Merge PR "[AUTO-CHERRYPICK] [High] Upgrade etcd to 3.5.28 for CVE-2026-33413 and CVE-2026-33343 - branch main" #16375

CBL-Mariner-Bot · AkarshHCL · Kanishk-Bansal · web-flow · commit 1d8c94dd5d14 · 2026-03-30T13:25:09.000-07:00
Co-authored-by: AkarshHCL &lt;v-akarshc@microsoft.com&gt;
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
diff --git a/SPECS/etcd/etcd.signatures.json b/SPECS/etcd/etcd.signatures.json
@@ -1,7 +1,7 @@
 {
   "Signatures": {
     "etcd.service": "4550a4967ba35670051cbfd9b4edf1fc57c0f1d7a07e51f88351ac44c76d8066",
-    "etcd-3.5.21.tar.gz": "76d7fcafe4fcc957fcd45671226b992c16e5f5e724935dea9df0190ac2b13481",
-    "etcd-3.5.21-vendor.tar.gz": "b4c072080f0ca47c1d447b6547165b943206cb5cb71dbd35a9e68079fdeac5a7"
+    "etcd-3.5.28.tar.gz": "c1e873c174c44de5fb148024d3ad741cae11548b5b6d2ac36a003289e55024be",
+    "etcd-3.5.28-vendor.tar.gz": "7decc96250a76e9807d98834d35657d7f5ccdfd2f3d5e507d8e97bddc05cc79c"
   }
 }
diff --git a/SPECS/etcd/etcd.spec b/SPECS/etcd/etcd.spec
@@ -1,7 +1,7 @@
 Summary:        A highly-available key value store for shared configuration
 Name:           etcd
-Version:        3.5.21
-Release:        4%{?dist}
+Version:        3.5.28
+Release:        1%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -14,7 +14,7 @@ Source1:        etcd.service
 #   generate_source_tarball.sh --srcTarball <source_tarball> --pkgVersion %%{version} --outFolder .
 Source2:        %{name}-%{version}-vendor.tar.gz
 
-BuildRequires:  msft-golang
+BuildRequires:  msft-golang > 1.25
 
 %description
 A highly-available key value store for shared configuration and service discovery.
@@ -115,6 +115,9 @@ install -vdm755 %{buildroot}%{_sharedstatedir}/etcd
 /%{_docdir}/%{name}-%{version}-tools/*
 
 %changelog
+* Fri Mar 27 2026 Akarsh Chaudhary <v-akarshc@microsoft.com> - 3.5.28-1
+- Upgrade to version 3.5.28 (fixes CVE-2026-33413 and CVE-2026-33343).
+
 * Tue Oct 14 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.5.21-4
 - Bump to build with latest golang 1.24.9
 
@@ -149,7 +152,7 @@ install -vdm755 %{buildroot}%{_sharedstatedir}/etcd
 * Fri Feb 02 2024 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.5.9-2
 - Bump release to rebuild with go 1.21.6
 
-* Tue Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 3.5.9-1
+* Wed Oct 18 2023 Nicolas Guibourge <nicolasg@microsoft.com> - 3.5.9-1
 - Upgrade to 3.5.9 to match version required by kubernetes
 
 * Mon Oct 16 2023 CBL-Mariner Servicing Account <cblmargh@microsoft.com> - 3.5.6-12
diff --git a/cgmanifest.json b/cgmanifest.json
@@ -3348,8 +3348,8 @@
         "type": "other",
         "other": {
           "name": "etcd",
-          "version": "3.5.21",
-          "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.5.21.tar.gz"
+          "version": "3.5.28",
+          "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.5.28.tar.gz"
         }
       }
     },

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"Signatures": {`
`3`	`3`	`"etcd.service": "4550a4967ba35670051cbfd9b4edf1fc57c0f1d7a07e51f88351ac44c76d8066",`
`4`		`- "etcd-3.5.21.tar.gz": "76d7fcafe4fcc957fcd45671226b992c16e5f5e724935dea9df0190ac2b13481",`
`5`		`- "etcd-3.5.21-vendor.tar.gz": "b4c072080f0ca47c1d447b6547165b943206cb5cb71dbd35a9e68079fdeac5a7"`
	`4`	`+ "etcd-3.5.28.tar.gz": "c1e873c174c44de5fb148024d3ad741cae11548b5b6d2ac36a003289e55024be",`
	`5`	`+ "etcd-3.5.28-vendor.tar.gz": "7decc96250a76e9807d98834d35657d7f5ccdfd2f3d5e507d8e97bddc05cc79c"`
`6`	`6`	`}`
`7`	`7`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3348,8 +3348,8 @@`
`3348`	`3348`	`"type": "other",`
`3349`	`3349`	`"other": {`
`3350`	`3350`	`"name": "etcd",`
`3351`		`- "version": "3.5.21",`
`3352`		`- "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.5.21.tar.gz"`
	`3351`	`+ "version": "3.5.28",`
	`3352`	`+ "downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.5.28.tar.gz"`
`3353`	`3353`	`}`
`3354`	`3354`	`}`
`3355`	`3355`	`},`