<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle xml:lang="en">helm3-3.19.2-1.1 on GA media</DocumentTitle>
  <DocumentType>SUSE Patch</DocumentType>
  <DocumentPublisher Type="Vendor">
    <ContactDetails>security@suse.de</ContactDetails>
    <IssuingAuthority>SUSE Security Team</IssuingAuthority>
  </DocumentPublisher>
  <DocumentTracking>
    <Identification>
      <ID>openSUSE-SU-2025:15779-1</ID>
    </Identification>
    <Status>Final</Status>
    <Version>1</Version>
    <RevisionHistory>
      <Revision>
        <Number>1</Number>
        <Date>2025-11-28T00:00:00Z</Date>
        <Description>current</Description>
      </Revision>
    </RevisionHistory>
    <InitialReleaseDate>2025-11-28T00:00:00Z</InitialReleaseDate>
    <CurrentReleaseDate>2025-11-28T00:00:00Z</CurrentReleaseDate>
    <Generator>
      <Engine>cve-database/bin/generate-cvrf.pl</Engine>
      <Date>2017-02-24T01:00:00Z</Date>
    </Generator>
  </DocumentTracking>
  <DocumentNotes>
    <Note Title="Topic" Type="Summary" Ordinal="1" xml:lang="en">helm3-3.19.2-1.1 on GA media</Note>
    <Note Title="Details" Type="General" Ordinal="2" xml:lang="en">These are all security issues fixed in the helm3-3.19.2-1.1 package on the GA media of openSUSE Tumbleweed.</Note>
    <Note Title="Terms of Use" Type="Legal Disclaimer" Ordinal="3" xml:lang="en">The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).</Note>
    <Note Title="Patchnames" Type="Details" Ordinal="4" xml:lang="en">openSUSE-Tumbleweed-2025-15779</Note>
  </DocumentNotes>
  <DocumentDistribution xml:lang="en">Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)</DocumentDistribution>
  <DocumentReferences>
    <Reference Type="Self">
      <URL>https://www.suse.com/support/security/rating/</URL>
      <Description>SUSE Security Ratings</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2018-16873/</URL>
      <Description>SUSE CVE CVE-2018-16873 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2018-16874/</URL>
      <Description>SUSE CVE CVE-2018-16874 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2018-16875/</URL>
      <Description>SUSE CVE CVE-2018-16875 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2021-21272/</URL>
      <Description>SUSE CVE CVE-2021-21272 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-1996/</URL>
      <Description>SUSE CVE CVE-2022-1996 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-23524/</URL>
      <Description>SUSE CVE CVE-2022-23524 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-23525/</URL>
      <Description>SUSE CVE CVE-2022-23525 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-23526/</URL>
      <Description>SUSE CVE CVE-2022-23526 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2022-36055/</URL>
      <Description>SUSE CVE CVE-2022-36055 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-25165/</URL>
      <Description>SUSE CVE CVE-2023-25165 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2023-25173/</URL>
      <Description>SUSE CVE CVE-2023-25173 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-25620/</URL>
      <Description>SUSE CVE CVE-2024-25620 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-26147/</URL>
      <Description>SUSE CVE CVE-2024-26147 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-45337/</URL>
      <Description>SUSE CVE CVE-2024-45337 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2024-45338/</URL>
      <Description>SUSE CVE CVE-2024-45338 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-22870/</URL>
      <Description>SUSE CVE CVE-2025-22870 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-22872/</URL>
      <Description>SUSE CVE CVE-2025-22872 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-47911/</URL>
      <Description>SUSE CVE CVE-2025-47911 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-53547/</URL>
      <Description>SUSE CVE CVE-2025-53547 page</Description>
    </Reference>
    <Reference Type="Self">
      <URL>https://www.suse.com/security/cve/CVE-2025-58190/</URL>
      <Description>SUSE CVE CVE-2025-58190 page</Description>
    </Reference>
  </DocumentReferences>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <Branch Type="Product Family" Name="openSUSE Tumbleweed">
      <Branch Type="Product Name" Name="openSUSE Tumbleweed">
        <FullProductName ProductID="openSUSE Tumbleweed" CPE="cpe:/o:opensuse:tumbleweed">openSUSE Tumbleweed</FullProductName>
      </Branch>
    </Branch>
    <Branch Type="Product Version" Name="helm3-3.19.2-1.1">
      <FullProductName ProductID="helm3-3.19.2-1.1">helm3-3.19.2-1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="helm3-bash-completion-3.19.2-1.1">
      <FullProductName ProductID="helm3-bash-completion-3.19.2-1.1">helm3-bash-completion-3.19.2-1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="helm3-fish-completion-3.19.2-1.1">
      <FullProductName ProductID="helm3-fish-completion-3.19.2-1.1">helm3-fish-completion-3.19.2-1.1</FullProductName>
    </Branch>
    <Branch Type="Product Version" Name="helm3-zsh-completion-3.19.2-1.1">
      <FullProductName ProductID="helm3-zsh-completion-3.19.2-1.1">helm3-zsh-completion-3.19.2-1.1</FullProductName>
    </Branch>
    <Relationship ProductReference="helm3-3.19.2-1.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Tumbleweed">
      <FullProductName ProductID="openSUSE Tumbleweed:helm3-3.19.2-1.1">helm3-3.19.2-1.1 as a component of openSUSE Tumbleweed</FullProductName>
    </Relationship>
    <Relationship ProductReference="helm3-bash-completion-3.19.2-1.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Tumbleweed">
      <FullProductName ProductID="openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1">helm3-bash-completion-3.19.2-1.1 as a component of openSUSE Tumbleweed</FullProductName>
    </Relationship>
    <Relationship ProductReference="helm3-fish-completion-3.19.2-1.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Tumbleweed">
      <FullProductName ProductID="openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1">helm3-fish-completion-3.19.2-1.1 as a component of openSUSE Tumbleweed</FullProductName>
    </Relationship>
    <Relationship ProductReference="helm3-zsh-completion-3.19.2-1.1" RelationType="Default Component Of" RelatesToProductReference="openSUSE Tumbleweed">
      <FullProductName ProductID="openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1">helm3-zsh-completion-3.19.2-1.1 as a component of openSUSE Tumbleweed</FullProductName>
    </Relationship>
  </ProductTree>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="1">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to remote code execution when executed with the -u flag and the import path of a malicious Go package, or a package that imports it directly or indirectly. Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). Using custom domains, it's possible to arrange things so that a Git repository is cloned to a folder named ".git" by using a vanity import path that ends with "/.git". If the Git repository root contains a "HEAD" file, a "config" file, an "objects" directory, a "refs" directory, with some work to ensure the proper ordering of operations, "go get -u" can be tricked into considering the parent directory as a repository root, and running Git commands on it. That will use the "config" file in the original Git repository root for its configuration, and if that config file contains malicious commands, they will execute on the system running "go get -u".</Note>
    </Notes>
    <CVE>CVE-2018-16873</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2018-16873.html</URL>
        <Description>CVE-2018-16873</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118897</URL>
        <Description>SUSE Bug 1118897</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118898</URL>
        <Description>SUSE Bug 1118898</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118899</URL>
        <Description>SUSE Bug 1118899</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="2">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Go before 1.10.6 and 1.11.x before 1.11.3, the "go get" command is vulnerable to directory traversal when executed with the import path of a malicious Go package which contains curly braces (both '{' and '}' characters). Specifically, it is only vulnerable in GOPATH mode, but not in module mode (the distinction is documented at https://golang.org/cmd/go/#hdr-Module_aware_go_get). The attacker can cause an arbitrary filesystem write, which can lead to code execution.</Note>
    </Notes>
    <CVE>CVE-2018-16874</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.8</BaseScore>
        <Vector>AV:N/AC:M/Au:N/C:P/I:P/A:P</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2018-16874.html</URL>
        <Description>CVE-2018-16874</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118897</URL>
        <Description>SUSE Bug 1118897</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118898</URL>
        <Description>SUSE Bug 1118898</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118899</URL>
        <Description>SUSE Bug 1118899</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="3">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The crypto/x509 package of Go before 1.10.6 and 1.11.x before 1.11.3 does not limit the amount of work performed for each chain verification, which might allow attackers to craft pathological inputs leading to a CPU denial of service. Go TLS servers accepting client certificates and TLS clients are affected.</Note>
    </Notes>
    <CVE>CVE-2018-16875</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>7.8</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:N/I:N/A:C</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2018-16875.html</URL>
        <Description>CVE-2018-16875</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118897</URL>
        <Description>SUSE Bug 1118897</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118898</URL>
        <Description>SUSE Bug 1118898</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1118899</URL>
        <Description>SUSE Bug 1118899</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="4">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">ORAS is open source software which enables a way to push OCI Artifacts to OCI Conformant registries. ORAS is both a CLI for initial testing and a Go Module. In ORAS from version 0.4.0 and before version 0.9.0, there is a "zip-slip" vulnerability. The directory support feature allows the downloaded gzipped tarballs to be automatically extracted to the user-specified directory where the tarball can have symbolic links and hard links. A well-crafted tarball or tarballs allow malicious artifact providers linking, writing, or overwriting specific files on the host filesystem outside of the user-specified directory unexpectedly with the same permissions as the user who runs `oras pull`. Users of the affected versions are impacted if they are `oras` CLI users who run `oras pull`, or if they are Go programs, which invoke `github.com/deislabs/oras/pkg/content.FileStore`. The problem has been fixed in version 0.9.0. For `oras` CLI users, there are no workarounds other than pulling from a trusted artifact provider. For `oras` package users, the workaround is to not use `github.com/deislabs/oras/pkg/content.FileStore`, and use other content stores instead, or pull from a trusted artifact provider.</Note>
    </Notes>
    <CVE>CVE-2021-21272</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>4</BaseScore>
        <Vector>AV:N/AC:L/Au:S/C:N/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2021-21272.html</URL>
        <Description>CVE-2021-21272</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1181419</URL>
        <Description>SUSE Bug 1181419</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="5">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Authorization Bypass Through User-Controlled Key in GitHub repository emicklei/go-restful prior to v3.8.0.</Note>
    </Notes>
    <CVE>CVE-2022-1996</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <CVSSScoreSets>
      <ScoreSet>
        <BaseScore>6.4</BaseScore>
        <Vector>AV:N/AC:L/Au:N/C:P/I:P/A:N</Vector>
      </ScoreSet>
    </CVSSScoreSets>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-1996.html</URL>
        <Description>CVE-2022-1996</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1200528</URL>
        <Description>SUSE Bug 1200528</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="6">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate that strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.</Note>
    </Notes>
    <CVE>CVE-2022-23524</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-23524.html</URL>
        <Description>CVE-2022-23524</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1206467</URL>
        <Description>SUSE Bug 1206467</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="7">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_ package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate that index files are correctly formatted before passing them to the _repo_ functions.</Note>
    </Notes>
    <CVE>CVE-2022-23525</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-23525.html</URL>
        <Description>CVE-2022-23525</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1206469</URL>
        <Description>SUSE Bug 1206469</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="8">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate that schema files are correctly formatted before passing them to the _chartutil_ functions.</Note>
    </Notes>
    <CVE>CVE-2022-23526</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-23526.html</URL>
        <Description>CVE-2022-23526</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1206471</URL>
        <Description>SUSE Bug 1206471</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="9">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. Fuzz testing, provided by the CNCF, identified input to functions in the _strvals_ package that can cause an out of memory panic. The _strvals_ package contains a parser that turns strings into Go structures. The _strvals_ package converts these strings into structures Go can work with. Some string inputs can cause array data structures to be created causing an out of memory panic. Applications that use the _strvals_ package in the Helm SDK to parse user supplied input can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with input to `--set`, `--set-string`, and other value setting flags that causes an out of memory panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been resolved in 3.9.4. SDK users can validate that strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions.</Note>
    </Notes>
    <CVE>CVE-2022-36055</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2022-36055.html</URL>
        <Description>CVE-2022-36055</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1203054</URL>
        <Description>SUSE Bug 1203054</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="10">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a tool that streamlines installing and managing Kubernetes applications. `getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to look up the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm, verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers.</Note>
    </Notes>
    <CVE>CVE-2023-25165</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-25165.html</URL>
        <Description>CVE-2023-25165</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1208083</URL>
        <Description>SUSE Bug 1208083</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="11">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well.

This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.</Note>
    </Notes>
    <CVE>CVE-2023-25173</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2023-25173.html</URL>
        <Description>CVE-2023-25173</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1208426</URL>
        <Description>SUSE Bug 1208426</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1215588</URL>
        <Description>SUSE Bug 1215588</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="12">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a tool for managing Charts. Charts are packages of pre-configured Kubernetes resources. When either the Helm client or SDK is used to save a chart whose name within the `Chart.yaml` file includes a relative path change, the chart would be saved outside its expected directory based on the changes in the relative path. The validation and linting did not detect the path changes in the name. This issue has been resolved in Helm v3.14.1. Users unable to upgrade should check all charts used by Helm for path changes in their name as found in the `Chart.yaml` file. This includes dependencies.</Note>
    </Notes>
    <CVE>CVE-2024-25620</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-25620.html</URL>
        <Description>CVE-2024-25620</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1219969</URL>
        <Description>SUSE Bug 1219969</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="13">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin yaml files that are missing expected content. When either an `index.yaml` file or a plugin's `plugin.yaml` file was missing all metadata, a panic would occur in Helm. In the Helm SDK, this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository, and all Helm functions if a malicious plugin is added, because Helm inspects all known plugins on each invocation. This issue has been resolved in Helm v3.14.2. If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic.</Note>
    </Notes>
    <CVE>CVE-2024-26147</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-26147.html</URL>
        <Description>CVE-2024-26147</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1220207</URL>
        <Description>SUSE Bug 1220207</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="14">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Applications and libraries which misuse connection.serverAuthenticate (via callback field ServerConfig.PublicKeyCallback) may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security-relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B, for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/crypto@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth.
Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.</Note>
    </Notes>
    <CVE>CVE-2024-45337</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-45337.html</URL>
        <Description>CVE-2024-45337</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1234482</URL>
        <Description>SUSE Bug 1234482</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="15">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.</Note>
    </Notes>
    <CVE>CVE-2024-45338</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2024-45338.html</URL>
        <Description>CVE-2024-45338</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1234794</URL>
        <Description>SUSE Bug 1234794</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="16">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80" will incorrectly match and not be proxied.</Note>
    </Notes>
    <CVE>CVE-2025-22870</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-22870.html</URL>
        <Description>CVE-2025-22870</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1238572</URL>
        <Description>SUSE Bug 1238572</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1238611</URL>
        <Description>SUSE Bug 1238611</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="17">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">The tokenizer incorrectly interprets tags with unquoted attribute values that end with a solidus character (/) as self-closing. When directly using Tokenizer, this can result in such tags incorrectly being marked as self-closing, and when using the Parse functions, this can result in content following such tags being placed in the wrong scope during DOM construction, but only when tags are in foreign content (e.g. &lt;math&gt;, &lt;svg&gt;, etc. contexts).</Note>
    </Notes>
    <CVE>CVE-2025-22872</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-22872.html</URL>
        <Description>CVE-2025-22872</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1241710</URL>
        <Description>SUSE Bug 1241710</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="18">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">unknown</Note>
    </Notes>
    <CVE>CVE-2025-47911</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-47911.html</URL>
        <Description>CVE-2025-47911</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1251308</URL>
        <Description>SUSE Bug 1251308</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="19">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file that are carried over to a Chart.lock file when dependencies are updated and the lock file is written can be crafted in a way that causes execution if that same content were in a file that is executed (e.g., a .bashrc file or shell script). If the Chart.lock file is symlinked to one of these files, updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warned about the symlinked file but did not abort because of the symlink. This issue has been resolved in Helm v3.18.4.</Note>
    </Notes>
    <CVE>CVE-2025-53547</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>important</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-53547.html</URL>
        <Description>CVE-2025-53547</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1246150</URL>
        <Description>SUSE Bug 1246150</Description>
      </Reference>
    </References>
  </Vulnerability>
  <Vulnerability xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1" Ordinal="20">
    <Notes>
      <Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">unknown</Note>
    </Notes>
    <CVE>CVE-2025-58190</CVE>
    <ProductStatuses>
      <Status Type="Fixed">
        <ProductID>openSUSE Tumbleweed:helm3-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-bash-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-fish-completion-3.19.2-1.1</ProductID>
        <ProductID>openSUSE Tumbleweed:helm3-zsh-completion-3.19.2-1.1</ProductID>
      </Status>
    </ProductStatuses>
    <Threats>
      <Threat Type="Impact">
        <Description>moderate</Description>
      </Threat>
    </Threats>
    <Remediations>
      <Remediation Type="Vendor Fix">
        <Description xml:lang="en">To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
</Description>
        <URL/>
      </Remediation>
    </Remediations>
    <References>
      <Reference>
        <URL>https://www.suse.com/security/cve/CVE-2025-58190.html</URL>
        <Description>CVE-2025-58190</Description>
      </Reference>
      <Reference>
        <URL>https://bugzilla.suse.com/1251309</URL>
        <Description>SUSE Bug 1251309</Description>
      </Reference>
    </References>
  </Vulnerability>
</cvrfdoc>
