul>
<p>Update to version 3.11.3:</p>
<ul>
<li>Fix goroutine leak in perform</li>
<li>Fix goroutine leak in action install</li>
<li>Fix 32bit-x86 typo in testsuite</li>
<li>
<p>Fixes Readiness Check for statefulsets using partitioned rolling update. (#11774)</p>
</li>
<li>
<p>avoid CGO to workaround missing gold dependency (bsc#1183043)</p>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Containers Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Containers-15-SP4-2023-4124=1</code>
</li>
<li class="list-group-item">
Containers Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Containers-15-SP5-2023-4124=1</code>
</li>
<li class="list-group-item">
SUSE Package Hub 15 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2023-4124=1</code>
</li>
<li class="list-group-item">
SUSE Package Hub 15 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP5-2023-4124=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4124=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4124=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4124=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4124=1</code>
</li>
<li class="list-group-item">
SUSE Enterprise Storage 7.1
<br/>
<code>zypper in -t patch SUSE-Storage-7.1-2023-4124=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Containers Module 15-SP4 (aarch64 ppc64le s390x x86_64)
<ul>
<li>helm-3.13.1-150000.1.26.1</li>
<li>helm-debuginfo-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
Containers Module 15-SP4 (noarch)
<ul>
<li>helm-zsh-completion-3.13.1-150000.1.26.1</li>
<li>helm-bash-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
Containers Module 15-SP5 (aarch64 ppc64le s390x x86_64)
<ul>
<li>helm-3.13.1-150000.1.26.1</li>
<li>helm-debuginfo-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
Containers Module 15-SP5 (noarch)
<ul>
<li>helm-zsh-completion-3.13.1-150000.1.26.1</li>
<li>helm-bash-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP4 (noarch)
<ul>
<li>helm-fish-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Package Hub 15 15-SP5 (noarch)
<ul>
<li>helm-fish-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (aarch64 x86_64)
<ul>
<li>helm-3.13.1-150000.1.26.1</li>
<li>helm-debuginfo-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch)
<ul>
<li>helm-zsh-completion-3.13.1-150000.1.26.1</li>
<li>helm-bash-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (aarch64 x86_64)
<ul>
<li>helm-3.13.1-150000.1.26.1</li>
<li>helm-debuginfo-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
<ul>
<li>helm-zsh-completion-3.13.1-150000.1.26.1</li>
<li>helm-bash-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (aarch64 ppc64le s390x x86_64)
<ul>
<li>helm-3.13.1-150000.1.26.1</li>
<li>helm-debuginfo-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
<ul>
<li>helm-zsh-completion-3.13.1-150000.1.26.1</li>
<li>helm-bash-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (ppc64le x86_64)
<ul>
<li>helm-3.13.1-150000.1.26.1</li>
<li>helm-debuginfo-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
<ul>
<li>helm-zsh-completion-3.13.1-150000.1.26.1</li>
<li>helm-bash-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Enterprise Storage 7.1 (aarch64 x86_64)
<ul>
<li>helm-3.13.1-150000.1.26.1</li>
<li>helm-debuginfo-3.13.1-150000.1.26.1</li>
</ul>
</li>
<li>
SUSE Enterprise Storage 7.1 (noarch)
<ul>
<li>helm-zsh-completion-3.13.1-150000.1.26.1</li>
<li>helm-bash-completion-3.13.1-150000.1.26.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-41723.html">https://www.suse.com/security/cve/CVE-2022-41723.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-25173.html">https://www.suse.com/security/cve/CVE-2023-25173.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1183043">https://bugzilla.suse.com/show_bug.cgi?id=1183043</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1215588">https://bugzilla.suse.com/show_bug.cgi?id=1215588</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1215711">https://bugzilla.suse.com/show_bug.cgi?id=1215711</a>
</li>
</ul>
</div>