
Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] (main)#1045

Open
red-hat-konflux[bot] wants to merge 1 commit into main from konflux/mintmaker/main-main/go-helm.sh-helm-v3-vulnerability

Conversation

@red-hat-konflux
Contributor

This PR contains the following updates:

Package          Change               Age   Confidence
helm.sh/helm/v3  v3.19.5 -> v3.20.2   age   confidence

Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

BIT-helm-2026-35206 / CVE-2026-35206 / GHSA-hr2v-4r36-88hr

Details

Helm is a package manager for Charts for Kubernetes. In Helm versions <=3.20.1 and <=4.1.3, a specially crafted Chart will cause helm pull --untar [chart URL | repo/chartname] to write the Chart's contents to the immediate output directory (as defaulted to the current working directory; or as given by the --destination and --untardir flags), rather than the expected output directory suffixed by the chart's name.

Impact

The bug enables writing the Chart's contents (unpackaged/untar'ed) to the output directory <output dir>/, instead of the expected <output dir>/<chart name>/, potentially overwriting the contents of the targeted directory.

Note: a chart name containing POSIX dot-dot, or dot-dot and slashes (as if to refer to parent directories), does not resolve beyond the output directory, as designed.

Patches

This issue has been resolved in Helm v3.20.2 and v4.1.3.

A Chart with an unexpected name (those specified to be "." or ".."), or a Chart name which results in a non-unique directory will be rejected.

Workarounds

Ensure the name of the Chart does not comprise/contain POSIX pathname special directory references, i.e. dot-dot ("..") or dot ("."). In addition, ensuring that the pull --untar flag (or equivalent SDK option) refers to a unique/empty output directory prevents chart extraction from inadvertently overwriting existing files within the specified directory.
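The two defensive checks the Patches and Workarounds sections describe (reject "." / ".." chart names that would collapse the extraction path onto the output directory, and only extract into a unique or empty directory) as an added Go example. This is illustrative code written for this page, not Helm's own implementation; the function names `ExtractionDir` and `EnsureEmptyTarget` are hypothetical, and dropping any directory components from the name (so "../x" becomes "x") is this example's own assumption about how parent references should be neutralised.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrBadChartName is returned when a chart name would not yield a distinct
// extraction directory strictly beneath the output directory.
var ErrBadChartName = errors.New("chart name does not yield a unique extraction directory")

// ExtractionDir returns the directory <outputDir>/<chart name> that an untar
// should write into. It rejects names that would collapse onto outputDir
// itself ("", ".", "..", and names that clean to "." such as "a/.."). Any
// directory components in the name are dropped, so "../x" becomes "x";
// that is an assumption of this example, not a description of Helm's code.
func ExtractionDir(outputDir, chartName string) (string, error) {
	name := strings.TrimSpace(chartName)
	if name == "" || name == "." || name == ".." {
		return "", fmt.Errorf("%w: %q", ErrBadChartName, chartName)
	}
	base := filepath.Base(filepath.Clean(name))
	if base == "." || base == ".." || base == string(filepath.Separator) {
		return "", fmt.Errorf("%w: %q", ErrBadChartName, chartName)
	}
	out := filepath.Clean(outputDir)
	target := filepath.Join(out, base)
	// Belt and braces: the result must be strictly below outputDir.
	prefix := out + string(filepath.Separator)
	if strings.HasSuffix(out, string(filepath.Separator)) { // outputDir is the root
		prefix = out
	}
	if target == out || !strings.HasPrefix(target, prefix) {
		return "", fmt.Errorf("%w: %q resolves to %q", ErrBadChartName, chartName, target)
	}
	return target, nil
}

// EnsureEmptyTarget implements the advisory's workaround of extracting only
// into a unique or empty directory: it succeeds when target does not exist
// yet or is an empty directory, and fails otherwise so that existing files
// are never overwritten by the chart contents.
func EnsureEmptyTarget(target string) error {
	entries, err := os.ReadDir(target)
	if errors.Is(err, os.ErrNotExist) {
		return nil
	}
	if err != nil {
		return err
	}
	if len(entries) > 0 {
		return fmt.Errorf("refusing to extract into non-empty directory %q", target)
	}
	return nil
}

func main() {
	// Constructed sample names: one benign, the rest the advisory's cases.
	for _, name := range []string{"nginx", ".", "..", "a/..", "../escape"} {
		dir, err := ExtractionDir("out", name)
		if err != nil {
			fmt.Printf("%-12q rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-12q -> %s (empty check: %v)\n", name, dir, EnsureEmptyTarget(dir))
	}
}
```

Run the two checks in that order before untarring: first compute the target with `ExtractionDir`, then refuse to proceed unless `EnsureEmptyTarget` passes. Together they guarantee that chart contents land in a fresh directory one level below the output directory, which is exactly the property the advisory says a crafted Chart.yaml name could defeat.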

Credits

Oleh Konko
@1seal

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

helm/helm (helm.sh/helm/v3)

v3.20.2: Helm v3.20.2

Compare Source

v3.20.2

Helm v3.20.2 is a security patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

  • Join the discussion in Kubernetes Slack:
    • for questions and just to hang out
    • for discussing PRs, code, and bugs
  • Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
  • Test, debug, and contribute charts: ArtifactHub/packages

Security fixes

  • GHSA-hr2v-4r36-88hr Helm Chart extraction output directory collapse via Chart.yaml name dot-segment

Installation and Upgrading

Download Helm v3.20.2. The common platform binaries are here:

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.5 and 3.20.3 are the next patch (bug fix) releases and will be on April 8, 2026
  • 4.2.0 and 3.21.0 are the next minor (feature) releases and will be on May 13, 2026

Changelog

  • fix: Chart dot-name path bug 8fb76d6 (George Jenkins)
  • fix: pin codeql-action/upload-sarif to commit SHA in scorecards workflow 3a8927e (Terry Howe)

v3.20.1: Helm v3.20.1

Compare Source

Helm v3.20.1 is a patch release. Users are encouraged to upgrade for the best experience.


Notable Changes

  • Backport of #31644: Fixed a bug where user-provided nil value was not preserved when chart has an empty map or no default for a key
  • Backport of #31601: Fixed a bug where OCI references with tag+digest failed with "invalid byte" error

Installation and Upgrading

Download Helm v3.20.1. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.2.0 and 3.21.0 are the next minor releases and will be on May 13, 2026
  • 4.1.4 and 3.20.2 are the next patch releases and will be on April 8, 2026

Changelog

  • chore(deps): bump the k8s-io group with 7 updates a2369ca (dependabot[bot])
  • add image index test 90e1056 (Pedro Tôrres)
  • fix pulling charts from OCI indices 911f2e9 (Pedro Tôrres)
  • Remove refactorring changes from coalesce_test.go 76dad33 (Evans Mungai)
  • Fix import 45c12f7 (Evans Mungai)
  • Update pkg/chart/common/util/coalesce_test.go 26c6f19 (Evans Mungai)
  • Fix lint warning 09f5129 (Evans Mungai)
  • Preserve nil values in chart already 417deb2 (Evans Mungai)
  • fix(values): preserve nil values when chart default is empty map 5417bfa (Evans Mungai)

v3.20.0: Helm v3.20.0

Compare Source

Helm v3.20.0 is a feature release. Users are encouraged to upgrade for the best experience.


Notable Changes

  • SDK: bump k8s API versions to v0.35.0
  • v3 backport: Fixed a bug where helm uninstall with --keep-history did not supersede previously deployed releases #12564
  • v3 backport: Bump Go version to v1.25

Installation and Upgrading

Download Helm v3.20.0. The common platform binaries are here:

This release was signed with 208D D36E D5BB 3745 A167 43A4 C7C6 FBB5 B91C 1155 and can be found at @scottrigby keybase account. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

  • 4.1.1 and 3.20.1 are the next patch releases, scheduled for March 11, 2026
  • 4.2.0 and 3.21.0 are the next minor releases, scheduled for May 13, 2026

Changelog

  • bump version to v3.20 f6e17f6 (Scott Rigby)
  • chore(deps): bump golang.org/x/text from 0.32.0 to 0.33.0 4f5a655 (dependabot[bot])
  • chore(deps): bump golang.org/x/term from 0.38.0 to 0.39.0 65c504a (dependabot[bot])
  • chore(deps): bump github.com/foxcpp/go-mockdns from 1.1.0 to 1.2.0 f3b8af4 (dependabot[bot])
  • chore(deps): bump the k8s-io group with 7 updates 89c2c61 (dependabot[bot])
  • [dev-v3] Replace deprecated NewSimpleClientset 526076e (George Jenkins)
  • [dev-v3] Bump Go v1.25, golangci-lint v2 0ae8e4f (George Jenkins)
  • chore(deps): bump github.com/BurntSushi/toml from 1.5.0 to 1.6.0 e0d2595 (dependabot[bot])
  • chore(deps): bump github.com/containerd/containerd from 1.7.29 to 1.7.30 858acb1 (dependabot[bot])
  • fix(rollback): errors.Is instead of string comp 0cd9a60 (Hidde Beydals)
  • fix(uninstall): supersede deployed releases 8bb0b37 (Hidde Beydals)
  • Use latest patch release of Go in releases 930ba6f (Matt Farina)
  • chore(deps): bump the k8s-io group with 7 updates 582211c (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.45.0 to 0.46.0 585c25c (dependabot[bot])
  • chore(deps): bump golang.org/x/text from 0.31.0 to 0.32.0 6f17d46 (dependabot[bot])
  • chore(deps): bump golang.org/x/term from 0.37.0 to 0.38.0 46ff427 (dependabot[bot])
  • chore(deps): bump github.com/spf13/cobra from 1.10.1 to 1.10.2 28b813a (dependabot[bot])
  • chore(deps): bump github.com/rubenv/sql-migrate from 1.8.0 to 1.8.1 5dde5d6 (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.44.0 to 0.45.0 362900b (dependabot[bot])
  • chore(deps): bump github.com/cyphar/filepath-securejoin ec61de5 (dependabot[bot])
  • chore(deps): bump the k8s-io group with 7 updates a490607 (dependabot[bot])
  • chore(deps): bump golang.org/x/text from 0.30.0 to 0.31.0 8509bcc (dependabot[bot])
  • chore(deps): bump golang.org/x/crypto from 0.43.0 to 0.44.0 d495a94 (dependabot[bot])
  • Remove dev-v3 helm-latest-version publish 01dc6cc (George Jenkins)
  • chore(deps): bump golang.org/x/term from 0.36.0 to 0.37.0 6647f84 (dependabot[bot])
  • chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 b548118 (dependabot[bot])
  • Revert "pkg/registry: Login option for passing TLS config in memory" 6a67b55 (Scott Rigby)
  • chore(deps): bump github.com/cyphar/filepath-securejoin 6d4f8c0 (dependabot[bot])
  • jsonschema: warn and ignore unresolved URN $ref to match v3.18.4 3f0da15 (Benoit Tigeot)
  • Fix helm pull untar dir check with repo urls e5e101c (Luna Stadler)
  • chore(deps): bump golang.org/x/crypto from 0.42.0 to 0.43.0 6aae923 (dependabot[bot])
  • chore(deps): bump github.com/gofrs/flock from 0.12.1 to 0.13.0 1900c6a (dependabot[bot])
  • chore(deps): bump golang.org/x/text from 0.29.0 to 0.30.0 43e9297 (dependabot[bot])
  • chore(deps): bump github.com/cyphar/filepath-securejoin d347e2b (dependabot[bot])
  • [backport] fix: get-helm-3 script use helm3-latest-version bd337b4 (George Jenkins)
  • pkg/registry: Login option for passing TLS config in memory b80959f (Matheus Pimenta)
  • chore(deps): bump the k8s-io group with 7 updates 1ac9d34 (dependabot[bot])
  • Fix deprecation warning 9a366b4 (Benoit Tigeot)
  • chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.42.0 0c5a17e (dependabot[bot])
  • chore(deps): bump golang.org/x/term from 0.34.0 to 0.35.0 b999021 (dependabot[bot])
  • Avoid "panic: interface conversion: interface {} is nil" 2fe49f9 (Benoit Tigeot)
  • bump version to v3.19.0 c3610ab (Scott Rigby)
  • chore(deps): bump github.com/spf13/pflag from 1.0.7 to 1.0.10 73b449f (dependabot[bot])
  • fix: set repo authorizer in registry.Client.Resolve() ffbc537 (Eric Stroczynski)
  • fix null merge f0b699e (Ben Foster)
  • Add timeout flag to repo add and update flags 79a9cc5 (Reinhard Nägele)

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

@red-hat-konflux red-hat-konflux Bot added dependencies Pull requests that update a dependency file ok-to-test labels Apr 24, 2026
@red-hat-konflux
Contributor Author

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 1 additional dependency was updated

Details:

Package                     Change
github.com/BurntSushi/toml  v1.5.0 -> v1.6.0

@openshift-ci

openshift-ci Bot commented Apr 24, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: red-hat-konflux[bot]
Once this PR has been reviewed and has the lgtm label, please assign zhiweiyin318 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/go-helm.sh-helm-v3-vulnerability branch 7 times, most recently from edda1a2 to e5ef523 Compare April 24, 2026 21:03
@red-hat-konflux red-hat-konflux Bot changed the title Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] (main) Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] (main) - autoclosed Apr 27, 2026
@red-hat-konflux red-hat-konflux Bot closed this Apr 27, 2026
@red-hat-konflux red-hat-konflux Bot deleted the konflux/mintmaker/main-main/go-helm.sh-helm-v3-vulnerability branch April 27, 2026 13:57
@red-hat-konflux red-hat-konflux Bot changed the title Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] (main) - autoclosed Update module helm.sh/helm/v3 to v3.20.2 [SECURITY] (main) Apr 27, 2026
@red-hat-konflux red-hat-konflux Bot reopened this Apr 27, 2026
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/go-helm.sh-helm-v3-vulnerability branch 13 times, most recently from 92300c2 to e5ef523 Compare April 27, 2026 17:12
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/go-helm.sh-helm-v3-vulnerability branch 4 times, most recently from 6222dc1 to 9d55c40 Compare April 27, 2026 17:13
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@red-hat-konflux red-hat-konflux Bot force-pushed the konflux/mintmaker/main-main/go-helm.sh-helm-v3-vulnerability branch from 9d55c40 to c5ef09d Compare April 27, 2026 17:13

Labels

dco-signoff: yes dependencies Pull requests that update a dependency file ok-to-test
