diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index 54e77d831c3..2bbf7a9fdd7 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -59,6 +59,9 @@ derekperkins, mattlord
### High Availability
mattlord, timvaillancourt
+### Security
+timvaillancourt
+
## Past Maintainers
We thank the following past maintainers for their contributions.
diff --git a/changelog/24.0/24.0.0/summary.md b/changelog/24.0/24.0.0/summary.md
index eac97e3d200..301fced4c5d 100644
--- a/changelog/24.0/24.0.0/summary.md
+++ b/changelog/24.0/24.0.0/summary.md
@@ -8,6 +8,8 @@
- [Window function pushdown for sharded keyspaces](#window-function-pushdown)
- [View Routing Rules](#view-routing-rules)
- [Tablet targeting via USE statement](#tablet-targeting)
+ - **[Breaking Changes](#breaking-changes)**
+ - [External Decompressor No Longer Read from Backup MANIFEST by Default](#vttablet-external-decompressor-manifest)
- **[Minor Changes](#minor-changes)**
- **[Logging](#minor-changes-logging)**
- [Structured logging](#structured-logging)
@@ -28,6 +30,7 @@
- **[VTOrc](#minor-changes-vtorc)**
- [New `--cell` Flag](#vtorc-cell-flag)
- [Improved VTOrc Discovery Logging](#vtorc-improved-discovery-logging)
+ - [Ordered Recovery Execution and Semi-Sync Rollout](#vtorc-ordered-recovery-semi-sync)
- [Deprecated VTOrc Metric Removed](#vtorc-deprecated-metric-removed)
- [Deprecation of Snapshot Topology feature](#vtorc-snapshot-topology-deprecation)
- [Deprecated `/api/replication-analysis` Endpoint Removed](#vtorc-replication-analysis-api-removed)
@@ -91,6 +94,16 @@ Once set, all subsequent queries in the session route to the specified tablet un
Note: A shard must be specified when using tablet targeting. Like shard targeting, this bypasses vindex-based routing, so use with care.
+### Breaking Changes
+
+#### External Decompressor No Longer Read from Backup MANIFEST by Default
+
+The external decompressor command stored in a backup's `MANIFEST` file is no longer used at restore time by default. Previously, when no `--external-decompressor` flag was provided, VTTablet would fall back to the command specified in the `MANIFEST`. This posed a security risk: an attacker with write access to backup storage could modify the `MANIFEST` to execute arbitrary commands on the tablet.
+
+Starting in v24, the `MANIFEST`-based decompressor is ignored unless you explicitly opt in with the new `--external-decompressor-use-manifest` flag. If you rely on this behavior, add the flag to your VTTablet configuration, but be aware of the security implications.
+
+See [#19460](https://github.com/vitessio/vitess/pull/19460) for details.
+
## Minor Changes
### Logging
@@ -220,6 +233,14 @@ VTOrc's `DiscoverInstance` function now includes the tablet alias in all log mes
This improvement makes it easier to identify and debug issues with specific tablets when discovery operations fail.
+#### Ordered Recovery Execution and Semi-Sync Rollout
+
+VTOrc now executes recoveries per-shard with defined ordering, rather than per-tablet in isolation. Problems that have ordering dependencies (e.g., semi-sync configuration) are executed serially first, while independent problems are executed concurrently. This ensures that dependent recoveries happen in the correct sequence within a shard.
+
+The main user-facing improvement is to semi-sync rollouts: VTOrc now ensures replicas have semi-sync enabled before updating the primary. Previously, enabling semi-sync on the primary before enough replicas were ready could stall writes while the primary waited for semi-sync acknowledgements that no replica was prepared to send.
+
+See [#19427](https://github.com/vitessio/vitess/pull/19427) for details.
+
#### Deprecated VTOrc Metric Removed
The `DiscoverInstanceTimings` metric has been removed from VTOrc in v24. This metric was deprecated in v23.