Bump go 1.21.10 and 1.22.3

[ahrtr]

What would you like to be added?

Both 1.21.10 and 1.22.3 include security fixes

Why is this needed?

fix CVE

[ivanvc]

Completion tracking below:

• [x] main: go v1.22.3 - #17975
• [x] release-3.5: go v1.21.10 - #17980
• [x] release-3.4: go v1.21.10 - #17981
• [x] CHANGELOG - #18019
• [x] etcd-io/bbolt main: go v1.22.3 - etcd-io/bbolt#753
• [x] etcd-io/bbolt release-1.3: v1.21.10 - etcd-io/bbolt#754
• [x] etcd-io/raft main: go v1.22.3 - etcd-io/raft#199

Refer to previous PRs as a reference, i.e., https://github.com/etcd-io/etcd/issues/17269

[ivanvc]

@ahrtr, do we want to update bbolt and raft? Based on recent conversations I'm unsure if that's the intention.

[lavishpal]

@ahrtr could you assign this issue to me ?

[ivanvc]

/assign @lavishpal

[ahrtr]

@ahrtr, do we want to update bbolt and raft? Based on recent conversations I'm unsure if that's the intention.

I think the answer is YES. We follow the same rule as documented in dependency_management.md#golang-versions for all repos, and also https://github.com/etcd-io/etcd/pull/17876

[ahrtr]

Can we submit the PRs of bumping golang version for etcd (including main, release-3.5 and release-3.4) this week? Otherwise we will keep seeing failed workflow checks.

We also need to release new patches for 3.5 and 3.4 soon.

[henrybear327]

Can we submit the PRs of bumping golang version for etcd (including main, release-3.5 and release-3.4) this week? Otherwise we will keep seeing failed workflow checks.

We also need to release new patches for 3.5 and 3.4 soon.

It would be nice to have it done ASAP since this is blocking https://github.com/etcd-io/etcd/pull/17973 as the CI will not pass (and we would not like this to spillover to next week).

@ahrtr Maybe I can take over the etcd main branch update so I can proceed with the dependency update normally, while in the meantime @lavishpal can take his/her time working on the rest of the branches? :)

[ivanvc]

Ping @lavishpal. Would you work on this this week? Otherwise, we may need to reassign to some collaborator who can help with it, as it is making it fail our CI jobs. Thanks.

[lavishpal]

I will complete this within 2 days .

[jmhbnz]

Hey @lavishpal - Do you have capacity to complete the remainder of the pull requests listed in the completion tracker above https://github.com/etcd-io/etcd/issues/17964#issuecomment-2099276868?

[lavishpal]

Hey @lavishpal - Do you have capacity to complete the remainder of the pull requests listed in the completion tracker above https://github.com/etcd-io/etcd/issues/17964#issuecomment-2099276868?

Yeah i will complete it by tomorrow.

[ivanvc]

Wow, that was very quick. Thanks for the PRs, @lavishpal. Please update the ' CHANGELOG ' after closing #17980 and #17981.

Thanks again.

[ivanvc]

Also, as reference 1.21.10/1.22.3 address CVE: CVE-2024-24787.

[ivanvc]

@lavishpal, do you have the capacity to update the CHANGELOGs? As a reference, this is the PR when we updated them to 1.20.13: https://github.com/etcd-io/etcd/pull/17309

Thanks

[lavishpal]

@lavishpal, do you have the capacity to update the CHANGELOGs? As a reference, this is the PR when we updated them to 1.20.13: #17309

Thanks

@ivanvc Sure i will finish it by tomorrow.

[ahrtr]

I think we are ready to release new patches for both 3.4 and 3.5. @jmhbnz @spzala

[jmhbnz]

I think we are ready to release new patches for both 3.4 and 3.5. @jmhbnz @spzala

Agree. I've opened the planning issues:

• https://github.com/etcd-io/etcd/issues/18013
• https://github.com/etcd-io/etcd/issues/18014

I am happy to be release lead for v3.5.14, @spzala do you have availability to lead v3.4.33 release?

[ivanvc]

With all the tasks completed, we can close this issue now. Thanks, @lavishpal, for helping with this.