Hi,

The following vulnerability was published for etcd.

CVE-2026-44283[0]:
| etcd is a distributed key-value store for the data of a distributed
| system. Prior to 3.4.44, 3.5.30, and 3.6.11, a vulnerability in etcd
| allows read access via PrevKv, or lease attachment in Put requests
| within transaction operations, to bypass RBAC authorization checks.
| An authenticated user without sufficient read or lease-related
| permissions may be able to access unauthorized data or attach leases
| by invoking transaction operations with these features enabled. This
| vulnerability is fixed in 3.4.44, 3.5.30, and 3.6.11.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44283
    https://www.cve.org/CVERecord?id=CVE-2026-44283
[1] https://github.com/etcd-io/etcd/security/advisories/GHSA-x35m-3gp4-4fh5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

We believe that the bug you reported is fixed in the latest version of
etcd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1136829@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Reinhard Tartler <siretart@tauware.de> (supplier of updated etcd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sat, 30 May 2026 18:01:06 -0400
Source: etcd
Architecture: source
Version: 3.5.16-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
Changed-By: Reinhard Tartler <siretart@tauware.de>
Closes: 1132037 1132038 1136829 1137394
Changes:
 etcd (3.5.16-11) unstable; urgency=medium
 .
   * Fix FTBFS with OpenTelemetry 0.60+ (Closes: #1137394)
   * Backport security fixes:
     - CVE-2026-33413: guard unauthenticated endpoints with auth checks
       (Closes: #1132038)
     - CVE-2026-33343: enforce auth checks for nested txn ops
       (Closes: #1132037)
     - CVE-2026-44283: fix PrevKv and Lease auth bypass in Txn
       (Closes: #1136829)