Detections
Analytics

openSUSE 16 Security Update : helm (openSUSE-SU-2026:20655-1)

medium Nessus Plugin ID 312145

Synopsis

The remote openSUSE host is missing one or more security updates.

Description

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20655-1 advisory.

 Update to version 3.20.2.

 Security issued fixed:

 - CVE-2025-55199: specially crafted JSON Schema can lead to out of memory (OOM) termination (bsc#1248093).
 - CVE-2026-35206: specially crafted Chart will have contents extracted to immediate output directory rather than to expected output directory suffixed by the Chart's name (bsc#1261938).

 Other updates and bugfixes:

 - Version 3.20.1:
 - chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
 - add image index test 90e1056 (Pedro T?rres)
 - fix pulling charts from OCI indices 911f2e9 (Pedro T?rres)
 - Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
 - Fix import 45c12f7 (Evans Mungai)
 - Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
 - Fix lint warning 09f5129 (Evans Mungai)
 - Preserve nil values in chart already 417deb2 (Evans Mungai)
 - fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)
 - Version 3.20.0:
 - SDK: bump k8s API versions to v0.35.0
 - v3 backport: Fixed a bug where helm uninstall with --keep-history did not suspend previous deployed releases #12564
 - v3 backport: Bump Go version to v1.25
 - bump version to v3.20
 - chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0
 - chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0
 - chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0
 - chore(deps): bump the k8s-io group with 7 updates
 - [dev-v3] Replace deprecated `NewSimpleClientset`
 - [dev-v3] Bump Go v1.25, `golangci-lint` v2
 - chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0
 - chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30
 - fix(rollback): `errors.Is` instead of string comp
 - fix(uninstall): supersede deployed releases
 - Use latest patch release of Go in releases
 - chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0
 - chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0
 - chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0
 - chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2
 - chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1
 - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0
 - chore(deps): bump github.com/cyphar/filepath-securejoin
 - chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0
 - chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0
 - Remove dev-v3 `helm-latest-version` publish
 - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 1.7.28 to 1.7.29
 - Revert pkg/registry: Login option for passing TLS config in memory
 - jsonschema: warn and ignore unresolved URN $ref to match v3.18.4
 - Fix `helm pull` untar dir check with repo urls
 - chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0
 - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0
 - chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0
 - [backport] fix: get-helm-3 script use helm3-latest-version
 - pkg/registry: Login option for passing TLS config in memory
 - Fix deprecation warning
 - chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0
 - chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0
 - Avoid panic: interface conversion: interface {} is nil
 - bump version to v3.19.0
 - chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10
 - fix: set repo authorizer in registry.Client.Resolve()
 - fix null merge
 - Add timeout flag to repo add and update flags
 - Version 3.19.5:
 - Fixed bug where removing subchart value via override resulted in warning #31118
 - Fixed bug where helm uninstall with --keep-history did not suspend previous deployed releases #12556
 - fix(rollback): errors.Is instead of string comp 4a19a5b (Hidde Beydals)
 - fix(uninstall): supersede deployed releases 7a00235 (Hidde Beydals)
 - fix null merge 578564e (Ben Foster)
 - Version 3.19.4:
 - Use latest patch release of Go in releases 7cfb6e4 (Matt Farina)
 - chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 59c951f (dependabot[bot])
 - chore(deps): bump github.com/cyphar/filepath-securejoin d45f3f1
 - chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 d459544 (dependabot[bot])
 - chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 becd387 (dependabot[bot])
 - chore(deps): bump the k8s-io group with 7 updates edb1579
 - Version 3.19.3:
 - Bump golang.org/x/crypto to v0.45.0
 - Version 3.19.2:
 - [backport] fix: get-helm-3 script use helm3-latest-version 8766e71 (George Jenkins)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected helm, helm-bash-completion, helm-fish-completion and / or helm-zsh-completion packages.

See Also

https://bugzilla.suse.com/1248093

https://bugzilla.suse.com/1261938

https://www.suse.com/security/cve/CVE-2025-55199

https://www.suse.com/security/cve/CVE-2026-35206

Plugin Details

Severity: Medium

ID: 312145

File Name: openSUSE-2026-20655-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 5/5/2026

Updated: 5/5/2026

Supported Sensors: Continuous Assessment, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 3.6

Temporal Score: 2.7

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2026-35206

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.1

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Vulnerability Information

CPE: cpe:/o:novell:opensuse:16.0, p-cpe:/a:novell:opensuse:helm, p-cpe:/a:novell:opensuse:helm-zsh-completion, p-cpe:/a:novell:opensuse:helm-fish-completion, p-cpe:/a:novell:opensuse:helm-bash-completion

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/30/2026

Vulnerability Publication Date: 8/13/2025

Reference Information

CVE: CVE-2025-55199, CVE-2026-35206