From 96e8cff2865380346a195ccb8eafeb708c32909e Mon Sep 17 00:00:00 2001 From: Gyuho Lee Date: Tue, 5 Jun 2018 13:23:55 -0700 Subject: [PATCH] CHANGELOG: highlight custom cipher suite feature Signed-off-by: Gyuho Lee --- CHANGELOG-3.2.md | 17 +++++++++++++++++ CHANGELOG-3.3.md | 17 +++++++++++++++++ CHANGELOG-3.4.md | 16 +++++++++++++++- 3 files changed, 49 insertions(+), 1 deletion(-) diff --git a/CHANGELOG-3.2.md b/CHANGELOG-3.2.md index 42196323a..367b11240 100644 --- a/CHANGELOG-3.2.md +++ b/CHANGELOG-3.2.md @@ -3,6 +3,23 @@ Previous change logs can be found at [CHANGELOG-3.1](https://github.com/coreos/etcd/blob/master/CHANGELOG-3.1.md). +## [v3.2.22](https://github.com/coreos/etcd/releases/tag/v3.2.22) (TBD 2018-06) + +See [code changes](https://github.com/coreos/etcd/compare/v3.2.21...v3.2.22) and [v3.2 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_2.md) for any breaking changes. **Again, before running upgrades from any previous release, please make sure to read change logs below and [v3.2 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_2.md).** + +### etcd server + +- Support TLS cipher suite whitelisting. + - To block [weak cipher suites](https://github.com/coreos/etcd/issues/8320). + - TLS handshake fails when client hello is requested with invalid cipher suites. + - Add [`etcd --cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag. + - If empty, Go auto-populates the list. + +### Go + +- Compile with [*Go 1.8.7*](https://golang.org/doc/devel/release.html#go1.8). + + ## [v3.2.21](https://github.com/coreos/etcd/releases/tag/v3.2.21) (2018-05-31) See [code changes](https://github.com/coreos/etcd/compare/v3.2.20...v3.2.21) and [v3.2 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_2.md) for any breaking changes. **Again, before running upgrades from any previous release, please make sure to read change logs below and [v3.2 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_2.md).** diff --git a/CHANGELOG-3.3.md b/CHANGELOG-3.3.md index 9f300d03d..4618863bd 100644 --- a/CHANGELOG-3.3.md +++ b/CHANGELOG-3.3.md @@ -3,6 +3,23 @@ Previous change logs can be found at [CHANGELOG-3.2](https://github.com/coreos/etcd/blob/master/CHANGELOG-3.2.md). +## [v3.3.7](https://github.com/coreos/etcd/releases/tag/v3.3.7) (TBD 2018-06) + +See [code changes](https://github.com/coreos/etcd/compare/v3.3.6...v3.3.7) and [v3.3 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_3.md) for any breaking changes. **Again, before running upgrades from any previous release, please make sure to read change logs below and [v3.3 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_3.md).** + +### etcd server + +- Support TLS cipher suite whitelisting. + - To block [weak cipher suites](https://github.com/coreos/etcd/issues/8320). + - TLS handshake fails when client hello is requested with invalid cipher suites. + - Add [`etcd --cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag. + - If empty, Go auto-populates the list. + +### Go + +- Compile with [*Go 1.9.6*](https://golang.org/doc/devel/release.html#go1.9). + + ## [v3.3.6](https://github.com/coreos/etcd/releases/tag/v3.3.6) (2018-05-31) See [code changes](https://github.com/coreos/etcd/compare/v3.3.5...v3.3.6) and [v3.3 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_3.md) for any breaking changes. **Again, before running upgrades from any previous release, please make sure to read change logs below and [v3.3 upgrade guide](https://github.com/coreos/etcd/blob/master/Documentation/upgrades/upgrade_3_3.md).** diff --git a/CHANGELOG-3.4.md b/CHANGELOG-3.4.md index d3c826bb1..45a9b7e81 100644 --- a/CHANGELOG-3.4.md +++ b/CHANGELOG-3.4.md @@ -156,6 +156,12 @@ See [code changes](https://github.com/coreos/etcd/compare/v3.3.0...v3.4.0) and [ See [security doc](https://github.com/coreos/etcd/blob/master/Documentation/op-guide/security.md) for more details. +- Support TLS cipher suite whitelisting. + - To block [weak cipher suites](https://github.com/coreos/etcd/issues/8320). + - TLS handshake fails when client hello is requested with invalid cipher suites. + - Add [`etcd --client-cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag. + - Add [`etcd --peer-cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag. + - If empty, Go auto-populates the list. - Add [`etcd --host-whitelist`](https://github.com/coreos/etcd/pull/9372) flag, [`etcdserver.Config.HostWhitelist`](https://github.com/coreos/etcd/pull/9372), and [`embed.Config.HostWhitelist`](https://github.com/coreos/etcd/pull/9372), to prevent ["DNS Rebinding"](https://en.wikipedia.org/wiki/DNS_rebinding) attack. - Any website can simply create an authorized DNS name, and direct DNS to `"localhost"` (or any other address). Then, all HTTP endpoints of etcd server listening on `"localhost"` becomes accessible, thus vulnerable to [DNS rebinding attacks (CVE-2018-5702)](https://bugs.chromium.org/p/project-zero/issues/detail?id=1447#c2). - Client origin enforce policy works as follow: @@ -166,7 +172,6 @@ See [security doc](https://github.com/coreos/etcd/blob/master/Documentation/op-g - When specifying hostnames, loopback addresses are not added automatically. To allow loopback interfaces, add them to whitelist manually (e.g. `"localhost"`, `"127.0.0.1"`, etc.). - e.g. `etcd --host-whitelist example.com`, then the server will reject all HTTP requests whose Host field is not `example.com` (also rejects requests to `"localhost"`). - Support [`etcd --cors`](https://github.com/coreos/etcd/pull/9490) in v3 HTTP requests (gRPC gateway). -- Support [TLS cipher suite lists](TODO). - Support [`ttl` field for `etcd` Authentication JWT token](https://github.com/coreos/etcd/pull/8302). - e.g. `etcd --auth-token jwt,pub-key=,priv-key=,sign-method=,ttl=5m`. - Allow empty token provider in [`etcdserver.ServerConfig.AuthToken`](https://github.com/coreos/etcd/pull/9369). @@ -207,6 +212,11 @@ See [security doc](https://github.com/coreos/etcd/blob/master/Documentation/op-g - If not given, etcd queries `_etcd-server-ssl._tcp.[YOUR_HOST]` and `_etcd-server._tcp.[YOUR_HOST]`. - If `--discovery-srv-name="foo"`, then query `_etcd-server-ssl-foo._tcp.[YOUR_HOST]` and `_etcd-server-foo._tcp.[YOUR_HOST]`. - Useful for operating multiple etcd clusters under the same domain. +- Support TLS cipher suite whitelisting. + - To block [weak cipher suites](https://github.com/coreos/etcd/issues/8320). + - TLS handshake fails when client hello is requested with invalid cipher suites. + - Add [`etcd --cipher-suites`](https://github.com/coreos/etcd/pull/9801) flag. + - If empty, Go auto-populates the list. - Support [`etcd --cors`](https://github.com/coreos/etcd/pull/9490) in v3 HTTP requests (gRPC gateway). - Rename [`etcd --log-output` to `--log-outputs`](https://github.com/coreos/etcd/pull/9624) to support multiple log outputs. - **`etcd --log-output` will be deprecated in v3.5**. @@ -271,6 +281,10 @@ Note: **v3.5 will deprecate `etcd --log-package-levels` flag for `capnslog`**; ` ### Package `embed` +- Add [`embed.Config.CipherSuites`](https://github.com/coreos/etcd/pull/9801) to specify a list of supported cipher suites for TLS handshake between client/server and peers. + - If empty, Go auto-populates the list. + - Both `embed.Config.ClientTLSInfo.CipherSuites` and `embed.Config.CipherSuites` cannot be non-empty at the same time. + - If not empty, specify either `embed.Config.ClientTLSInfo.CipherSuites` or `embed.Config.CipherSuites`. - Add [`embed.Config.InitialElectionTickAdvance`](https://github.com/coreos/etcd/pull/9591) to enable/disable initial election tick fast-forward. - `embed.NewConfig()` would return `*embed.Config` with `InitialElectionTickAdvance` as true by default. - Define [`embed.CompactorModePeriodic`](https://godoc.org/github.com/coreos/etcd/embed#pkg-variables) for `compactor.ModePeriodic`.