Your message dated Sun, 31 May 2026 00:18:51 +0000
with message-id <[email protected]>
and subject line Bug#1136829: fixed in etcd 3.5.16-11
has caused the Debian Bug report #1136829,
regarding etcd: CVE-2026-44283
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136829: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136829
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: etcd
Version: 3.5.16-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for etcd.

CVE-2026-44283[0]:
| etcd is a distributed key-value store for the data of a distributed
| system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd
| allows read access via PrevKv, or lease attachment in Put requests
| within transaction operations, to bypass RBAC authorization checks.
| An authenticated user without sufficient read or lease-related
| permissions may be able to access unauthorized data or attach leases
| by invoking transaction operations with these features enabled. This
| vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44283
    https://www.cve.org/CVERecord?id=CVE-2026-44283
[1] https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: etcd
Source-Version: 3.5.16-11
Done: Reinhard Tartler <[email protected]>

We believe that the bug you reported is fixed in the latest version of
etcd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reinhard Tartler <[email protected]> (supplier of updated etcd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 May 2026 18:01:06 -0400
Source: etcd
Architecture: source
Version: 3.5.16-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <[email protected]>
Changed-By: Reinhard Tartler <[email protected]>
Closes: 1132037 1132038 1136829 1137394
Changes:
 etcd (3.5.16-11) unstable; urgency=medium
 .
   * Fix FTBFS with OpenTelemetry 0.60+ (Closes: #1137394)
   * Backport security fixes:
     - CVE-2026-33413: guard unauthenticated endpoints with auth checks
       (Closes: #1132038)
     - CVE-2026-33343: enforce auth checks for nested txn ops
       (Closes: #1132037)
     - CVE-2026-44283: fix PrevKv and Lease auth bypass in Txn
       (Closes: #1136829)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


--- End Message ---
