{"affected":[{"ecosystem_specific":{"binaries":[{"helm":"3.19.1-1.1","helm-bash-completion":"3.19.1-1.1"}]},"package":{"ecosystem":"SUSE:Linux Micro 6.0","name":"helm","purl":"pkg:rpm/suse/helm&distro=SUSE%20Linux%20Micro%206.0"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"3.19.1-1.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for helm fixes the following issues:\n\nUpdate to version 3.19.1 (bsc#1251649, CVE-2025-58190, bsc#1251442, CVE-2025-47911):\n\n  * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29\n  * jsonschema: warn and ignore unresolved URN $ref to match v3.18.4\n  * Avoid \"panic: interface conversion: interface {} is nil\"\n  * Fix `helm pull` untar dir check with repo urls\n  * chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10\n  * Add timeout flag to repo add and update flags\n  * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.43.0\n\nUpdate to version 3.19.0:\n\n  * fix: use username and password if provided\n  * chore(deps): bump the k8s-io group with 7 updates\n  * chore(deps): bump github.com/spf13/cobra from 1.9.1 to 1.10.1\n  * chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1\n  * chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0\n  * fix(helm-lint): fmt\n  * fix(helm-lint): Add TLSClientConfig\n  * fix(helm-lint): Add HTTP/HTTPS URL support for json schema references\n  * chore(deps): bump the k8s-io group with 7 updates\n  * fix: go mod tidy for v3\n  * chore(deps): bump golang.org/x/crypto from 0.40.0 to 0.41.0\n  * chore(deps): bump golang.org/x/term from 0.33.0 to 0.34.0\n  * fix Chart.yaml handling\n  * Handle messy index files\n  * chore(deps): bump github.com/containerd/containerd from 1.7.27 to 1.7.28\n  * json schema fix\n  * fix: k8s version parsing to match original\n  * chore(deps): bump sigs.k8s.io/yaml from 1.5.0 to 1.6.0\n  * Do not explicitly set SNI in HTTPGetter\n  * chore(deps): bump github.com/spf13/pflag from 1.0.6 to 1.0.7\n  * chore(deps): bump the k8s-io group with 7 updates\n  * chore(deps): bump golang.org/x/crypto from 0.39.0 to 0.40.0\n  * chore(deps): bump golang.org/x/term from 0.32.0 to 0.33.0\n  * chore(deps): bump golang.org/x/text from 0.26.0 to 0.27.0\n  * Disabling linter due to unknown issue\n  * Updating link handling\n  * Bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1\n  * build(deps): bump the k8s-io group with 7 updates\n  * build(deps): bump sigs.k8s.io/yaml from 1.4.0 to 1.5.0\n  * fix: user username password for login\n  * Update pkg/registry/transport.go\n  * Update pkg/registry/transport.go\n  * fix: add debug logging to oci transport\n  * build(deps): bump golang.org/x/crypto from 0.38.0 to 0.39.0\n  * build(deps): bump golang.org/x/text from 0.25.0 to 0.26.0\n  * fix: legacy docker support broken for login\n  * fix: plugin installer test with no Internet\n  * Handle an empty registry config file.\n  * Prevent fetching newReference again as we have in calling method\n  * Prevent failure when resolving version tags in oras memory store\n  * fix(client): skipnode utilization for PreCopy\n  * test: Skip instead of returning early. looks more intentional\n  * test: tests repo stripping functionality\n  * test: include tests for Login based on different protocol prefixes\n  * fix(client): layers now returns manifest - remove duplicate from descriptors\n  * fix(client): return nil on non-allowed media types\n  * Fix 3.18.0 regression: registry login with scheme\n  * Update pkg/plugin/plugin.go\n  * Update pkg/plugin/plugin.go\n  * Wait for Helm v4 before raising when platformCommand and Command are set\n  * Revert \"fix (helm) : toToml` renders int as float [ backport to v3 ]\"\n  * build(deps): bump the k8s-io group with 7 updates\n  * chore: update generalization warning message\n  * build(deps): bump oras.land/oras-go/v2 from 2.5.0 to 2.6.0\n  * build(deps): bump the k8s-io group with 7 updates\n  * build(deps): bump golang.org/x/crypto from 0.37.0 to 0.38.0\n  * fix: move warning to top of block\n  * fix: govulncheck workflow\n  * fix: replace fmt warning with slog\n  * fix: add warning when ignore repo flag\n  * bump version to v3.18.0\n  * backport #30673 to dev-v3\n  * feat: add httproute from gateway-api to create chart template\n\nUpdate to version 3.18.6:\n\n  * fix(helm-lint): Add TLSClientConfig\n  * fix(helm-lint): Add HTTP/HTTPS URL support for json schema\n    references\n\nUpdate to version 3.18.5:\n\n  * fix Chart.yaml handling 7799b48 (Matt Farina)\n  * Handle messy index files dd8502f (Matt Farina)\n  * json schema fix cb8595b (Robert Sirchia)\n\nFix shell completion dependencies\n\n  * Add BuildRequires to prevent inclusion of folders owned by shells.\n  * Add Requires because installing completions without appropriate\n    shell is questionable.\n\n- Fix zsh completion location\n\n","id":"SUSE-SU-2025:21043-1","modified":"2025-11-14T08:40:12Z","published":"2025-11-14T08:40:12Z","references":[{"type":"ADVISORY","url":"https://www.suse.com/support/update/announcement/2025/suse-su-202521043-1/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251442"},{"type":"REPORT","url":"https://bugzilla.suse.com/1251649"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-47911"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2025-58190"}],"related":["CVE-2025-47911","CVE-2025-58190"],"summary":"Security update for helm","upstream":["CVE-2025-47911","CVE-2025-58190"]}