Source: etcd Version: 3.5.30-2 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for etcd. CVE-2026-59818[0]: | etcd is a distributed key-value store for the data of a distributed | system. Prior to 3.5.32 and 3.6.13, when etcd is configured with | --listen-client-http-urls to split HTTP and gRPC client endpoints | onto separate listeners, the --client-crl-file Certificate | Revocation List is not enforced on the gRPC listener, allowing a | client with a revoked certificate to authenticate successfully over | gRPC. This issue is fixed in versions 3.5.32 and 3.6.13. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-59818 https://www.cve.org/CVERecord?id=CVE-2026-59818 [1] https://github.com/etcd-io/etcd/security/advisories/GHSA-3wh4-j44w-pg92 [2] https://github.com/etcd-io/etcd/pull/22007 [3] https://github.com/etcd-io/etcd/pull/22021 [4] https://github.com/etcd-io/etcd/pull/22025 Regards, Salvatore

