Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Plan to release v3.5.19 #19494

Open
4 tasks
ivanvc opened this issue Feb 26, 2025 · 3 comments
Open
4 tasks

Plan to release v3.5.19 #19494

ivanvc opened this issue Feb 26, 2025 · 3 comments
Assignees
@ivanvc
Labels
area/security priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. type/feature

Comments

@ivanvc
Copy link
Member

ivanvc commented Feb 26, 2025
edited
Loading

What would you like to be added?

The etcd patch release criteria has been met for our release-3.5
stable branch, so we should release v3.5.19.

We have addressed the following CVEs, since the last release:

  • go.mongodb.org/mongo-driver (indirect): CVE-2021-20329: Moderate 1
  • github.com/golang/glog (indirect) CVE-2024-45339: Moderate 1
  • golang.org/x/crypto (direct, but not affected): CVE-2025-22869: Not yet rated.
  • golang stdlib 1.22.11: CVE-2025-22866: Not yet rated (NIST) / High (GitHub).

Work in progress CHANGELOG is: https://github.com/etcd-io/etcd/blob/main/CHANGELOG/CHANGELOG-3.5.md#v3519-tbc

The list of commits included since the previous release is: v3.5.18...release-3.5:

Outstanding tasks before releasing this version:

Release team

GitHub handle Role
@ivanvc TBD

Why is this needed?

Regular patch releases are vital to ensure our users have bug-free and secure software.

Footnotes

  1. from tool dependencies (not included in the released images). 2
@ivanvc ivanvc added area/security priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. type/feature labels Feb 26, 2025
@ivanvc ivanvc self-assigned this Feb 26, 2025
@ivanvc ivanvc mentioned this issue Feb 26, 2025
Open
3 tasks
@ivanvc
Copy link
Member Author

ivanvc commented Feb 27, 2025

Hi, @ahrtr. I was thinking of doing a tandem release again next week. Should either of the outstanding tasks be considered a blocker for v3.5.19?

@ahrtr
Copy link
Member

ahrtr commented Feb 27, 2025

Should either of the outstanding tasks be considered a blocker for v3.5.19?

No blockers.

@ivanvc
Copy link
Member Author

ivanvc commented Feb 28, 2025

Same note from #19489 (comment).

According to the golang mailing list, Go v1.23.7 will be released next Tuesday, March 4th, along with a new golang.org/x/net version to address CVE-2025-22870. It would be great to ship our latest versions with these version bumps. So, tentatively the releases are due on Wednesday, March 5th.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ivanvc ivanvc

Labels
area/security priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. type/feature
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ivanvc @ahrtr