
Bump golang.org/x/crypto v0.45.0 to address CVEs on crypto v0.36.0

Open dtma007 opened this issue 1 month ago • 4 comments

What would you like to be added?

These 2 CVEs are reported on versions of golang.org/x/crypto before 0.45.0

  • CVE-2025-47914
  • CVE-2025-58181

Could we get a released version of etcd with golang.org/x/crypto 0.45.0? (I noticed the main branch already has it: https://github.com/etcd-io/etcd/blob/main/go.mod#L99, but the released versions will have crypto 0.36.0.)

Thanks.

Why is this needed?

To address security vulnerabilities:

  • CVE-2025-47914
  • CVE-2025-58181

dtma007 avatar Nov 22 '25 01:11 dtma007
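As an added example (not code from the etcd project or from anyone in this issue), the check a downstream user would run to answer the question above: read a `go.mod` (or the `dep` lines of `go version -m <binary>` for a built etcd) and report whether `golang.org/x/crypto` is below the version the issue names as fixed, v0.45.0. The `go.mod` excerpt is constructed for the demo; the module name and threshold are the ones from the issue.

```shell
#!/bin/sh
# Constructed sample go.mod excerpt (NOT etcd's actual go.mod); pins the
# pre-fix x/crypto version mentioned in the issue.
SAMPLE_GOMOD='module example.com/sample

go 1.24

require (
	golang.org/x/crypto v0.36.0
	golang.org/x/net v0.47.0
)'

# Print the version of module $1 from text on stdin. Accepts go.mod lines
# ("<mod> vX.Y.Z", or single-line "require <mod> vX.Y.Z") and the
# "dep <mod> vX.Y.Z <hash>" lines printed by `go version -m <binary>`.
module_version() {
    awk -v mod="$1" '
        $1 == mod && $2 ~ /^v[0-9]/                  { print $2; exit }
        $1 == "require" && $2 == mod && $3 ~ /^v[0-9]/ { print $3; exit }
        $1 == "dep" && $2 == mod && $3 ~ /^v[0-9]/     { print $3; exit }'
}

# Return 0 when version $1 is strictly older than $2 (vMAJOR.MINOR.PATCH;
# a pre-release suffix such as -rc1 is ignored for the numeric compare).
version_lt() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Read go.mod / `go version -m` text on stdin and report whether module $1
# needs bumping to at least $2. Returns 0 if a bump is needed, 1 if the
# pinned version already satisfies the threshold, 2 if the module is absent.
check_bump() {
    mod=$1; fixed=$2
    have=$(module_version "$mod")
    if [ -z "$have" ]; then
        echo "$mod: not found in input"
        return 2
    fi
    if version_lt "$have" "$fixed"; then
        echo "$mod: $have is below fixed version $fixed (bump needed)"
        return 0
    fi
    echo "$mod: $have is at or above $fixed"
    return 1
}

# Demo against the constructed go.mod: reports that x/crypto needs a bump.
printf '%s\n' "$SAMPLE_GOMOD" | check_bump golang.org/x/crypto v0.45.0
```

Against a real tree, feed it the module file (`check_bump golang.org/x/crypto v0.45.0 < go.mod`) or, for a release binary you already run, `go version -m /path/to/etcd | check_bump golang.org/x/crypto v0.45.0`; the latter answers the question the issue raises, which version actually shipped, without trusting the branch's `go.mod`.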

Hi @dtma007, thanks for opening this issue. According to our documentation, we don't bump dependencies for our stable branches. We only do a release if the severity is >= 7.5.

https://github.com/etcd-io/etcd/blob/584c7cce627d6d15165b9905d028a19a06ea4aa6/Documentation/contributor-guide/release.md?plain=1#L43-L47

That being said, I don't oppose bumping the dependencies before our next release. What do you think, @ahrtr?

ivanvc avatar Dec 04 '25 00:12 ivanvc

It should be fine to bump for both main and stable releases.

ahrtr avatar Dec 04 '25 09:12 ahrtr

Closing: the stable release branches now use 0.45.0. This will get released with 3.4.40, 3.5.26, and 3.6.7.

ivanvc avatar Dec 16 '25 17:12 ivanvc

Re-opening. In #21024, I bumped x/net, rather than x/crypto.

ivanvc avatar Dec 18 '25 22:12 ivanvc