Skip to content

[AutoPR- Security] Patch etcd for CVE-2026-33814 [MEDIUM] #17220

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
azurelinux-security wants to merge 1 commit into
base: 3.0-dev
Choose a base branch
from
+47 −1
Draft

[AutoPR- Security] Patch etcd for CVE-2026-33814 [MEDIUM] #17220

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions SPECS/etcd/CVE-2026-33814.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
From 7e9e82f8c3033974b16d93835521f6e133a7c9aa Mon Sep 17 00:00:00 2001
From: AllSpark <allspark@microsoft.com>
Date: Thu, 14 May 2026 09:00:37 +0000
Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame

This CL backports https://go.dev/cl/761581 to x/net.

Fixes golang/go#78476
Fixes CVE-2026-33814

Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
Upstream-reference: AI Backport of https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49.patch
---
client/pkg/transport/transport_test.go | 14 ++++++++++++++
1 file changed, 14 insertions(+)

diff --git a/client/pkg/transport/transport_test.go b/client/pkg/transport/transport_test.go
index afd325d..009bc0d 100644
--- a/client/pkg/transport/transport_test.go
+++ b/client/pkg/transport/transport_test.go
@@ -72,3 +72,17 @@ func TestNewTransportTLSInvalidCipherSuitesTLS12(t *testing.T) {
<-donec
<-donec
}
+
+func TestTransportDoNotHangOnZeroMaxFrameSize(t *testing.T) {
+ synctestTest(t, testTransportDoNotHangOnZeroMaxFrameSize)
+}
+func testTransportDoNotHangOnZeroMaxFrameSize(t testing.TB) {
+ tc := newTestClientConn(t)
+ tc.writeSettings(Setting{ID: SettingMaxFrameSize, Val: 0})
+ tc.wantFrameType(FrameSettings)
+
+ req, _ := http.NewRequest("POST", "https://dummy.tld/", strings.NewReader("body"))
+ tc.roundTrip(req)
+ // Previously, https://go.dev/issue/78476 caused an infinite hang here.
+}
+
--
2.45.4

7 changes: 6 additions & 1 deletion SPECS/etcd/etcd.spec
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
Summary: A highly-available key value store for shared configuration
Name: etcd
Version: 3.5.28
Release: 2%{?dist}
Release: 3%{?dist}
License: ASL 2.0
Vendor: Microsoft Corporation
Distribution: Azure Linux
Expand Down Expand Up @@ -45,6 +45,7 @@ Source1: etcd.service
# -cJf [tarball name] [folder to tar]
Source2: %{name}-%{version}-vendor.tar.gz
Patch0: CVE-2026-29181.patch
Patch1: CVE-2026-33814.patch
BuildRequires: golang >= 1.16

%description
Expand Down Expand Up @@ -72,6 +73,7 @@ mkdir -p %{ETCD_OUT_DIR}
for component in server etcdctl etcdutl; do
pushd $component
tar --no-same-owner -xf %{_builddir}/%{name}-%{version}/vendor-$component.tar.gz
%patch 1 -p1
patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=%{PATCH0}
go build \
-o %{ETCD_OUT_DIR} \
Expand Down Expand Up @@ -147,6 +149,9 @@ install -vdm755 %{buildroot}%{_sharedstatedir}/etcd
/%{_docdir}/%{name}-%{version}-tools/*

%changelog
* Thu May 14 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 3.5.28-3
- Patch for CVE-2026-33814

* Mon May 04 2026 Sumit Jena <v-sumitjena@microsoft.com> - 3.5.28-2
- Patch for CVE-2026-29181

Expand Down
Loading