Merge pull request #21511 from ivanvc/changelog-20260320-releases

Changelog: Add entries for 3.4.42, 3.5.28, 3.6.9 releases

Author: ahrtr

CHANGELOG/CHANGELOG-3.4.md

@@ -4,17 +4,24 @@ Previous change logs can be found at [CHANGELOG-3.3](https://github.com/etcd-io/
 
 ---
 
-## v3.4.42 (TBC)
+## v3.4.43 (TBC)
+
+---
+
+## v3.4.42 (2026-03-20)
 
 ### etcd server
 
 - Fix [Race between read index and leader change](https://github.com/etcd-io/etcd/pull/21385)
 - Fix [Stale reads caused by process pausing](https://github.com/etcd-io/etcd/pull/21423)
+- Guard unauthenticated endpoints with auth checks to fix [Authorization bypasses in multiple APIs (CVE-2026-33413)](https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg)
+- Enforce auth checks for nested txn ops to fix [Nested etcd transactions bypass RBAC authorization checks (CVE-2026-33343)](https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q)
 
 ### Dependencies
 
-- Compile binaries using [go 1.25.7](https://github.com/etcd-io/etcd/pull/21406)
+- Compile binaries using [go 1.25.8](https://github.com/etcd-io/etcd/pull/21461)
 - [Bump golang.org/x/net to v0.51.0 to resolve GO-2026-4559](https://github.com/etcd-io/etcd/pull/21444)
+- [Bump google.golang.org/grpc to 1.79.3 to resolve CVE-2026-33186](https://github.com/etcd-io/etcd/pull/21502)
 
 ---
 

CHANGELOG/CHANGELOG-3.5.md

@@ -4,13 +4,20 @@ Previous change logs can be found at [CHANGELOG-3.4](https://github.com/etcd-io/
 
 ---
 
-## v3.5.28 (TBC)
+## v3.5.29 (TBC)
+
+---
+
+## v3.5.28 (2026-03-20)
 
 ### etcd server
 
 - [Ensure the metrics interceptor runs before other interceptors so that metrics remain up to date](https://github.com/etcd-io/etcd/pull/21336)
 - Fix [Race between read index and leader change](https://github.com/etcd-io/etcd/pull/21387)
 - Fix [Stale reads caused by process pausing](https://github.com/etcd-io/etcd/pull/21421)
+- Fix [cannot promote member from follower when auth is enabled](https://github.com/etcd-io/etcd/pull/21494)
+- Guard unauthenticated endpoints with auth checks to fix [Authorization bypasses in multiple APIs (CVE-2026-33413)](https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg)
+- Enforce auth checks for nested txn ops to fix [Nested etcd transactions bypass RBAC authorization checks (CVE-2026-33343)](https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q)
 
 ### Package `clientv3`
 
@@ -27,8 +34,9 @@ Previous change logs can be found at [CHANGELOG-3.4](https://github.com/etcd-io/
 ### Dependencies
 
 - [Bump go.opentelemetry.io/otel/sdk to v1.40.0 to resolve https://pkg.go.dev/vuln/GO-2026-4394](https://github.com/etcd-io/etcd/pull/21338)
-- Compile binaries using [go 1.25.7](https://github.com/etcd-io/etcd/pull/21405)
+- Compile binaries using [go 1.25.8](https://github.com/etcd-io/etcd/pull/21462)
 - [Bump golang.org/x/net to v0.51.0 to resolve GO-2026-4559](https://github.com/etcd-io/etcd/pull/21441)
+- [Bump google.golang.org/grpc to 1.79.3 to resolve CVE-2026-33186](https://github.com/etcd-io/etcd/pull/21500)
 
 ---
 

CHANGELOG/CHANGELOG-3.6.md

@@ -4,14 +4,20 @@ Previous change logs can be found at [CHANGELOG-3.5](https://github.com/etcd-io/
 
 ---
 
-## v3.6.9 (TBC)
+## v3.6.10 (TBC)
+
+---
+
+## v3.6.9 (2026-03-20)
 
 ### etcd server
 
 - [Ensure the metrics interceptor runs before other interceptors so that metrics remain up to date](https://github.com/etcd-io/etcd/pull/21329)
 - Fix [Race between read index and leader change](https://github.com/etcd-io/etcd/pull/21378)
 - Fix [Stale reads caused by process pausing](https://github.com/etcd-io/etcd/pull/21417)
 - Revert [Reuse events between sync loops](https://github.com/etcd-io/etcd/pull/21443)
+- Guard unauthenticated endpoints with auth checks to fix [Authorization bypasses in multiple APIs (CVE-2026-33413)](https://github.com/etcd-io/etcd/security/advisories/GHSA-q8m4-xhhv-38mg)
+- Enforce auth checks for nested txn ops to fix [Nested etcd transactions bypass RBAC authorization checks (CVE-2026-33343)](https://github.com/etcd-io/etcd/security/advisories/GHSA-rfx7-8w68-q57q)
 
 ### Package `clientv3`
 
@@ -28,8 +34,9 @@ Previous change logs can be found at [CHANGELOG-3.5](https://github.com/etcd-io/
 ### Dependencies
 
 - [Bump go.opentelemetry.io/otel/sdk to v1.40.0 to resolve https://pkg.go.dev/vuln/GO-2026-4394](https://github.com/etcd-io/etcd/pull/21340)
-- Compile binaries using [go 1.25.7](https://github.com/etcd-io/etcd/pull/21393)
+- Compile binaries using [go 1.25.8](https://github.com/etcd-io/etcd/pull/21463)
 - [Bump golang.org/x/net to v0.51.0 to resolve GO-2026-4559](https://github.com/etcd-io/etcd/pull/21440)
+- [Bump google.golang.org/grpc to 1.79.3 to resolve CVE-2026-33186](https://github.com/etcd-io/etcd/pull/21501)
 
 ---
 
@@ -72,6 +79,7 @@ Previous change logs can be found at [CHANGELOG-3.5](https://github.com/etcd-io/
 - Fix [endpoint status not retuning the correct storage quota](https://github.com/etcd-io/etcd/pull/20790)
 - Fix [`--force-new-cluster can't clean up learners after creating snapshot`](https://github.com/etcd-io/etcd/pull/20896)
 - Fix [duplicate metrics collector registration that caused warning messages](https://github.com/etcd-io/etcd/pull/20905)
+- Fix [cannot promote member from follower when auth is enabled](https://github.com/etcd-io/etcd/pull/20874)
 
 ### Dependencies