Upgrade etcd to 3.5.32 for CVE-2026-59818 #18002
Conversation
|
Azure Pipelines: There may be pipelines that require an authorized user to comment /azp run to run. |
|
Drop CVE-2026-29181, CVE-2026-39821, and CVE-2026-33814 patches; these fixes are already included in v3.5.32.
|
|
etcd 3.5.30 → 3.5.32 — Change Breakdown & Compatibility Analysis (Azure Linux) 1. Azure Linux packaging changes (spec) Version 3.5.30 → 3.5.32, Release 2 → 1. Compatibility assessment
Dimension | Impact
-- | --
Cluster protocol / rolling upgrade | ✅ Safe — MinClusterVersion stays 3.0.0; standard in-place 3.5.x rolling upgrade
On-disk storage / WAL / snapshot | ✅ No format changes
CLI flags / etcd-default-conf.yml | ✅ Backward compatible (only additive --v2-deprecation value)
gRPC/HTTP API | ✅ No breaking changes
Build (Azure Linux) | ✅ Builds offline; Watch-outs (intended, not regressions): CRL now enforced on the gRPC path with --listen-client-http-urls — clients using revoked certs that previously slipped through will now be rejected. Recommendations |
Kanishk-Bansal
left a comment
There was a problem hiding this comment.
we are performing this upgrade for CVE-2026-59818 which you should mention in PR, title, and changelog
Kanishk-Bansal
left a comment
There was a problem hiding this comment.
LGTM, Micro version bump to fix the CVE.
dropped patches are covered in this version.
- Buddy Build
- Tarball uploaded
- Changelog entry
- CG Manifest
- PR has
security&CVE-fixed-by-upgradetag
| set -e | ||
|
|
||
| # etcd's go.mod files pin a newer Go release via the 'toolchain' directive than | ||
| # the base system Go. Default to automatic toolchain selection so 'go' fetches |
kgodara912
left a comment
There was a problem hiding this comment.
Minor version bump to fix CVE. The dropped cves are already included in the upgraded version. Though prep section autosetup can be replaced without tar extracation by swapping SOURCE1 and SOURCE2 but it is fine to keep them separate as well. Tarball generation can be further verified in next release. Buddy build is successful. LGTM.

Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-staticsubpackages, etc.) have had theirReleasetag incremented../cgmanifest.json,./toolkit/scripts/toolchain/cgmanifest.json,.github/workflows/cgmanifest.json)./LICENSES-AND-NOTICES/SPECS/data/licenses.json,./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md,./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
Change Log
Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology