Commit fe34ea4

Upgrade etcd to 3.5.21 for CVE-2025-30204 [High] (#13197)
(cherry picked from commit 459c8b5)
1 parent f425ed6 commit fe34ea4

5 files changed

Lines changed: 12 additions & 139 deletions

SPECS/etcd/CVE-2023-45288.patch

Lines changed: 0 additions & 86 deletions
This file was deleted.

SPECS/etcd/CVE-2024-24786.patch

Lines changed: 0 additions & 41 deletions
This file was deleted.

SPECS/etcd/etcd.signatures.json

Lines changed: 2 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"Signatures": {
33
"etcd.service": "4550a4967ba35670051cbfd9b4edf1fc57c0f1d7a07e51f88351ac44c76d8066",
4-
"etcd-3.5.12-vendor.tar.gz": "2427523101fa0c5ec75f8c65224cddac89de86ae2f5d6b07f14ae7ea1b195064",
5-
"etcd-3.5.12.tar.gz": "90b56a7f2f43a993d420954322e607a6e6a0ca5549f1f7c7dc3567d2f56678d9"
4+
"etcd-3.5.21.tar.gz": "76d7fcafe4fcc957fcd45671226b992c16e5f5e724935dea9df0190ac2b13481",
5+
"etcd-3.5.21-vendor.tar.gz": "b4c072080f0ca47c1d447b6547165b943206cb5cb71dbd35a9e68079fdeac5a7"
66
}
77
}
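
Review bot: The two new SHA-256 values for `etcd-3.5.21.tar.gz` and `etcd-3.5.21-vendor.tar.gz` cannot be checked from the diff alone, so the change should record how each file was obtained. For the source tarball, state that it was fetched from the `downloadUrl` updated in `cgmanifest.json`; for the vendor tarball, state that it was produced with the `generate_source_tarball.sh` command documented in the spec. As a style point, the entry order was also flipped (the vendor tarball used to come first), which makes the hunk noisier than a pure version bump needs to be.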

SPECS/etcd/etcd.spec

Lines changed: 8 additions & 8 deletions
@@ -1,7 +1,7 @@
11
Summary: A highly-available key value store for shared configuration
22
Name: etcd
3-
Version: 3.5.12
4-
Release: 6%{?dist}
3+
Version: 3.5.21
4+
Release: 1%{?dist}
55
License: ASL 2.0
66
Vendor: Microsoft Corporation
77
Distribution: Mariner
@@ -13,10 +13,8 @@ Source1: etcd.service
1313
# In order to regenerate this tarball, download the source tarball and run:
1414
# generate_source_tarball.sh --srcTarball <source_tarball> --pkgVersion %%{version} --outFolder .
1515
Source2: %{name}-%{version}-vendor.tar.gz
16-
Patch0: CVE-2023-45288.patch
17-
Patch1: CVE-2024-24786.patch
1816

19-
BuildRequires: golang
17+
BuildRequires: msft-golang
2018

2119
%description
2220
A highly-available key value store for shared configuration and service discovery.
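
Review bot: The switch from `BuildRequires: golang` to `BuildRequires: msft-golang` at the end of this hunk is a toolchain change that neither the commit title nor the new changelog entry mentions. Either state the reason alongside the upgrade or move it into its own commit, so that a compiler swap can be reviewed and bisected separately from the etcd version bump.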
@@ -32,7 +30,7 @@ The etcd-tools package contains the etcd-dump-db and etcd-dump-logs diagnostic
3230
tools.
3331

3432
%prep
35-
%autosetup -N -p1
33+
%autosetup -N
3634
tar --no-same-owner -xf %{SOURCE2}
3735

3836
%build
@@ -43,7 +41,6 @@ mkdir -p %{ETCD_OUT_DIR}
4341
for component in server etcdctl etcdutl; do
4442
pushd $component
4543
tar --no-same-owner -xf %{_builddir}/%{name}-%{version}/vendor-$component.tar.gz
46-
patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input %{PATCH0}
4744
go build \
4845
-o %{ETCD_OUT_DIR} \
4946
-ldflags=-X=go.etcd.io/etcd/api/v3/version.GitSHA=v%{version}
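
Review bot: Only `%{PATCH0}` was applied by hand in this loop, and `%autosetup -N` applies nothing automatically, so it is unclear where `Patch1: CVE-2024-24786.patch` was ever applied. The eight deletions in this file are fully accounted for by the visible hunks, and none of them is a `patch ... --input %{PATCH1}` line. Please check that no `%{PATCH1}` reference survives in the unchanged parts of the spec, and confirm the CVE-2024-24786 fix from the contents of the 3.5.21 vendor tarballs rather than from the assumption that the old patch was in effect.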
@@ -57,7 +54,6 @@ mkdir -p %{ETCD_TOOLS_OUT_DIR}
5754
for component in etcd-dump-db etcd-dump-logs; do
5855
pushd tools/$component
5956
tar --no-same-owner -xf %{_builddir}/%{name}-%{version}/vendor-$component.tar.gz
60-
patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input %{PATCH0}
6157
go build \
6258
-o %{ETCD_TOOLS_OUT_DIR}
6359
popd
@@ -119,6 +115,10 @@ install -vdm755 %{buildroot}%{_sharedstatedir}/etcd
119115
/%{_docdir}/%{name}-%{version}-tools/*
120116

121117
%changelog
118+
* Sun Mar 30 2025 Kanishk Bansal <kanbansal@microsoft.com> - 3.5.21-1
119+
- Upgrade to 3.5.21 for CVE-2025-30204
120+
- Remove previously applied patches
121+
122122
* Mon Dec 09 2024 Kavya Sree Kaitepalli <kkaitepalli@microsoft.com> - 3.5.12-6
123123
- Patch for CVE-2024-24786
124124
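
Review bot: The new changelog line `- Remove previously applied patches` does not say which fixes were dropped or why that is safe. Name the patches removed in this commit (CVE-2023-45288 and CVE-2024-24786) and state that they are covered by the 3.5.21 sources, so anyone auditing the package history by CVE id can still see that these issues remain addressed after the patch files were deleted.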

cgmanifest.json

Lines changed: 2 additions & 2 deletions
@@ -3358,8 +3358,8 @@
33583358
"type": "other",
33593359
"other": {
33603360
"name": "etcd",
3361-
"version": "3.5.12",
3362-
"downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.5.12.tar.gz"
3361+
"version": "3.5.21",
3362+
"downloadUrl": "https://github.com/etcd-io/etcd/archive/v3.5.21.tar.gz"
33633363
}
33643364
}
33653365
},