
vitess 23.0.3 #269694

Merged: BrewTestBot merged 2 commits into main from bump-vitess-23.0.3 on Feb 27, 2026


@BrewTestBot
Contributor

Created by brew bump


Created with brew bump-formula-pr.

Details

release notes
# Release of Vitess v23.0.3

Summary

This is a security-focused release. It contains fixes for two recently reported CVEs along with a number of other security-related fixes.

External Decompressor No Longer Read from Backup MANIFEST by Default

This is a fix for the following security advisory and associated CVE

The external decompressor command stored in a backup's MANIFEST file is no longer used at restore time by default. Previously, when no --external-decompressor flag was provided, VTTablet would fall back to the command specified in the MANIFEST. This posed a security risk: an attacker with write access to backup storage could modify the MANIFEST to execute arbitrary commands on the tablet.

Please note that this is a breaking change. Starting in v23.0.3, the MANIFEST-based decompressor is ignored unless you explicitly opt in with the new --external-decompressor-use-manifest flag. If you rely on this behavior, add the flag to your VTTablet configuration, but be aware of the security implications.

See #19460 for details.

Prevent Path Traversals Via Backup MANIFEST Files On restore

This is a fix for the following security advisory and associated CVE

We now prevent a common Path Traversal attack that someone with write access to backup storage could use to escape the target restore directory and write files to arbitrary filesystem paths via modifications to the MANIFEST.

See #19470 for details.


The entire changelog for this release can be found here.

The release includes 22 merged Pull Requests.

Thanks to all our contributors: @app/vitess-bot, @bcremer, @mattlord

View the full release notes at https://github.com/vitessio/vitess/releases/tag/v23.0.3.
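
The path-traversal check described in the release notes above, shown as an added example: this is not Vitess or Homebrew code, and the manifest layout (a JSON `files` list) and the names `resolveInside` and `planRestore` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// manifest is a hypothetical, simplified backup manifest (assumed layout).
type manifest struct {
	Files []string `json:"files"`
}

// resolveInside joins name onto root and fails if the result leaves root.
func resolveInside(root, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", fmt.Errorf("manifest entry %q is not a relative path", name)
	}
	target := filepath.Join(root, name) // Join also cleans "." and ".." segments
	rel, err := filepath.Rel(root, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("manifest entry %q escapes %s", name, root)
	}
	return target, nil
}

// planRestore validates every entry before anything is written to disk.
func planRestore(root string, raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	targets := make([]string, 0, len(m.Files))
	for _, f := range m.Files {
		t, err := resolveInside(root, f)
		if err != nil {
			return nil, err // one bad entry rejects the whole manifest
		}
		targets = append(targets, t)
	}
	return targets, nil
}

func main() {
	// Constructed sample manifests, not taken from a real backup.
	fmt.Println(planRestore("/restore", []byte(`{"files":["data/ibdata1"]}`)))
	fmt.Println(planRestore("/restore", []byte(`{"files":["../../outside/file"]}`)))
}
```

The check is lexical only: it does not resolve symlinks that already exist under the restore directory.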


github-actions bot added the `go` (Go use is a significant feature of the PR or issue) and `bump-formula-pr` (PR was created using `brew bump-formula-pr`) labels on Feb 27, 2026
@github-actions
Contributor

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.

github-actions bot added the `CI-published-bottle-commits` (The commits for the built bottles have been pushed to the PR branch.) label on Feb 27, 2026
BrewTestBot added this pull request to the merge queue on Feb 27, 2026
@stefanb
Member

stefanb commented Feb 27, 2026

#258912

Merged via the queue into main with commit 3d2c687 Feb 27, 2026
22 checks passed
BrewTestBot deleted the bump-vitess-23.0.3 branch on February 27, 2026 06:56