Skip to content

juju

v3.6.23 Security

This release includes 4 security fixes for security teams reviewing exposed deployments.

Published 14d Containers & Orchestration
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 4 known CVEs

Topics

containers devops go juju kubernetes operations

Affected surfaces

deps

ReleasePort's take

Moderate signal
editorial:auto 14d

Juju 3.6.23 patches security vulnerabilities in dependencies and fixes backup creation failures during controller upgrades. Storage update APIs are renamed for 4.0 compatibility.

Why it matters: Backup creation failures block controller upgrades in v3.6; security vulnerabilities in dependencies fixed (golang.org/x/net 0.52.0→0.53.0). Patch to 3.6.23 immediately. Storage APIs renamed for v4.0—migrate before adoption.

Summary

AI summary

Broad release touches fix, feat, chore, and test.

Changes in this release

Security Medium

Fix security vulnerabilities in dependencies

Fix security vulnerabilities in dependencies

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Feature Medium

Add step to transition guide for storage pools

Add step to transition guide for storage pools

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Add agent md files

Add agent md files

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Add api/common/cloudcred package for JIMM

Add api/common/cloudcred package for JIMM

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Enable storage resize for Kubernetes apps

Enable storage resize for Kubernetes apps

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Support root disk source in GCE

Support root disk source in GCE

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Inject default image repo during build

Inject default image repo during build

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Update dqlite to version 1.18.6

Update dqlite to version 1.18.6

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Enable K8s storage size update

Enable K8s storage size update

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Reuse secret access tokens if scope matches

Reuse secret access tokens if scope matches

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Feature Medium

Add script to change the juju-db snap channel

Add script to change the juju-db snap channel

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Dependency Medium

Bump golang.org/x/net from 0.52.0 to 0.53.0

Bump golang.org/x/net from 0.52.0 to 0.53.0

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Bugfix Medium

Improve error message for unsupported controller upgrades

Improve error message for unsupported controller upgrades

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Bugfix Medium

Ensure create backup works after upgrade

Ensure create backup works after upgrade

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Bugfix Medium

Disallow updating storage provider type

Disallow updating storage provider type

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Bugfix Medium

Correct operator status display

Correct operator status display

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Treat integral float values as ints in bundle comparison

Treat integral float values as ints in bundle comparison

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Gracefully handle missing storage backing status

Gracefully handle missing storage backing status

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Exclude empty checksum from backup metadata JSON

Exclude empty checksum from backup metadata JSON

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Send proper WebSocket close codes in logsink/logsender

Send proper WebSocket close codes in logsink/logsender

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Add short model ID to error messages

Add short model ID to error messages

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Use stderr, not tty, in backup shell test

Use stderr, not tty, in backup shell test

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Fix grouping ports issue

Fix grouping ports issue

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Add robust not found error handling in firewallers

Add robust not found error handling in firewallers

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Medium

Use humanize size in application-storage tabular output

Use humanize size in application-storage tabular output

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Bugfix Low

Revert PTY allocation disablement when remote command is provided (SSH)

Revert PTY allocation disablement when remote command is provided (SSH)

Source: granite4.1:30b@2026-05-21-audit

Confidence: high
Refactor Medium

Rename storage update APIs for 4.0 compatibility

Rename storage update APIs for 4.0 compatibility

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Refactor Medium

Remove Juju version from generated cloudcred file

Remove Juju version from generated cloudcred file

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: high
Other Medium

Fix CMR shell test failures

Fix CMR shell test failures

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Other Medium

Backport test fixes for model metrics shell tests

Backport test fixes for model metrics shell tests

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Other Medium

Make Kubernetes secrets shell tests more robust

Make Kubernetes secrets shell tests more robust

Source: granite4.1:8b-q6_K@2026-05-21

Confidence: low
Other Low

Increment Juju version to 3.6.23

Increment Juju version to 3.6.23

Source: granite4.1:30b@2026-05-21-audit

Confidence: low
Full changelog

The Juju team is proud to release Juju 3.6.23!

This is a point release to the stable 3.6 series of Juju.

Checkout the Juju 3.6.23 Release Notes

What's Changed

  • chore: increment juju to 3.6.23 by @jujubot in https://github.com/juju/juju/pull/22415
  • feat: add step to transition guide for storage pools by @jack-w-shaw in https://github.com/juju/juju/pull/22404
  • feat: add agent md files by @wallyworld in https://github.com/juju/juju/pull/22431
  • refactor: rename the storage update apis to be compatible with 4.0 by @wallyworld in https://github.com/juju/juju/pull/22434
  • Revert "fix(ssh): disable PTY allocation when remote command is provided" by @SimonRichardson in https://github.com/juju/juju/pull/22035
  • Revert "fix(ssh): disable PTY allocation when remote command is provided"" by @SimonRichardson in https://github.com/juju/juju/pull/22052
  • docs: purge all html comments by @tmihoc in https://github.com/juju/juju/pull/22066
  • feat(api/common/cloudcred): adds the api/common/cloudcred package that will be used by JIMM by @alesstimec in https://github.com/juju/juju/pull/21889
  • refactor(cloudcred): removes the juju version from the generated file by @alesstimec in https://github.com/juju/juju/pull/22100
  • chore: increment juju version to 3.6.21 by @wallyworld in https://github.com/juju/juju/pull/22098
  • fix(upgrade-controller): improve error message for unsupported version upgrades by @iyiguncevik in https://github.com/juju/juju/pull/21986
  • fix: correct operator status by @adisazhar123 in https://github.com/juju/juju/pull/22097
  • feat: storage resize for k8s apps by @adisazhar123 in https://github.com/juju/juju/pull/21309
  • feat: add support for root disk source in gce by @CodingCookieRookie in https://github.com/juju/juju/pull/22041
  • chore: merge cve fix branch by @wallyworld in https://github.com/juju/juju/pull/22132
  • feat: migration precheck to abort for unstabilized applications by @adisazhar123 in https://github.com/juju/juju/pull/22108
  • fix(bundle): treat compare integral float values as ints by @raineszm in https://github.com/juju/juju/pull/22061
  • test: fix cmr shell test failures by @wallyworld in https://github.com/juju/juju/pull/22177
  • chore(deps): bump golang.org/x/net from 0.52.0 to 0.53.0 by @dependabot[bot] in https://github.com/juju/juju/pull/22204
  • chore: merge private branch with CVE fixes by @wallyworld in https://github.com/juju/juju/pull/22205
  • chore: merge private branch with CVE fixes by @wallyworld in https://github.com/juju/juju/pull/22206
  • docs: fix typo in 2.9 release notes by @wallyworld in https://github.com/juju/juju/pull/22209
  • 2.9 release notes typo by @wallyworld in https://github.com/juju/juju/pull/22210
  • feat: handle proxy in retrieveCACert function by @kian99 in https://github.com/juju/juju/pull/22165
  • chore(deps): security vulnerabilities by @iyiguncevik in https://github.com/juju/juju/pull/22211
  • fix: add recent introduced azure fallback cloud regions by @CodingCookieRookie in https://github.com/juju/juju/pull/22216
  • fix: migrate machine hostname by @adisazhar123 in https://github.com/juju/juju/pull/22207
  • fix: k8s deployment issue with rootfs and tmpfs by @CodingCookieRookie in https://github.com/juju/juju/pull/22163
  • chore: merge 2.9 into 3.6 + security vulnerabilities by @iyiguncevik in https://github.com/juju/juju/pull/22232
  • feat: display and update application storage cmd interface by @CodingCookieRookie in https://github.com/juju/juju/pull/21241
  • docs: update sphinx-llm to v0.4.0 with absolute URLs by @tmihoc in https://github.com/juju/juju/pull/22256
  • feat: add support of '--file' for update-cloud by @Tony-WLB in https://github.com/juju/juju/pull/22191
  • chore(deps): bump golang.org/x/mod from 0.34.0 to 0.35.0 by @dependabot[bot] in https://github.com/juju/juju/pull/22215
  • fix: gracefully handle missing storage backing status by @adisazhar123 in https://github.com/juju/juju/pull/22159
  • fix: exclude empty checksum from backup metadata json by @wallyworld in https://github.com/juju/juju/pull/22261
  • fix: ensure create backup works after upgrade by @wallyworld in https://github.com/juju/juju/pull/22271
  • fix(logsink,logsender): send proper WebSocket close codes and treat them as io.EOF by @xtrusia in https://github.com/juju/juju/pull/22065
  • feat: inject default image repo during build by @jack-w-shaw in https://github.com/juju/juju/pull/22255
  • fix: add a short model id to error messages by @jameinel in https://github.com/juju/juju/pull/22269
  • fix: use stderr not tty in backup shell test by @wallyworld in https://github.com/juju/juju/pull/22286
  • fix: grouping ports issue by @Deadinside101 in https://github.com/juju/juju/pull/22278
  • test: backport test fixes for model metrics shell tests by @wallyworld in https://github.com/juju/juju/pull/22292
  • feat(dqlite): update dqlite 1.18.6 by @SimonRichardson in https://github.com/juju/juju/pull/22289
  • feat(dqlite): update dqlite 1.18.6 by @SimonRichardson in https://github.com/juju/juju/pull/22297
  • 3.6 update release notes structure by @tmihoc in https://github.com/juju/juju/pull/22302
  • Update 2.9 release notes support statement by @tmihoc in https://github.com/juju/juju/pull/22301
  • docs: update landing pages by @tmihoc in https://github.com/juju/juju/pull/22173
  • feat: mongo-client script by @nicolasbock in https://github.com/juju/juju/pull/22312
  • fix: snap linker for JujudOCINamespace by @jack-w-shaw in https://github.com/juju/juju/pull/22320
  • docs: set up multi-version sitemaps by @tmihoc in https://github.com/juju/juju/pull/22299
  • fix: ensure controller app is exposed on upgrade by @wallyworld in https://github.com/juju/juju/pull/22313
  • 2.9 into 3.6 by @jack-w-shaw in https://github.com/juju/juju/pull/22325
  • docs: small fixes to hooks reference documentation by @astrojuanlu in https://github.com/juju/juju/pull/22318
  • fix: disallow updating storage provider type by @adisazhar123 in https://github.com/juju/juju/pull/22287
  • fix: add robust not found error handling in firewallers by @wallyworld in https://github.com/juju/juju/pull/22339
  • Add script to change the juju-db snap channel by @nicolasbock in https://github.com/juju/juju/pull/21868
  • fix: application-storage tabular output to use humanize size by @adisazhar123 in https://github.com/juju/juju/pull/22371
  • test: make k8s secrets shell tests more robust by @wallyworld in https://github.com/juju/juju/pull/22378
  • feat: k8s storage size update by @wallyworld in https://github.com/juju/juju/pull/22388
  • feat: reuse secret access tokens if scope matches by @wallyworld in https://github.com/juju/juju/pull/22399

New Contributors

  • @Tony-WLB made their first contribution in https://github.com/juju/juju/pull/22191
  • @Deadinside101 made their first contribution in https://github.com/juju/juju/pull/22278
  • @astrojuanlu made their first contribution in https://github.com/juju/juju/pull/22318

Full Changelog: https://github.com/juju/juju/compare/v3.6.21...v3.6.23

Breaking Changes

  • Refactor: rename the storage update APIs to be compatible with Juju 4.0

Security Fixes

  • chore: merge cve fix branch
  • chore(deps): security vulnerabilities
  • chore: merge private branch with CVE fixes (appears twice)
  • chore: merge 2.9 into 3.6 + security vulnerabilities
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track juju

Get notified when new releases ship.

Sign up free

About juju

Orchestration engine that enables the deployment, integration and lifecycle management of applications at any scale, on any infrastructure (Kubernetes or otherwise).

All releases →

Related context

Beta — feedback welcome: [email protected]