Merge pull request #12202 from spzala/auditchangelog

CHANGELOG: update with added audit report
2024-09-27 06:25:44 +00:00 · 2020-08-05 08:56:16 -07:00 · 2020-08-05 08:56:16 -07:00 · f395f82a75
commit f395f82a75
parent d29af0f22b eafd374309
2 changed files with 5 additions and 0 deletions
--- a/CHANGELOG-3.5.md
+++ b/CHANGELOG-3.5.md
@ -71,6 +71,7 @@ See [code changes](https://github.com/etcd-io/etcd/compare/v3.4.0...v3.5.0) and

 - Add [`TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` and `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256` to `etcd --cipher-suites`](https://github.com/etcd-io/etcd/pull/11864).
 - Changed [the format of WAL entries related to auth for not keeping password as a plain text](https://github.com/etcd-io/etcd/pull/11943).
+- Add third party [Security Audit Report](https://github.com/etcd-io/etcd/pull/12201).

 ### Metrics, Monitoring

--- a/security/README.md
+++ b/security/README.md
@ -31,3 +31,7 @@ As the security issue moves from triage, to identified fix, to release planning
 ## Public Disclosure Timing

 A public disclosure date is negotiated by the etcd Product Security Committee and the bug reporter. We prefer to fully disclose the bug as soon as possible once user mitigation is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for vendor coordination. The timeframe for disclosure is from immediate (especially if it's already publicly known) to a few weeks. As a basic default, we expect report date to disclosure date to be on the order of 7 days. The etcd Product Security Committee holds the final say when setting a disclosure date.
+
+## Security Audit
+
+A third party security audit was performed by Trail of Bits, find the full report [here](SECURITY_AUDIT.pdf).