Source: etcd
Version: 3.5.30-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for etcd.

CVE-2026-59818[0]:
| etcd is a distributed key-value store for the data of a distributed
| system. Prior to 3.5.32 and 3.6.13, when etcd is configured with
| --listen-client-http-urls to split HTTP and gRPC client endpoints
| onto separate listeners, the --client-crl-file Certificate
| Revocation List is not enforced on the gRPC listener, allowing a
| client with a revoked certificate to authenticate successfully over
| gRPC. This issue is fixed in versions 3.5.32 and 3.6.13.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-59818
    https://www.cve.org/CVERecord?id=CVE-2026-59818
[1] https://github.com/etcd-io/etcd/security/advisories/GHSA-3wh4-j44w-pg92
[2] https://github.com/etcd-io/etcd/pull/22007
[3] https://github.com/etcd-io/etcd/pull/22021
[4] https://github.com/etcd-io/etcd/pull/22025

Regards,
Salvatore

Reply via email to