SUSE-SU-2026:21434-1: moderate: Security update for helm
SLE-UPDATES
null at suse.de
Mon May 4 08:36:19 UTC 2026
# Security update for helm
Announcement ID: SUSE-SU-2026:21434-1
Release Date: 2026-04-30T13:26:15Z
Rating: moderate
References:
* bsc#1248093
* bsc#1261938
Cross-References:
* CVE-2025-55199
* CVE-2026-35206
CVSS scores:
* CVE-2025-55199 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-55199 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2025-55199 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
* CVE-2026-35206 ( SUSE ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-35206 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
* CVE-2026-35206 ( NVD ): 4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
* CVE-2026-35206 ( NVD ): 4.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that solves two vulnerabilities can now be installed.
## Description:
This update for helm fixes the following issues:
Update to version 3.20.2.
Security issued fixed:
* CVE-2025-55199: specially crafted JSON Schema can lead to out of memory
(OOM) termination (bsc#1248093).
* CVE-2026-35206: specially crafted Chart will have contents extracted to
immediate output directory rather than to expected output directory suffixed
by the Chart's name (bsc#1261938).
Other updates and bugfixes:
* Version 3.20.1:
* chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
* add image index test 90e1056 (Pedro Tôrres)
* fix pulling charts from OCI indices 911f2e9 (Pedro Tôrres)
* Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
* Fix import 45c12f7 (Evans Mungai)
* Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
* Fix lint warning 09f5129 (Evans Mungai)
* Preserve nil values in chart already 417deb2 (Evans Mungai)
* fix(values): preserve nil values when chart default is empty map 5417bfa
(Evans Mungai)
* Version 3.20.0:
* SDK: bump k8s API versions to v0.35.0
* v3 backport: Fixed a bug where helm uninstall with --keep-history did not
suspend previous deployed releases #12564
* v3 backport: Bump Go version to v1.25
* bump version to v3.20
* chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
* chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
* chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
* chore(deps): bump the k8s-io group with 7 updates
* [dev-v3] Replace deprecated `NewSimpleClientset`
* [dev-v3] Bump Go v1.25, `golangci-lint` v2
* chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
* chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
* fix(rollback): `errors.Is` instead of string comp
* fix(uninstall): supersede deployed releases
* Use latest patch release of Go in releases
* chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
* chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
* chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
* chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
* chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
* chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
* chore(deps): bump github.com/cyphar/filepath-securejoin
* chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
* chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
* Remove dev-v3 `helm-latest-version` publish
* chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29
* Revert "pkg/registry: Login option for passing TLS config in memory"
* jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
* Fix `helm pull` untar dir check with repo urls
* chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
* chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
* chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
* [backport] fix: get-helm-3 script use helm3-latest-version
* pkg/registry: Login option for passing TLS config in memory
* Fix deprecation warning
* chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
* chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
* Avoid "panic: interface conversion: interface {} is nil"
* bump version to v3.19.0
* chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
* fix: set repo authorizer in registry.Client.Resolve()
* fix null merge
* Add timeout flag to repo add and update flags
* Version 3.19.5:
* Fixed bug where removing subchart value via override resulted in warning
#31118
* Fixed bug where helm uninstall with --keep-history did not suspend previous
deployed releases #12556
* fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
* fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
* fix null merge 578564e (Ben Foster)
* Version 3.19.4:
* Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
* chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f
(dependabot[bot])
* chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
* chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544
(dependabot[bot])
* chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387
(dependabot[bot])
* chore(deps): bump the k8s-io group with 7 updates edb1579
* Version 3.19.3:
* Bump golang.org/x/crypto to v0.45.0
* Version 3.19.2:
* [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George
Jenkins)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server for SAP applications 16.0
zypper in -t patch SUSE-SLES-16.0-661=1
* SUSE Linux Enterprise Server 16.0
zypper in -t patch SUSE-SLES-16.0-661=1
## Package List:
* SUSE Linux Enterprise Server for SAP applications 16.0 (ppc64le x86_64)
* helm-3.20.2-160000.1.1
* helm-debuginfo-3.20.2-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
* helm-fish-completion-3.20.2-160000.1.1
* helm-bash-completion-3.20.2-160000.1.1
* helm-zsh-completion-3.20.2-160000.1.1
* SUSE Linux Enterprise Server 16.0 (aarch64 ppc64le s390x x86_64)
* helm-3.20.2-160000.1.1
* helm-debuginfo-3.20.2-160000.1.1
* SUSE Linux Enterprise Server 16.0 (noarch)
* helm-fish-completion-3.20.2-160000.1.1
* helm-bash-completion-3.20.2-160000.1.1
* helm-zsh-completion-3.20.2-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2025-55199.html
* https://www.suse.com/security/cve/CVE-2026-35206.html
* https://bugzilla.suse.com/show_bug.cgi?id=1248093
* https://bugzilla.suse.com/show_bug.cgi?id=1261938
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260504/8d302d33/attachment-0001.htm>
More information about the sle-updates
mailing list