From e66a1d3877ecac9ef8030802c3f99bcdb4fb4d27 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Wed, 1 Oct 2025 17:13:03 +0300 Subject: [PATCH 01/18] [Doc] 3.4.1 RelNotes --- documentation/docs/release-notes/3.4.1.md | 108 ++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 documentation/docs/release-notes/3.4.1.md diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md new file mode 100644 index 0000000000..3f55dd4b64 --- /dev/null +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -0,0 +1,108 @@ +# Percona Monitoring and Management 3.4.1 + +**Release date**: October 8th 2025 + +Percona Monitoring and Management (PMM) is an open source database monitoring, management, and observability solution for MySQL, PostgreSQL, and MongoDB. PMM empowers you to: + +- monitor the health and performance of your database systems +- identify patterns and trends in database behavior +- diagnose and resolve issues faster with actionable insights +- manage databases across on-premises, cloud, and hybrid environments + +## Release summary + +PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and updates Docker images and package dependencies. + +### Fixed denial of service (DoS) in Nomad (CVE-2025-8959) +We've upgraded the integrated scheduling service to Nomad v1.10.5 to address a high-severity vulnerability (CVE-2025-8959). + +This issue existed in a Nomad SSH agent dependency and could be exploited to cause a Nomad client crash (DoS) when processing unexpected data types. + +### Fixed denial of service (DoS) in Percona Toolkit (Logrus) +Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could cause Percona Toolkit commands to crash, disrupting PMM's data collection. + +### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) + +PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-5534.html). + +### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) +PMM is not affected by this OpenSSL cipher processing vulnerability. 
The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-0627.html). + +### Accepted risk: Buffer overflow vulnerabilities in OpenSSL (CVE-2022-3786 and CVE-2022-3602) + +These vulnerabilities affect the `openssl-libs` package included in our Oracle Linux 9 base image. + +Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service that requires a Premier Support subscription. +Since PMM relies solely on public repositories, Ksplice-only updates cannot be included. + +The risk is currently assessed as low because PMM is usually deployed in controlled environments. These issues will be remediated once public Oracle Linux updates are available. + +## 🚀 Ready to upgrade to PMM 3.4.1? + +- **New installation:** [Install PMM with our quickstart guide](../quickstart/quickstart.md) +- **Upgrading from PMM 2:** [Migrate from PMM 2 to PMM 3](../pmm-upgrade/migrating_from_pmm_2.md) +- **Upgrading PMM 3:** [Upgrade your existing PMM 3 installation](../pmm-upgrade/index.md) (edited) + +linux.oracle.comlinux.oracle.com +linux.oracle.com | ELSA-2024-5534 +Oracle Linux Errata Details: ELSA-2024-5534 + +linux.oracle.comlinux.oracle.com +linux.oracle.com | ELSA-2024-0627 +Oracle Linux Errata Details: ELSA-2024-0627 + + + + + + + + +catalina.adam +:no_entry: 12:16 PM +to merge: https://github.com/percona/pmm/pull/3936/files + + +catalina.adam +:no_entry: 11:54 AM +https://github.com/percona/pmm/pull/3511 + + +catalina.adam +:no_entry: 11:50 AM +https://github.com/percona/pmm/pull/4488 + + +catalina.adam +:no_entry: 6:44 AM +https://github.com/percona/pmm/pull/4443 + + +catalina.adam +:no_entry: 4:32 PM +# Percona Monitoring and Management 3.4.1 +**Release date**: October 8th 2025 +Percona Monitoring and Management (PMM) is an open source database monitoring, management, and 
observability solution for MySQL, PostgreSQL, and MongoDB. PMM empowers you to: +- monitor the health and performance of your database systems +- identify patterns and trends in database behavior +- diagnose and resolve issues faster with actionable insights +- manage databases across on-premises, cloud, and hybrid environments +## Release summary +PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and updates Docker images and package dependencies. +### Fixed denial of service (DoS) in Nomad (CVE-2025-8959) +We've upgraded the integrated scheduling service to Nomad v1.10.5 to address a high-severity vulnerability (CVE-2025-8959). This issue existed in a Nomad SSH agent dependency and could be exploited to cause a Nomad client crash (DoS) when processing unexpected data types. +### Fixed denial of service (DoS) in Percona Toolkit (Logrus) +Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could cause Percona Toolkit commands to crash, disrupting PMM's data collection. +### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) +PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-5534.html). +### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) +PMM is **not affected** by this OpenSSL cipher processing vulnerability. The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-0627.html). 
+### Accepted risk: Buffer overflow vulnerabilities in OpenSSL (CVE-2022-3786 and CVE-2022-3602) +These vulnerabilities affect the `openssl-libs` package included in our Oracle Linux 9 base image. +Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service that requires a Premier Support subscription. Since PMM relies solely on public repositories, Ksplice-only updates cannot be included. +The risk is currently assessed as low because PMM is usually deployed in controlled environments. These issues will be remediated once public Oracle Linux updates are available. +## :rocket: Ready to upgrade to PMM 3.4.1? +- **New installation:** [Install PMM with our quickstart guide](../quickstart/quickstart.md) +- **Upgrading from PMM 2:** [Migrate from PMM 2 to PMM 3](../pmm-upgrade/migrating_from_pmm_2.md) +- **Upgrading PMM 3:** [Upgrade your existing PMM 3 installation](../pmm-upgrade/index.md) + From 578f25492bdd7c66dc1c77c832a6d93b5ba803f8 Mon Sep 17 00:00:00 2001 From: Catalina A <94133018+catalinaadam@users.noreply.github.com> Date: Wed, 1 Oct 2025 17:15:15 +0300 Subject: [PATCH 02/18] Update 3.4.1.md --- documentation/docs/release-notes/3.4.1.md | 67 +---------------------- 1 file changed, 2 insertions(+), 65 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 3f55dd4b64..21db02b068 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
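Review bot: Patch 01's hunk commits chat-paste residue into the release note: everything after the `- **Upgrading PMM 3:** ... (edited)` line (the `linux.oracle.comlinux.oracle.com` link previews, the `catalina.adam :no_entry: 12:16 PM` timestamps with `to merge: https://github.com/percona/pmm/pull/...` links, and a second full copy of the release note) is Slack output, not documentation, and should be dropped so the file ends at the upgrade list. Two smaller points in the same hunk: the `(edited)` suffix on the last list item is also residue, and the `### Fixed denial of service (DoS) in Percona Toolkit (Logrus)` entry is the only vulnerability entry without a CVE or advisory identifier, so add one if the logrus issue has one.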
@@ -19,7 +19,7 @@ We've upgraded the integrated scheduling service to Nomad v1.10.5 to address a h This issue existed in a Nomad SSH agent dependency and could be exploited to cause a Nomad client crash (DoS) when processing unexpected data types. ### Fixed denial of service (DoS) in Percona Toolkit (Logrus) -Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could cause Percona Toolkit commands to crash, disrupting PMM's data collection. +Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could crash Percona Toolkit commands and disrupt PMM data collection. ### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) 
@@ -41,68 +41,5 @@ The risk is currently assessed as low because PMM is usually deployed in control - **New installation:** [Install PMM with our quickstart guide](../quickstart/quickstart.md) - **Upgrading from PMM 2:** [Migrate from PMM 2 to PMM 3](../pmm-upgrade/migrating_from_pmm_2.md) -- **Upgrading PMM 3:** [Upgrade your existing PMM 3 installation](../pmm-upgrade/index.md) (edited) - -linux.oracle.comlinux.oracle.com -linux.oracle.com | ELSA-2024-5534 -Oracle Linux Errata Details: ELSA-2024-5534 - -linux.oracle.comlinux.oracle.com -linux.oracle.com | ELSA-2024-0627 -Oracle Linux Errata Details: ELSA-2024-0627 - - - - - - - - -catalina.adam -:no_entry: 12:16 PM -to merge: https://github.com/percona/pmm/pull/3936/files - - -catalina.adam -:no_entry: 11:54 AM -https://github.com/percona/pmm/pull/3511 - - -catalina.adam -:no_entry: 11:50 AM -https://github.com/percona/pmm/pull/4488 - - -catalina.adam -:no_entry: 6:44 AM -https://github.com/percona/pmm/pull/4443 - - -catalina.adam -:no_entry: 4:32 PM -# Percona Monitoring and Management 3.4.1 -**Release date**: October 8th 2025 -Percona Monitoring and Management (PMM) is an open source database monitoring, management, and observability solution for MySQL, PostgreSQL, and MongoDB. PMM empowers you to: -- monitor the health and performance of your database systems -- identify patterns and trends in database behavior -- diagnose and resolve issues faster with actionable insights -- manage databases across on-premises, cloud, and hybrid environments -## Release summary -PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and updates Docker images and package dependencies. -### Fixed denial of service (DoS) in Nomad (CVE-2025-8959) -We've upgraded the integrated scheduling service to Nomad v1.10.5 to address a high-severity vulnerability (CVE-2025-8959). 
This issue existed in a Nomad SSH agent dependency and could be exploited to cause a Nomad client crash (DoS) when processing unexpected data types. -### Fixed denial of service (DoS) in Percona Toolkit (Logrus) -Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could cause Percona Toolkit commands to crash, disrupting PMM's data collection. -### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) -PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-5534.html). -### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) -PMM is **not affected** by this OpenSSL cipher processing vulnerability. The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-0627.html). -### Accepted risk: Buffer overflow vulnerabilities in OpenSSL (CVE-2022-3786 and CVE-2022-3602) -These vulnerabilities affect the `openssl-libs` package included in our Oracle Linux 9 base image. -Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service that requires a Premier Support subscription. Since PMM relies solely on public repositories, Ksplice-only updates cannot be included. -The risk is currently assessed as low because PMM is usually deployed in controlled environments. These issues will be remediated once public Oracle Linux updates are available. -## :rocket: Ready to upgrade to PMM 3.4.1? 
-- **New installation:** [Install PMM with our quickstart guide](../quickstart/quickstart.md) -- **Upgrading from PMM 2:** [Migrate from PMM 2 to PMM 3](../pmm-upgrade/migrating_from_pmm_2.md) -- **Upgrading PMM 3:** [Upgrade your existing PMM 3 installation](../pmm-upgrade/index.md) +- **Upgrading PMM 3:** [Upgrade your existing PMM 3 installation](../pmm-upgrade/index.md) From 00301d2eebac254c3061ef45227d85ad4bdb8220 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Thu, 2 Oct 2025 11:58:05 +0300 Subject: [PATCH 03/18] updated variable files --- documentation/docs/release-notes/3.4.1.md | 23 ++++++++++++++--------- documentation/docs/release-notes/index.md | 2 +- documentation/mkdocs-base.yml | 1 + documentation/mkdocs-pdf.yml | 4 ++-- documentation/variables.yml | 6 +++--- 5 files changed, 21 insertions(+), 15 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 21db02b068..573a9dcfb3 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
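Review bot: The hunk `@@ -41,68 +41,5 @@` removes the pasted chat residue and duplicate copy correctly, but the restored last line `+- **Upgrading PMM 3:** [Upgrade your existing PMM 3 installation](../pmm-upgrade/index.md)` is an identical-looking replacement of the `-` line above it apart from the dropped `(edited)`; make sure the committed file keeps a single trailing newline after it, since the original line was followed by the residue rather than end-of-file.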
@@ -11,31 +11,36 @@ Percona Monitoring and Management (PMM) is an open source database monitoring, m ## Release summary -PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and updates Docker images and package dependencies. +PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities through updates Docker images. + +## What's new ### Fixed denial of service (DoS) in Nomad (CVE-2025-8959) -We've upgraded the integrated scheduling service to Nomad v1.10.5 to address a high-severity vulnerability (CVE-2025-8959). +We've upgraded the integrated scheduling service to Nomad v1.10.5 to address a high-severity vulnerability that existed in a Nomad SSH agent dependency. -This issue existed in a Nomad SSH agent dependency and could be exploited to cause a Nomad client crash (DoS) when processing unexpected data types. +This vulnerability could be exploited to cause a Nomad DoS when processing unexpected data types. -### Fixed denial of service (DoS) in Percona Toolkit (Logrus) +### Fixed DoS in Percona Toolkit (Logrus) Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could crash Percona Toolkit commands and disrupt PMM data collection. ### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) -PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-5534.html). +PMM is not affected by this RCE vulnerability. + +The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-5534.html). 
### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) -PMM is not affected by this OpenSSL cipher processing vulnerability. The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-0627.html). +PMM is not affected by this OpenSSL cipher processing vulnerability. + +The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-0627.html). ### Accepted risk: Buffer overflow vulnerabilities in OpenSSL (CVE-2022-3786 and CVE-2022-3602) These vulnerabilities affect the `openssl-libs` package included in our Oracle Linux 9 base image. -Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service that requires a Premier Support subscription. -Since PMM relies solely on public repositories, Ksplice-only updates cannot be included. +Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. Since PMM relies solely of public repositories, Ksplice-only updates cannot be included. -The risk is currently assessed as low because PMM is usually deployed in controlled environments. These issues will be remediated once public Oracle Linux updates are available. +We consider this risk low, as PMM is usually deployed in controlled environments. We will address these issues as soon as public Oracle Linux updates become available. ## 🚀 Ready to upgrade to PMM 3.4.1? diff --git a/documentation/docs/release-notes/index.md b/documentation/docs/release-notes/index.md index 0ee2992a43..9e24bd5801 100644 --- a/documentation/docs/release-notes/index.md +++ b/documentation/docs/release-notes/index.md 
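Review bot: Two grammar defects are introduced in the `@@ -11,31 +11,36 @@` hunk of patch 03: `+PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities through updates Docker images.` should read "through updated Docker images", and `+... Since PMM relies solely of public repositories, ...` should be "relies solely on public repositories". The split of the Nomad paragraph also drops the "client crash" detail (`-... cause a Nomad client crash (DoS) ...` becomes `+... cause a Nomad DoS ...`), which loses the information about which component is affected; keep it unless it was wrong.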
@@ -1,5 +1,5 @@ # Release notes - +- [Percona Monitoring and Management 3.4.1](3.4.1.md) - [Percona Monitoring and Management 3.4.0](3.4.0.md) - [Percona Monitoring and Management 3.3.1](3.3.1.md) - [Percona Monitoring and Management 3.3.0](3.3.0.md) diff --git a/documentation/mkdocs-base.yml b/documentation/mkdocs-base.yml index 57746ad570..08e75603e7 100644 --- a/documentation/mkdocs-base.yml +++ b/documentation/mkdocs-base.yml @@ -331,6 +331,7 @@ nav: - Release notes: - Release notes index: release-notes/index.md + - "PMM 3.4.1 (2025-10-08)": release-notes/3.4.1.md - "PMM 3.4.0 (2025-09-15)": release-notes/3.4.0.md - "PMM 3.3.1 (2025-07-30)": release-notes/3.3.1.md - "PMM 3.3.0 (2025-07-09)": release-notes/3.3.0.md diff --git a/documentation/mkdocs-pdf.yml b/documentation/mkdocs-pdf.yml index 63cca54f51..e63319ebe3 100644 --- a/documentation/mkdocs-pdf.yml +++ b/documentation/mkdocs-pdf.yml @@ -7,9 +7,9 @@ plugins: version_selector: false # https://github.com/orzih/mkdocs-with-pdf with-pdf: - output_path: "pdf/PerconaMonitoringAndManagement-3.4.0.pdf" + output_path: "pdf/PerconaMonitoringAndManagement-3.4.1.pdf" cover_title: "Percona Monitoring and Management Documentation" - cover_subtitle: 3.4.0 (September 15, 2025) + cover_subtitle: 3.4.1 (October 8, 2025) author: "Percona Technical Documentation Team" cover_logo: docs/images/Percona_Logo_Color.png custom_template_path: resources/templates diff --git a/documentation/variables.yml b/documentation/variables.yml index 7aaba373a6..185fa72e4e 100644 --- a/documentation/variables.yml +++ b/documentation/variables.yml @@ -1,6 +1,6 @@ # PMM Version for HTML # See also mkdocs.yml plugins.with-pdf.cover_subtitle and output_path -release: '3.4.0' -version: '3.4.0' -release_date: 2025-09-15 +release: '3.4.1' +version: '3.4.1' +release_date: 2025-10-08 From 2139f2735ec18125ec2fabd9cd8dd0fa1afdf29c Mon Sep 17 00:00:00 2001 
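Review bot: In the `documentation/docs/release-notes/index.md` hunk the blank line after `# Release notes` is replaced by the new list item (`- ` becomes `+- [Percona Monitoring and Management 3.4.1](3.4.1.md)`), leaving the heading directly followed by the list; insert the 3.4.1 entry below the existing blank line instead so the heading keeps its separator. The `mkdocs-base.yml`, `mkdocs-pdf.yml` and `variables.yml` hunks are consistent with each other (3.4.1, 2025-10-08) and need no change.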
From: Catalina A Date: Thu, 2 Oct 2025 12:53:48 +0300 Subject: [PATCH 04/18] updated links --- documentation/docs/release-notes/3.4.1.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 573a9dcfb3..2b2b2a9fd9 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -24,15 +24,14 @@ This vulnerability could be exploited to cause a Nomad DoS when processing unexp Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could crash Percona Toolkit commands and disrupt PMM data collection. ### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) - PMM is not affected by this RCE vulnerability. -The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-5534.html). +The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). ### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) PMM is not affected by this OpenSSL cipher processing vulnerability. -The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux 9 changelog](https://linux.oracle.com/errata/ELSA-2024-0627.html). +The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). ### Accepted risk: Buffer overflow vulnerabilities in OpenSSL (CVE-2022-3786 and CVE-2022-3602) From 1f956818a99b9c77dd343578bac5095917ad0217 Mon Sep 17 00:00:00 2001 
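Review bot: The `@@ -24,15 +24,14 @@` hunk removes the blank line between `### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345)` and its first paragraph while the neighbouring `### Not affected: OpenSSL ...` section keeps one; pick one convention for heading-to-paragraph spacing across the file. The link-text change from "Oracle Linux 9 changelog" to "Oracle Linux security advisory ELSA-2024-5534" / "ELSA-2024-0627" is an improvement, since the URLs point at errata pages rather than a changelog.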
From: Catalina A <94133018+catalinaadam@users.noreply.github.com> Date: Thu, 2 Oct 2025 13:28:57 +0300 Subject: [PATCH 05/18] Update documentation/docs/release-notes/3.4.1.md Co-authored-by: Alex Demidoff --- documentation/docs/release-notes/3.4.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 2b2b2a9fd9..b495c262aa 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md @@ -11,7 +11,7 @@ Percona Monitoring and Management (PMM) is an open source database monitoring, m ## Release summary -PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities through updates Docker images. +PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities. ## What's new From 897b9c0d133aabded8b35187935dafeffeb33252 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Thu, 2 Oct 2025 13:38:47 +0300 Subject: [PATCH 06/18] typo --- documentation/docs/release-notes/3.4.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 2b2b2a9fd9..f88bded2fb 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md @@ -41,7 +41,7 @@ Oracle has released patches for these vulnerabilities, but they are distributed We consider this risk low, as PMM is usually deployed in controlled environments. We will address these issues as soon as public Oracle Linux updates become available. -## 🚀 Ready to upgrade to PMM 3.4.1? +## 🚀 Ready to upgrade to PMM 3.4.1? - **New installation:** [Install PMM with our quickstart guide](../quickstart/quickstart.md) - **Upgrading from PMM 2:** [Migrate from PMM 2 to PMM 3](../pmm-upgrade/migrating_from_pmm_2.md) From d816b6bb2b5674a71ed0f2e08d6167fd4c13d5c1 Mon Sep 17 00:00:00 2001 
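Review bot: In patch 06 ("typo") the `-## 🚀 Ready to upgrade to PMM 3.4.1?` and `+## 🚀 Ready to upgrade to PMM 3.4.1?` lines render identically, so the fix is presumably an invisible character (trailing whitespace, a non-breaking space or a variation selector); state which one in the commit message so the change can be reviewed. Note also that patch 06 is based on `index 2b2b2a9fd9..f88bded2fb`, i.e. on the result of patch 04, not on patch 05's `b495c262aa`, so the two commits were made in parallel and the series will need a merge or rebase before the later patches (patch 07 starts from `1693568c82`, which is neither) apply cleanly.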
From: Catalina A Date: Mon, 6 Oct 2025 12:47:20 +0300 Subject: [PATCH 07/18] feedback from Alex --- documentation/docs/release-notes/3.4.1.md | 28 ++++++++++++++--------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 1693568c82..f5401cb5bd 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -14,32 +14,38 @@ Percona Monitoring and Management (PMM) is an open source database monitoring, m PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities. ## What's new +## Nomad upgraded in response to CVE-2025-8959 -### Fixed denial of service (DoS) in Nomad (CVE-2025-8959) -We've upgraded the integrated scheduling service to Nomad v1.10.5 to address a high-severity vulnerability that existed in a Nomad SSH agent dependency. +We've upgraded the integrated scheduling service to Nomad v1.10.5 in response to a high-severity DoS vulnerability in its SSH agent dependency. -This vulnerability could be exploited to cause a Nomad DoS when processing unexpected data types. +However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version. -### Fixed DoS in Percona Toolkit (Logrus) -Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the dependency `github.com/sirupsen/logrus`. This flaw could crash Percona Toolkit commands and disrupt PMM data collection. +Since Nomad is disabled by default in PMM, the vulnerability has minimal risk for typical deployments. + +We are monitoring the upstream project and will upgrade once a patched version becomes available. + +### Fixed: DoS in Percona Toolkit (Logrus) +Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previously crash Percona Toolkit commands and disrupt PMM data collection. ### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) PMM is not affected by this RCE vulnerability. 
-The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, as verified against the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). +The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, verified against the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). ### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) PMM is not affected by this OpenSSL cipher processing vulnerability. -The `openssl-libs` package in the Oracle Linux 9 base OS already contains the security patch, as verified against the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). +The `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix, confirmed in the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). + +### Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) -### Accepted risk: Buffer overflow vulnerabilities in OpenSSL (CVE-2022-3786 and CVE-2022-3602) +These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. -These vulnerabilities affect the `openssl-libs` package included in our Oracle Linux 9 base image. +Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. -Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. Since PMM relies solely of public repositories, Ksplice-only updates cannot be included. 
+Because PMM uses only publicly available repositories, these Ksplice-only updates cannot be included. -We consider this risk low, as PMM is usually deployed in controlled environments. We will address these issues as soon as public Oracle Linux updates become available. +We assess this risk low, as PMM is usually deployed in controlled environments. We will apply the updates as soon as Oracle releases them publicly for Oracle Linux. ## 🚀 Ready to upgrade to PMM 3.4.1? From 3200ec2880d325cfbc5b1ce4763409041befaf32 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Mon, 6 Oct 2025 12:59:35 +0300 Subject: [PATCH 08/18] typo --- documentation/docs/release-notes/3.4.1.md | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index f5401cb5bd..d7a18457ae 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
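Review bot: The `@@ -14,32 +14,38 @@` hunk in patch 07 changes the Nomad entry from a `###` heading to `+## Nomad upgraded in response to CVE-2025-8959`, which makes it a sibling of `## What's new` instead of a child like the other `### Fixed: ...`, `### Not affected: ...` and `### Accepted risk: ...` entries; keep it at `###`. More importantly, the new text says `+However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version.`, so the issue is an accepted risk rather than a fix, and the heading should carry the same "Accepted risk:" label the other entries use; the release summary line `PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities.` in the hunk context should also not count this one as addressed. Minor: `+We assess this risk low, as PMM ...` is missing "as" ("assess this risk as low").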
@@ -11,14 +11,12 @@ Percona Monitoring and Management (PMM) is an open source database monitoring, m ## Release summary -PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities. +PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and dependency upgrades. ## What's new -## Nomad upgraded in response to CVE-2025-8959 - -We've upgraded the integrated scheduling service to Nomad v1.10.5 in response to a high-severity DoS vulnerability in its SSH agent dependency. -However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version. +## Nomad upgraded in response to CVE-2025-8959 +We've upgraded the integrated scheduling service to Nomad v1.10.5 in response to a high-severity DoS vulnerability in its SSH agent dependency. However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version. Since Nomad is disabled by default in PMM, the vulnerability has minimal risk for typical deployments. @@ -38,7 +36,6 @@ PMM is not affected by this OpenSSL cipher processing vulnerability. The `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix, confirmed in the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). ### Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) - These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. From 76307532af2ffb0dc341815c1092d80a84b1f260 Mon Sep 17 00:00:00 2001 
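Review bot: In the first hunk of patch 08, `+PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and dependency upgrades.` is grammatically off, since a release does not "address" upgrades; "addresses several security vulnerabilities and upgrades dependencies" keeps the meaning. The re-added `+## Nomad upgraded in response to CVE-2025-8959` is still a level-2 heading under `## What's new` while the sibling entries below are `###`; the same point was raised on patch 07 and is not resolved here.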
From: Catalina A Date: Mon, 6 Oct 2025 13:05:39 +0300 Subject: [PATCH 09/18] formatting --- documentation/docs/release-notes/3.4.1.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index d7a18457ae..b3ce911892 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md @@ -38,11 +38,9 @@ The `openssl-libs` package in the Oracle Linux 9 base OS already includes the se ### Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. -Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. +Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. Because PMM uses only publicly available repositories, these Ksplice-only updates cannot be included. -Because PMM uses only publicly available repositories, these Ksplice-only updates cannot be included. - -We assess this risk low, as PMM is usually deployed in controlled environments. We will apply the updates as soon as Oracle releases them publicly for Oracle Linux. +We assess this risk as low, as PMM is usually deployed in controlled environments. We will apply the updates as soon as Oracle releases them publicly for Oracle Linux. ## 🚀 Ready to upgrade to PMM 3.4.1? From fcc4dbf97c4ad86f9d81129d152b4aa0ec38f4f7 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Mon, 6 Oct 2025 13:13:36 +0300 Subject: [PATCH 10/18] formatting --- documentation/docs/release-notes/3.4.1.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
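Review bot: The merged sentence `+We assess this risk as low, as PMM is usually deployed in controlled environments.` in patch 09 fixes the missing "as" but now repeats "as ... as"; "because PMM is usually deployed" reads more cleanly. The join of the Ksplice sentence with `Because PMM uses only publicly available repositories, these Ksplice-only updates cannot be included.` into one paragraph is fine.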
diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index b3ce911892..fb25ceb6e5 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md @@ -28,12 +28,12 @@ Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerabilit ### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) PMM is not affected by this RCE vulnerability. -The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, verified against the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). +The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, confirmed in the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). ### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) -PMM is not affected by this OpenSSL cipher processing vulnerability. +PMM is not affected by this OpenSSL cipher processing vulnerability because `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix. -The `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix, confirmed in the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). +Verified against the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). ### Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. From f19e7fac1a1650253b455ef8fee982f935294df8 Mon Sep 17 00:00:00 2001 
From: Catalina A Date: Tue, 7 Oct 2025 16:44:49 +0300 Subject: [PATCH 11/18] icons --- documentation/docs/release-notes/3.4.1.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index fb25ceb6e5..e388419c3c 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md @@ -9,11 +9,11 @@ Percona Monitoring and Management (PMM) is an open source database monitoring, m - diagnose and resolve issues faster with actionable insights - manage databases across on-premises, cloud, and hybrid environments -## Release summary +## 🆕 Release summary -PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and dependency upgrades. +PMM 3.4.1 is a maintenance release that addresses several security vulnerabilities and dependency upgrades to enhance stability and safety. -## What's new +## 🔒 Security updates ## Nomad upgraded in response to CVE-2025-8959 We've upgraded the integrated scheduling service to Nomad v1.10.5 in response to a high-severity DoS vulnerability in its SSH agent dependency. However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version. 
@@ -23,7 +23,7 @@ Since Nomad is disabled by default in PMM, the vulnerability has minimal risk fo We are monitoring the upstream project and will upgrade once a patched version becomes available. ### Fixed: DoS in Percona Toolkit (Logrus) -Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previously crash Percona Toolkit commands and disrupt PMM data collection. +Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previo usly crash Percona Toolkit commands and disrupt PMM data collection. ### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) PMM is not affected by this RCE vulnerability. @@ -48,3 +48,6 @@ We assess this risk as low, as PMM is usually deployed in controlled environment - **Upgrading from PMM 2:** [Migrate from PMM 2 to PMM 3](../pmm-upgrade/migrating_from_pmm_2.md) - **Upgrading PMM 3:** [Upgrade your existing PMM 3 installation](../pmm-upgrade/index.md) +## ❓ Questions or issues? + +Visit our [community forum](https://forums.percona.com/c/percona-monitoring-and-management-pmm/pmm-3/84) or [open an issue](https://github.com/percona/pmm/issues) on GitHub. \ No newline at end of file From d5e0d7c497a4e2c53480adee1c7a8e9e2b39c414 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Tue, 7 Oct 2025 16:57:16 +0300 Subject: [PATCH 12/18] formatting --- documentation/docs/release-notes/3.4.1.md | 1 - 1 file changed, 1 deletion(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index e388419c3c..baa9c2d31b 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -32,7 +32,6 @@ The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-1 ### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) PMM is not affected by this OpenSSL cipher processing vulnerability because `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix. - Verified against the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). ### Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) From 362493f92ca5fd2fc67fbbc154cba15b80979f40 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Tue, 7 Oct 2025 18:37:28 +0300 Subject: [PATCH 13/18] icons --- documentation/docs/release-notes/3.4.1.md | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index baa9c2d31b..bf1248725a 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -15,26 +15,27 @@ PMM 3.4.1 is a maintenance release that addresses several security vulnerabiliti ## 🔒 Security updates -## Nomad upgraded in response to CVE-2025-8959 +### âŦ†ī¸ Nomad upgraded in response to CVE-2025-8959 We've upgraded the integrated scheduling service to Nomad v1.10.5 in response to a high-severity DoS vulnerability in its SSH agent dependency. However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version. Since Nomad is disabled by default in PMM, the vulnerability has minimal risk for typical deployments. We are monitoring the upstream project and will upgrade once a patched version becomes available. -### Fixed: DoS in Percona Toolkit (Logrus) +### 🔧 Fixed: DoS in Percona Toolkit (Logrus) Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previo usly crash Percona Toolkit commands and disrupt PMM data collection. -### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) +### â„šī¸ Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) +PMM is not affected by this OpenSSL cipher processing vulnerability because `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix. + +Verified against the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). + +### â„šī¸ Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, confirmed in the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). 
-### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) -PMM is not affected by this OpenSSL cipher processing vulnerability because `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix. -Verified against the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). - -### Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) +### âš ī¸ Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. Because PMM uses only publicly available repositories, these Ksplice-only updates cannot be included. From f78d3d7270fcbbc1851489eabeb814ea04fd74be Mon Sep 17 00:00:00 2001 From: Catalina A Date: Thu, 9 Oct 2025 11:09:56 +0300 Subject: [PATCH 14/18] ClickHouse entry --- documentation/docs/release-notes/3.4.1.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index bf1248725a..331c019065 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -35,6 +35,16 @@ PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, confirmed in the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). +### â„šī¸ Not affected: ClickHouse vulnerabilities related to Go 1.19.10 + +This release also resolves vulnerabilities discovered in ClickHouse, the database engine integrated into PMM for storing performance metrics. + +The reported issues stem from an older version of Go (1.19.10) used within ClickHouse and affect the `clickhouse-diagnostics utility`, which is not used by PMM. + +To fully eliminate potential exposure, we have removed the `clickhouse-diagnostics package`from the PMM 3.4.1. As a result, PMM is not affected by these vulnerabilities. + +We plan a full ClickHouse version upgrade in PMM 3.5.0, which will include the updated Go runtime. + ### âš ī¸ Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. From db797bd3f214edf4ec1531b7dcc7ef56a603bc4d Mon Sep 17 00:00:00 2001 From: Catalina A Date: Thu, 9 Oct 2025 11:19:06 +0300 Subject: [PATCH 15/18] CVE number --- documentation/docs/release-notes/3.4.1.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 331c019065..82992303ef 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -35,15 +35,16 @@ PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, confirmed in the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). -### â„šī¸ Not affected: ClickHouse vulnerabilities related to Go 1.19.10 +### â„šī¸ Not affected: ClickHouse vulnerabilities related to Go 1.19.10 (CVE-2024-24790) -This release also resolves vulnerabilities discovered in ClickHouse, the database engine integrated into PMM for storing performance metrics. -The reported issues stem from an older version of Go (1.19.10) used within ClickHouse and affect the `clickhouse-diagnostics utility`, which is not used by PMM. +This release also addresses vulnerabilities discovered in ClickHouse v23.8.2.7, the database engine integrated into PMM for storing performance metrics. -To fully eliminate potential exposure, we have removed the `clickhouse-diagnostics package`from the PMM 3.4.1. As a result, PMM is not affected by these vulnerabilities. +The vulnerabilities originated from an older version of Go (1.19.10) used within ClickHouse and affect the `clickhouse-diagnostics utility`, a diagnostic utility that PMM does not use. -We plan a full ClickHouse version upgrade in PMM 3.5.0, which will include the updated Go runtime. +To fully eliminate potential exposure, we have removed the `clickhouse-diagnostics` package from the PMM 3.4.1. As a result, PMM is not affected by these vulnerabilities. + +We plan a full ClickHouse version upgrade in PMM 3.5.0, which will include an updated Go runtime. ### âš ī¸ Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. From 73ddccf8cfd2d6f9f350341f5b2801eb8d863a33 Mon Sep 17 00:00:00 2001 
From: Catalina A Date: Thu, 9 Oct 2025 12:22:24 +0300 Subject: [PATCH 16/18] removed extra icon --- documentation/docs/release-notes/3.4.1.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 82992303ef..646c1dbde1 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -15,29 +15,27 @@ PMM 3.4.1 is a maintenance release that addresses several security vulnerabiliti ## 🔒 Security updates -### âŦ†ī¸ Nomad upgraded in response to CVE-2025-8959 +### Nomad upgraded in response to CVE-2025-8959 We've upgraded the integrated scheduling service to Nomad v1.10.5 in response to a high-severity DoS vulnerability in its SSH agent dependency. However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version. Since Nomad is disabled by default in PMM, the vulnerability has minimal risk for typical deployments. We are monitoring the upstream project and will upgrade once a patched version becomes available. -### 🔧 Fixed: DoS in Percona Toolkit (Logrus) +### Fixed: DoS in Percona Toolkit (Logrus) Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previo usly crash Percona Toolkit commands and disrupt PMM data collection. -### â„šī¸ Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) +### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) PMM is not affected by this OpenSSL cipher processing vulnerability because `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix. Verified against the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html). -### â„šī¸ Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) +### Not affected: Remote code execution (RCE) in pypa/setuptools (CVE-2024-6345) PMM is not affected by this RCE vulnerability. The PMM image's base OS, Oracle Linux 9, ships with `python3-setuptools 53.0.0-13.el9_6.1`, which already contains the necessary security patch, confirmed in the [Oracle Linux security advisory ELSA-2024-5534](https://linux.oracle.com/errata/ELSA-2024-5534.html). 
-### â„šī¸ Not affected: ClickHouse vulnerabilities related to Go 1.19.10 (CVE-2024-24790) - - +### Not affected: ClickHouse vulnerabilities related to Go 1.19.10 (CVE-2024-24790) This release also addresses vulnerabilities discovered in ClickHouse v23.8.2.7, the database engine integrated into PMM for storing performance metrics. The vulnerabilities originated from an older version of Go (1.19.10) used within ClickHouse and affect the `clickhouse-diagnostics utility`, a diagnostic utility that PMM does not use. @@ -46,7 +44,7 @@ To fully eliminate potential exposure, we have removed the `clickhouse-diagnosti We plan a full ClickHouse version upgrade in PMM 3.5.0, which will include an updated Go runtime. -### âš ī¸ Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) +### Accepted risk: OpenSSL buffer overflow vulnerabilities (CVE-2022-3786 and CVE-2022-3602) These vulnerabilities affect the `openssl-libs` package that comes with PMM's Oracle Linux 9 base image. Oracle has released patches for these vulnerabilities, but they are distributed only through Oracle Ksplice, their live patching service for Premier Support subscriptions. Because PMM uses only publicly available repositories, these Ksplice-only updates cannot be included. From 6c264e9877b64260cc362d185d892632c35802fc Mon Sep 17 00:00:00 2001 From: Catalina A <94133018+catalinaadam@users.noreply.github.com> Date: Thu, 9 Oct 2025 15:05:16 +0300 Subject: [PATCH 17/18] Update documentation/docs/release-notes/3.4.1.md Co-authored-by: Nurlan Moldomurov --- documentation/docs/release-notes/3.4.1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 646c1dbde1..d41059fa7e 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md 
@@ -23,7 +23,7 @@ Since Nomad is disabled by default in PMM, the vulnerability has minimal risk fo We are monitoring the upstream project and will upgrade once a patched version becomes available. ### Fixed: DoS in Percona Toolkit (Logrus) -Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previo usly crash Percona Toolkit commands and disrupt PMM data collection. +Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previously crash Percona Toolkit commands and disrupt PMM data collection. ### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) PMM is not affected by this OpenSSL cipher processing vulnerability because `openssl-libs` package in the Oracle Linux 9 base OS already includes the security fix. From 9ff3269d0e1b4e6d7d5c65a154af61a806e3da69 Mon Sep 17 00:00:00 2001 From: Catalina A Date: Thu, 9 Oct 2025 15:09:01 +0300 Subject: [PATCH 18/18] updated date --- documentation/docs/release-notes/3.4.1.md | 2 +- documentation/mkdocs-pdf.yml | 2 +- documentation/variables.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/documentation/docs/release-notes/3.4.1.md b/documentation/docs/release-notes/3.4.1.md index 646c1dbde1..1c13d92d13 100644 --- a/documentation/docs/release-notes/3.4.1.md +++ b/documentation/docs/release-notes/3.4.1.md @@ -1,6 +1,6 @@ # Percona Monitoring and Management 3.4.1 -**Release date**: October 8th 2025 +**Release date**: November 13th 2025 Percona Monitoring and Management (PMM) is an open source database monitoring, management, and observability solution for MySQL, PostgreSQL, and MongoDB. PMM empowers you to: diff --git a/documentation/mkdocs-pdf.yml b/documentation/mkdocs-pdf.yml index e63319ebe3..a7cdc03d4c 100644 --- a/documentation/mkdocs-pdf.yml +++ b/documentation/mkdocs-pdf.yml 
@@ -9,7 +9,7 @@ plugins: with-pdf: output_path: "pdf/PerconaMonitoringAndManagement-3.4.1.pdf" cover_title: "Percona Monitoring and Management Documentation" - cover_subtitle: 3.4.1 (October 8, 2025) + cover_subtitle: 3.4.1 (November 13, 2025) author: "Percona Technical Documentation Team" cover_logo: docs/images/Percona_Logo_Color.png custom_template_path: resources/templates diff --git a/documentation/variables.yml b/documentation/variables.yml index 185fa72e4e..9009ebca3c 100644 --- a/documentation/variables.yml +++ b/documentation/variables.yml @@ -3,4 +3,4 @@ release: '3.4.1' version: '3.4.1' -release_date: 2025-10-08 +release_date: 2025-11-13
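Review bot: The hunk `@@ -11,14 +11,12 @@` in the patch that precedes PATCH 09/18 changes the summary to "addresses several security vulnerabilities and dependency upgrades", which reads as if the release addresses upgrades; suggest "addresses several security vulnerabilities and includes dependency upgrades". The same hunk keeps the Nomad entry at `## Nomad upgraded in response to CVE-2025-8959`, the same level as the `## What's new` heading it sits under, while the sibling entries use `###`; the level is only corrected in PATCH 13/18, so fix it here where the line is already being rewritten.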
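Review bot: The Nomad paragraph (hunk `@@ -11,14 +11,12 @@` before PATCH 09/18, carried as context through PATCH 11/18 to 16/18) states that v1.10.5 "still contains the vulnerable Go crypto library", so the entry should not sit under a heading that reads like a fix; label it the way the neighbouring entries are labelled (for example "Accepted risk:") and name the dependency module and the version expected to carry the upstream fix, so readers can verify when the follow-up release lands. The low-risk assessment rests entirely on "Nomad is disabled by default in PMM", but the text gives no guidance to deployments that have enabled it; add a sentence telling those users to keep the service disabled until the patched version ships, and how to check whether it is currently enabled.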
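Review bot: In PATCH 09/18, hunk `@@ -38,11 +38,9 @@`, the accepted-risk entry for CVE-2022-3786 and CVE-2022-3602 still never states which `openssl-libs` build ships in the image, so a reader cannot confirm with `rpm -q openssl-libs` whether their instance carries the accepted risk; quote the package NVR the way the setuptools entry quotes `python3-setuptools 53.0.0-13.el9_6.1`. The sentence "We assess this risk as low, as PMM is usually deployed in controlled environments" justifies the rating only by deployment context; add the condition under which these vulnerabilities are actually reachable so operators can judge their own exposure rather than rely on the general claim.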
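Review bot: In PATCH 10/18, hunk `@@ -28,12 +28,12 @@`, the rewritten line "because `openssl-libs` package in the Oracle Linux 9 base OS" is missing the article ("because the `openssl-libs` package"), and the hunk swaps the two verification phrasings rather than aligning them: setuptools changes from "verified against" to "confirmed in" while OpenSSL changes from "confirmed in" to "Verified against"; pick one form for both entries. The new standalone line "Verified against the [Oracle Linux security advisory ELSA-2024-0627](…)." has no subject; PATCH 12/18 later removes the blank line above it, which only joins the fragment to the paragraph. Suggest ", as confirmed in the [Oracle Linux security advisory ELSA-2024-0627](https://linux.oracle.com/errata/ELSA-2024-0627.html)." appended to the preceding sentence.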
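Review bot: In PATCH 11/18, hunk `@@ -9,11 +9,11 @@`, the new `## 🔒 Security updates` heading is immediately followed by `## Nomad upgraded in response to CVE-2025-8959` at the same level, so the first security entry does not nest under the section it introduces; it should be `###` like the entries that follow. Hunk `@@ -23,7 +23,7 @@` in the same patch introduces the typo "previo usly" on the `+` line, which PATCH 17/18 then reverts; squash the fix into this commit so the series does not carry a broken intermediate state. Hunk `@@ -48,3 +48,6 @@` ends with "\ No newline at end of file"; terminate the file with a newline.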
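Review bot: In PATCH 13/18, hunk `@@ -15,26 +15,27 @@`, the icons added to the four `###` headings appear as mojibake (`âŦ†ī¸`, `â„šī¸`, `âš ī¸`) while `🔒` and `🔧` in the same hunk render correctly, which suggests the newly added characters were written or re-encoded in something other than UTF-8; check the file's encoding before merging. Since PATCH 16/18 ("removed extra icon") strips all four again, the two commits cancel out and could both be dropped from the series. The same hunk also moves the OpenSSL cipher entry above the setuptools entry, a reordering that the commit message "icons" does not mention.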
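Review bot: In PATCH 14/18, hunk `@@ -35,6 +35,16 @@`, the heading says "Not affected" but the first body sentence says "This release also resolves vulnerabilities discovered in ClickHouse"; a reader cannot tell whether a fix was applied or the component was never exposed, so pick one framing (the later sentence "As a result, PMM is not affected" suggests the heading is the intended one, and "resolves" should go). The backticks on "`clickhouse-diagnostics utility`" and "`clickhouse-diagnostics package`from" wrap the common noun and drop the space; write "the `clickhouse-diagnostics` utility" and "the `clickhouse-diagnostics` package from PMM 3.4.1". PATCH 15/18 corrects only the second occurrence and keeps "from the PMM 3.4.1". Removing a package from the image is a user-visible change worth one sentence telling anyone who invoked that binary inside the container that it is no longer present. In PATCH 15/18 the heading gains a single identifier, CVE-2024-24790, while the body keeps "vulnerabilities" in the plural; either list every CVE covered or say "including CVE-2024-24790".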
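Review bot: In PATCH 18/18 the index line for `documentation/docs/release-notes/3.4.1.md` reads `646c1dbde1..1c13d92d13`, that is, against the blob before PATCH 17/18 (which produced `d41059fa7e`); the patch was generated from a branch that does not contain PATCH 17. It still applies because the hunks do not overlap, but the series should be regenerated from the rebased branch so the index lines are consistent. The same date is now hard-coded in three places (`**Release date**` in 3.4.1.md, `cover_subtitle` in mkdocs-pdf.yml, `release_date` in variables.yml); all three are updated consistently here, but consider deriving the two display copies from `release_date` so a future date change cannot leave them out of sync.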