diff --git a/SPECS/etcd/CVE-2026-33814.patch b/SPECS/etcd/CVE-2026-33814.patch
new file mode 100644
index 00000000000..330ef2c75ca
--- /dev/null
+++ b/SPECS/etcd/CVE-2026-33814.patch
@@ -0,0 +1,42 @@
+From 7e9e82f8c3033974b16d93835521f6e133a7c9aa Mon Sep 17 00:00:00 2001
+From: AllSpark
+Date: Thu, 14 May 2026 09:00:37 +0000
+Subject: [PATCH] http2: prevent hanging Transport due to bad SETTINGS frame
+
+This CL backports https://go.dev/cl/761581 to x/net.
+
+Fixes golang/go#78476
+Fixes CVE-2026-33814
+
+Upstream-reference: https://github.com/golang/net/commit/1e71bd86e4a302b4e731bc06da6eb51679c7bd49.patch
+---
+ vendor/golang.org/x/net/http2/transport.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go
+index 8cf64b7..3b514a3 100644
+--- a/vendor/golang.org/x/net/http2/transport.go
++++ b/vendor/golang.org/x/net/http2/transport.go
+@@ -2865,6 +2865,9 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+
+ var seenMaxConcurrentStreams bool
+ err := f.ForeachSetting(func(s Setting) error {
++ if err := s.Valid(); err != nil {
++ return err
++ }
+ switch s.ID {
+ case SettingMaxFrameSize:
+ cc.maxFrameSize = s.Val
+@@ -2896,9 +2899,6 @@ func (rl *clientConnReadLoop) processSettingsNoWrite(f *SettingsFrame) error {
+ cc.henc.SetMaxDynamicTableSize(s.Val)
+ cc.peerMaxHeaderTableSize = s.Val
+ case SettingEnableConnectProtocol:
+- if err := s.Valid(); err != nil {
+- return err
+- }
+ // If the peer wants to send us SETTINGS_ENABLE_CONNECT_PROTOCOL,
+ // we require that it do so in the first SETTINGS frame.
+ //
+--
+2.45.4
+
diff --git a/SPECS/etcd/etcd.spec b/SPECS/etcd/etcd.spec
index aab5ace71d9..dd2f5cac7aa 100644
--- a/SPECS/etcd/etcd.spec
+++ b/SPECS/etcd/etcd.spec
@@ -3,7 +3,7 @@
 Summary: A highly-available key value store for shared configuration
 Name: etcd
 Version: 3.5.30
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 Vendor: Microsoft Corporation
 Distribution: Azure Linux
@@ -45,6 +45,7 @@ Source1: etcd.service
 # -cJf [tarball name] [folder to tar]
 Source2: %{name}-%{version}-vendor.tar.gz
 Patch0: CVE-2026-29181.patch
+Patch1: CVE-2026-33814.patch
 BuildRequires: golang >= 1.16
 
 %description
@@ -73,6 +74,7 @@ for component in server etcdctl etcdutl; do
 pushd $component
 tar --no-same-owner -xf %{_builddir}/%{name}-%{version}/vendor-$component.tar.gz
 patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=%{PATCH0}
+patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=%{PATCH1}
 go build \
 -o %{ETCD_OUT_DIR} \
 -ldflags=-X=go.etcd.io/etcd/api/v3/version.GitSHA=v%{version}
@@ -86,6 +88,7 @@ mkdir -p %{ETCD_TOOLS_OUT_DIR}
 for component in etcd-dump-db etcd-dump-logs; do
 pushd tools/$component
 tar --no-same-owner -xf %{_builddir}/%{name}-%{version}/vendor-$component.tar.gz
+patch -p1 -s --fuzz=0 --no-backup-if-mismatch -f --input=%{PATCH1}
 go build \
 -o %{ETCD_TOOLS_OUT_DIR}
 popd
@@ -147,6 +150,9 @@ install -vdm755 %{buildroot}%{_sharedstatedir}/etcd
 /%{_docdir}/%{name}-%{version}-tools/* %changelog
+* Wed May 27 2026 Ratiranjan Behera - 3.5.30-2
+- Patch CVE-2026-33814
+
 * Tue May 19 2026 Akarsh Chaudhary - 3.5.30-1
 - Upgrade to version 3.5.30 (fixes CVE-2026-44283).
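Review bot: The tools loop (hunk `@@ -86,6 +88,7 @@`) now applies PATCH1 to the etcd-dump-db and etcd-dump-logs vendor trees but still does not apply PATCH0, while the server/etcdctl/etcdutl loop in the preceding hunk applies both. If the tools' vendor tarballs never contained the module fixed by CVE-2026-29181.patch that asymmetry is intentional, but it deserves a one-line comment above the new patch line, such as `# PATCH0 does not apply to the tools vendor trees`, so the next backport does not have to rediscover why. Because every component untars its own vendor tarball before patching, PATCH1 is applied up to five times with `--fuzz=0`; a context mismatch in any single tree fails the build, which is the right outcome, but it presumes each tarball vendors the same x/net transport.go revision (the patch expects index 8cf64b7), which is worth confirming once per vendor tarball. The changelog hunk's end lies outside this chunk.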