Security update for helm SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2026:20327-1 Final 1 1 2026-03-05T14:27:21Z current 2026-03-05T14:27:21Z 2026-03-05T14:27:21Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for helm This update for helm fixes the following issues: - Update to version 3.19.1: * CVE-2025-47911: golang.org/x/net/html: Fixed various algorithms with quadratic complexity when parsing HTML documents (bsc#1251442) * CVE-2025-58190: golang.org/x/net/html: Fixed xcessive memory consumption by `html.ParseFragment` when processing specially crafted input (bsc#1251649) * jsonschema: warn and ignore unresolved URN $ref to match v3.18.4 * Avoid "panic: interface conversion: interface {} is nil" * Fix `helm pull` untar dir check with repo urls * Fix deprecation warning * Add timeout flag to repo add and update flags - Update to version 3.19.0: * bump version to v3.19.0 * fix: use username and password if provided * fix(helm-lint): fmt * fix(helm-lint): Add TLSClientConfig * fix(helm-lint): Add HTTP/HTTPS URL support for json schema references * chore(deps): bump the k8s-io group with 7 updates * fix: go mod tidy for v3 * fix Chart.yaml handling * Handle messy index files * json schema fix * fix: k8s version parsing to match original * Do not explicitly set SNI in HTTPGetter * Disabling linter due to unknown issue * Updating link handling * fix: user username password for login * Update pkg/registry/transport.go * fix: add debug logging to oci transport * fix: legacy docker support broken for login * fix: plugin installer test with no Internet * Handle an empty registry config file. * Prevent fetching newReference again as we have in calling method * Prevent failure when resolving version tags in oras memory store * fix(client): skipnode utilization for PreCopy * test: Skip instead of returning early. looks more intentional * test: tests repo stripping functionality * test: include tests for Login based on different protocol prefixes * fix(client): layers now returns manifest - remove duplicate from descriptors * fix(client): return nil on non-allowed media types * Fix 3.18.0 regression: registry login with scheme * Update pkg/plugin/plugin.go * Wait for Helm v4 before raising when platformCommand and Command are set * Revert "fix (helm) : toToml` renders int as float [ backport to v3 ]" * build(deps): bump the k8s-io group with 7 updates * chore: update generalization warning message * fix: move warning to top of block * fix: govulncheck workflow * fix: replace fmt warning with slog * fix: add warning when ignore repo flag * feat: add httproute from gateway-api to create chart template - Update to version 3.18.6: * fix(helm-lint): fmt * fix(helm-lint): Add TLSClientConfig * fix(helm-lint): Add HTTP/HTTPS URL support for json schema references - Update to version 3.18.5: * fix Chart.yaml handling 7799b48 (Matt Farina) * Handle messy index files dd8502f (Matt Farina) * json schema fix cb8595b (Robert Sirchia) - Fix shell completion dependencies * Add BuildRequires to prevent inclusion of folders owned by shells. * Add Requires because installing completions without appropriate shell is questionable. - Fix zsh completion location The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Leap-16.0-360 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1251442 SUSE Bug 1251442 https://bugzilla.suse.com/1251649 SUSE Bug 1251649 https://www.suse.com/security/cve/CVE-2025-47911/ SUSE CVE CVE-2025-47911 page https://www.suse.com/security/cve/CVE-2025-58190/ SUSE CVE CVE-2025-58190 page openSUSE Leap 16.0 helm-3.19.1-160000.1.1 helm-bash-completion-3.19.1-160000.1.1 helm-fish-completion-3.19.1-160000.1.1 helm-zsh-completion-3.19.1-160000.1.1 helm-3.19.1-160000.1.1 as a component of openSUSE Leap 16.0 helm-bash-completion-3.19.1-160000.1.1 as a component of openSUSE Leap 16.0 helm-fish-completion-3.19.1-160000.1.1 as a component of openSUSE Leap 16.0 helm-zsh-completion-3.19.1-160000.1.1 as a component of openSUSE Leap 16.0 The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. CVE-2025-47911 openSUSE Leap 16.0:helm-3.19.1-160000.1.1 openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1 openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1 openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-47911.html CVE-2025-47911 https://bugzilla.suse.com/1251308 SUSE Bug 1251308 The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. CVE-2025-58190 openSUSE Leap 16.0:helm-3.19.1-160000.1.1 openSUSE Leap 16.0:helm-bash-completion-3.19.1-160000.1.1 openSUSE Leap 16.0:helm-fish-completion-3.19.1-160000.1.1 openSUSE Leap 16.0:helm-zsh-completion-3.19.1-160000.1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-58190.html CVE-2025-58190 https://bugzilla.suse.com/1251309 SUSE Bug 1251309