[Doc] 3.4.1 RelNotes #4600
Pull Request Overview
This PR adds release notes for PMM 3.4.1, documenting security fixes and vulnerability assessments for the maintenance release dated October 8th, 2025.
- Adds comprehensive release notes covering security vulnerabilities and their resolutions
- Documents fixes for DoS vulnerabilities in Nomad and Percona Toolkit
- Details vulnerability assessments showing PMM is not affected by certain CVEs
Pull Request Overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
LGTM.
Co-authored-by: Alex Demidoff <[email protected]>
Co-authored-by: Nurlan Moldomurov <[email protected]>
| @@ -0,0 +1,62 @@ | |||
| # Percona Monitoring and Management 3.4.1 | |||
|
|
|||
| **Release date**: November 13th 2025 | |||
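Review bot: The `**Release date**: November 13th 2025` line conflicts with the PR description, which dates the 3.4.1 maintenance release October 8th, 2025; settle on one date and correct the other so the published notes and the PR record agree.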
October instead?
| ## 🔒 Security updates | ||
|
|
||
| ### Nomad upgraded in response to CVE-2025-8959 | ||
| We've upgraded the integrated scheduling service to Nomad v1.10.5 in response to a high-severity DoS vulnerability in its SSH agent dependency. However, this latest version still contains the vulnerable Go crypto library because the upstream fix has been committed but not yet released with this version. |
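Review bot: The heading `### Nomad upgraded in response to CVE-2025-8959` drops the `Fixed:` / `Not affected:` labelling the other headings in this file use, while the body then admits that Nomad v1.10.5 still carries the vulnerable Go crypto library, so a reader skimming the headings will take the issue as resolved. Label it as an open item (for example `### Known issue: Nomad DoS (CVE-2025-8959), upstream fix pending`), lead with the exposure condition and mitigation (Nomad is disabled by default; keep it switched off until a patched Nomad is integrated), and keep the version bump as the secondary detail.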
The wording could be clearer here. What's important is not that we upgraded (because it doesn't solve the security issue), but the fact that there's a risk. What about something like:
PMM uses Nomad, which is currently impacted by a high-severity DoS vulnerability originating in the Go crypto library. Since Nomad is disabled by default in PMM, the vulnerability poses minimal risk for typical deployments. We highly recommend that users keep Nomad switched off.
Nonetheless, we have upgraded Nomad to v1.10.5 and we will continue monitoring the upstream project. Once a patched version becomes available, we will integrate the fix into an upcoming PMM release.
... or something along those lines...
|
|
||
| The vulnerabilities originated from an older version of Go (1.19.10) used within ClickHouse and affect the `clickhouse-diagnostics utility`, a diagnostic utility that PMM does not use. | ||
|
|
||
| To fully eliminate potential exposure, we have removed the `clickhouse-diagnostics` package from the PMM 3.4.1. As a result, PMM is not affected by these vulnerabilities. |
"from PMM 3.4.1." instead of "from the PMM 3.4.1."
| ### Not affected: ClickHouse vulnerabilities related to Go 1.19.10 (CVE-2024-24790) | ||
| This release also addresses vulnerabilities discovered in ClickHouse v23.8.2.7, the database engine integrated into PMM for storing performance metrics. | ||
|
|
||
| The vulnerabilities originated from an older version of Go (1.19.10) used within ClickHouse and affect the `clickhouse-diagnostics utility`, a diagnostic utility that PMM does not use. |
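Review bot: The heading `### Not affected: ClickHouse vulnerabilities related to Go 1.19.10 (CVE-2024-24790)` names a single CVE while the body speaks of "vulnerabilities" in the plural and opens with "This release also addresses vulnerabilities", which reads as a fix under a heading that says PMM is not affected. Either list every CVE the scanners reported for the Go 1.19.10 toolchain in the heading or make the body singular, and replace "addresses" with wording that matches the heading, for example "Security scanners flag vulnerabilities in ClickHouse v23.8.2.7 ...; PMM is not affected because ...". The `clickhouse-diagnostics utility` code span also wraps the word "utility" inside the backticks, so it reads as a package name.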
"and affect clickhouse-diagnostics, a diagnostic utility that PMM does not use." instead of "and affect the clickhouse-diagnostics utility, a diagnostic utility that PMM does not use."
| ### Fixed: DoS in Percona Toolkit (Logrus) | ||
| Upgraded Percona Toolkit to v3.7.0-2 to resolve a high-severity DoS vulnerability found in the `github.com/sirupsen/logrus` dependency. This flaw could previously crash Percona Toolkit commands and disrupt PMM data collection. | ||
|
|
||
| ### Not affected: OpenSSL cipher processing vulnerability (CVE-2023-5363) |
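Review bot: The `### Fixed: DoS in Percona Toolkit (Logrus)` entry is the only item in this file without a CVE identifier, and it gives the new Percona Toolkit version (v3.7.0-2) without stating which `github.com/sirupsen/logrus` version was vulnerable and which one the upgrade ships, so users cannot match it against their scanner output. Add the identifier to the heading (`### Fixed: DoS in Percona Toolkit (Logrus, CVE-XXXX-XXXXX)`, placeholder to be filled from the advisory) and name the fixed logrus version in the body.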
Starting with this one, there are three "Not affected" items. We aren't telling users why we're listing these items if they do not affect PMM. What if we add a "False Positives" or "Reported CVE Issues" subhead along with a simple text that says something like: "Security scan tools are reporting the following CVEs affecting the latest PMM 3.4.0. After thorough investigation, we have determined that these issues do not affect PMM."
... and then the list of issues...