From 83c051b701d33261eef91a719e4421c81b000ba4 Mon Sep 17 00:00:00 2001
From: Sam Batschelet <sbatsche@redhat.com>
Date: Mon, 7 Jan 2019 13:55:09 -0500
Subject: [PATCH] CHANGELOG: add "disable CommonName authentication for
 gRPC-gateway" PR

Signed-off-by: Sam Batschelet <sbatsche@redhat.com>
---
 CHANGELOG-3.3.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGELOG-3.3.md b/CHANGELOG-3.3.md
index 88d19f02a..a5dd1ed47 100644
--- a/CHANGELOG-3.3.md
+++ b/CHANGELOG-3.3.md
@@ -26,6 +26,10 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.3.10...v3.3.11) an
 
 - Add [`etcd gateway --discovery-srv-name`](https://github.com/etcd-io/etcd/pull/10250) flag.
 
+### Security, Authentication
+
+- Disable [CommonName authentication for gRPC-gateway](https://github.com/etcd-io/etcd/pull/10366) gRPC-gateway proxy requests to etcd server use the etcd client server TLS certificate. If that certificate contains CommonName we do not want to use that for authentication as it could lead to permission escalation.
+
 ### Go
 
 - Compile with [*Go 1.10.7*](https://golang.org/doc/devel/release.html#go1.10).