Your message dated Sun, 31 May 2026 00:18:51 +0000
with message-id <[email protected]>
and subject line Bug#1132038: fixed in etcd 3.5.16-11
has caused the Debian Bug report #1132038,
regarding etcd: CVE-2026-33413
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132038: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132038
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: etcd
Version: 3.5.16-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for etcd.

CVE-2026-33413[0]:
| etcd is a distributed key-value store for the data of a distributed
| system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized
| users may bypass authentication or authorization checks and call
| certain etcd functions in clusters that expose the gRPC API to
| untrusted or partially trusted clients. In unpatched etcd clusters
| with etcd auth enabled, unauthorized users are able to call MemberList
| and learn cluster topology, including member IDs and advertised
| endpoints; call Alarm, which can be abused for operational disruption
| or denial of service; use Lease APIs, interfering with TTL-based keys
| and lease ownership; and/or trigger compaction, permanently removing
| historical revisions and disrupting watch, audit, and recovery
| workflows. Kubernetes does not rely on etcd’s built-in
| authentication and authorization. Instead, the API server handles
| authentication and authorization itself, so typical Kubernetes
| deployments are not affected. Versions 3.4.42, 3.5.28, and 3.6.9
| contain a patch. If upgrading is not immediately possible, reduce
| exposure by treating the affected RPCs as unauthenticated in practice.
| Restrict network access to etcd server ports so only trusted
| components can connect and/or require strong client identity at the
| transport layer, such as mTLS with tightly scoped client certificate
| distribution.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33413
    https://www.cve.org/CVERecord?id=CVE-2026-33413
[1] https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
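The advisory's mitigation advice (only trusted components may reach the client port, and strong client identity at the transport layer such as mTLS) turned into a configuration check, as an added example that is not part of the bug report or of etcd itself. It reads the etcd client-listener settings named by the flags in the comments, flags non-local listeners that rely on etcd's built-in auth alone, and compares an upstream version against the fixed releases the advisory quotes. The `ClientConfig` and `Finding` types, the `Audit`, `Worst`, `IsLoopback` and `UpstreamFixed` functions and the severity labels are this example's own; the sample configurations in `main` are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strconv"
	"strings"
)

// ClientConfig is the slice of etcd's client-facing configuration this audit
// looks at. Each field mirrors the etcd flag / environment variable in its
// comment; the struct itself belongs to this example, not to etcd.
type ClientConfig struct {
	ListenClientURLs string // --listen-client-urls / ETCD_LISTEN_CLIENT_URLS
	ClientCertAuth   bool   // --client-cert-auth  / ETCD_CLIENT_CERT_AUTH
	TrustedCAFile    string // --trusted-ca-file   / ETCD_TRUSTED_CA_FILE
}

// Finding is one audit result; Severity is "high", "medium" or "info"
// (labels chosen for this example).
type Finding struct {
	Severity string
	Message  string
}

// fixedPatch is the first patch release per upstream minor series that
// contains the fix, taken from the advisory text (3.4.42, 3.5.28, 3.6.9).
var fixedPatch = map[string]int{"3.4": 42, "3.5": 28, "3.6": 9}

// UpstreamFixed reports whether an upstream version string such as "3.5.27"
// or "v3.6.9" already contains the fix. Distribution packages that backport
// the fix (Debian's 3.5.16-11 in this bug) keep the old upstream version, so
// on such systems check the package version instead of this function.
func UpstreamFixed(version string) (bool, error) {
	parts := strings.SplitN(strings.TrimPrefix(version, "v"), ".", 3)
	if len(parts) != 3 {
		return false, fmt.Errorf("malformed version %q", version)
	}
	patch, err := strconv.Atoi(parts[2])
	if err != nil {
		return false, fmt.Errorf("malformed patch level in %q", version)
	}
	series := parts[0] + "." + parts[1]
	need, ok := fixedPatch[series]
	if !ok {
		return false, fmt.Errorf("series %s not covered by the advisory", series)
	}
	return patch >= need, nil
}

// IsLoopback reports whether a listen host is reachable only from the local
// machine. Wildcards (0.0.0.0, ::, empty host) and routable addresses are not.
func IsLoopback(host string) bool {
	if host == "localhost" {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// Audit checks the client listeners against the advisory's mitigation: a
// listener that is not loopback-only should require a client certificate,
// because on unpatched versions etcd's own auth does not gate the affected
// RPCs (MemberList, Alarm, Lease APIs, Compact).
func Audit(cfg ClientConfig) []Finding {
	var fs []Finding
	exposed := false
	for _, raw := range strings.Split(cfg.ListenClientURLs, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		u, err := url.Parse(raw)
		if err != nil {
			fs = append(fs, Finding{"medium", "unparseable listen URL " + raw})
			continue
		}
		switch {
		case u.Scheme == "unix" || u.Scheme == "unixs":
			// Local socket: reachability is a filesystem-permission question.
		case IsLoopback(u.Hostname()):
			fs = append(fs, Finding{"info", raw + " is loopback-only"})
		case u.Scheme == "http":
			exposed = true
			fs = append(fs, Finding{"high", raw + " is plaintext and non-local: no client " +
				"identity at all, so the affected RPCs are reachable by anyone who can connect"})
		default:
			exposed = true
		}
	}
	if exposed && !cfg.ClientCertAuth {
		fs = append(fs, Finding{"high", "non-local client listener without --client-cert-auth: " +
			"etcd's built-in auth is the only gate, and CVE-2026-33413 bypasses it for the affected RPCs"})
	}
	if cfg.ClientCertAuth && cfg.TrustedCAFile == "" {
		fs = append(fs, Finding{"medium", "--client-cert-auth is set but no --trusted-ca-file is configured"})
	}
	return fs
}

// Worst returns the highest severity present in fs, or "none".
func Worst(fs []Finding) string {
	rank := map[string]int{"none": 0, "info": 1, "medium": 2, "high": 3}
	worst := "none"
	for _, f := range fs {
		if rank[f.Severity] > rank[worst] {
			worst = f.Severity
		}
	}
	return worst
}

func main() {
	// Constructed sample configurations, not taken from any real host.
	samples := map[string]ClientConfig{
		"exposed-plaintext":  {ListenClientURLs: "http://0.0.0.0:2379"},
		"tls-no-client-cert": {ListenClientURLs: "https://[::]:2379"},
		"hardened":           {ListenClientURLs: "https://10.0.0.5:2379", ClientCertAuth: true, TrustedCAFile: "/etc/etcd/ca.crt"},
	}
	for name, cfg := range samples {
		fs := Audit(cfg)
		fmt.Printf("%s: worst=%s\n", name, Worst(fs))
		for _, f := range fs {
			fmt.Printf("  [%s] %s\n", f.Severity, f.Message)
		}
	}
	for _, v := range []string{"3.5.16", "3.5.28", "3.4.41"} {
		ok, err := UpstreamFixed(v)
		fmt.Printf("upstream %s fixed: %v (err=%v)\n", v, ok, err)
	}
}
```

The version check only answers "does this upstream release contain the fix"; a Debian host running the package from this bug reports upstream 3.5.16 and is fixed from 3.5.16-11 on, so there the package version from `dpkg -s etcd` is the thing to compare. The listener audit is deliberately independent of the version: even on a patched cluster, a non-local client port without mTLS leaves etcd's password/token auth as the only gate, which is exactly the assumption the advisory says not to rely on.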
--- Begin Message ---
Source: etcd
Source-Version: 3.5.16-11
Done: Reinhard Tartler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
etcd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated etcd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 May 2026 18:01:06 -0400
Source: etcd
Architecture: source
Version: 3.5.16-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1132037 1132038 1136829 1137394
Changes:
 etcd (3.5.16-11) unstable; urgency=medium
 .
   * Fix FTBFS with OpenTelemetry 0.60+ (Closes: #1137394)
   * Backport security fixes:
     - CVE-2026-33413: guard unauthenticated endpoints with auth checks
       (Closes: #1132038)
     - CVE-2026-33343: enforce auth checks for nested txn ops
       (Closes: #1132037)
     - CVE-2026-44283: fix PrevKv and Lease auth bypass in Txn
       (Closes: #1136829)
Checksums-Sha1:
 15f0d222a021a737a709b4a741a39e837b2c8020 3996 etcd_3.5.16-11.dsc
 c16608a6525ee31102bba0cdcfdef7fb90513c4f 55108 etcd_3.5.16-11.debian.tar.xz
Checksums-Sha256:
 8bc7d49fd2744d84876f8260367e0b41235b25578c9eebaa5927a725a6950dcb 3996 etcd_3.5.16-11.dsc
 cde8f1f61e8324cfb1afb9a64079c9a23b732d60f03fbcb4cd1b1f44ce4e17b4 55108 etcd_3.5.16-11.debian.tar.xz
Files:
 1695d6e703705e001d5f6ddebd148d26 3996 net optional etcd_3.5.16-11.dsc
 7f18965d9db85b4f108b4c0d5a017512 55108 net optional etcd_3.5.16-11.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCgAyFiEEMN59F2OrlFLH4IJQSadpd5QoJssFAmobeGQUHHNpcmV0YXJ0
QHRhdXdhcmUuZGUACgkQSadpd5QoJsuGcg//YRhfHDShJDr9aBBnxOy+Yx7zSZU8
7tDJ1LmlCtwq1uYY/jKDW9tbWR4Fq/x5HrYAWFe9M7dqSJveu4jb/kX5tmX9LyT4
qUlN20cNV/gFFaemTBRS3VL/84v3MyaHECS/DHebam/7P04fBVs74wbZcqKnPqP/
Fk4ynyZnShKFc9KsT0eplyAUKyyuakmqN0jdb8q1saKINMI2zDhJ+cmdsGo0U0WX
VNlfoj+ieSX8WpXCvGRzgA6pcpBTuMl8Zb1BlIZBmo2SCINDWG4e0PSyNUMblBbv
7fSZDTiEb+2KKBNP94oV5mw9myPlYLCjJLyTjYvn47zORewwgGBhv07p8T7k92fV
namXkk4QKRpOWW7aJ0FeZQzrkrCvl4YY3gh5ZMUL8feBvxfob3IHoFV8xRRuO8oU
+UXwkBnrflNXOunTbLknVP9S9Rk82XF30D4DSSaC7e52FgFRzMIXY0su+VcsYceZ
nn9tajWmNTyMBQKo8iqaW8pESveSkBMsziB5rFZxk/emvDQIrsEHh66k1nlCnG3J
kueZgyy2UwextXNHVOTinS6kbxhaJ5Xx+zz6SV5sGl8vcLmvTqdSEOdnITVF9Qzt
1vQlUbnC24kPOfxIln1iug56WrnOxJO3zIA1NyEPybc5fnSDTgQnA9gX004Ary7x
ceDFu+LMvz64GTk=
=HSfa
-----END PGP SIGNATURE-----

Attachment: pgpPFW24tuGOy.pgp
Description: PGP signature


--- End Message ---
