ReleasePort's take
Moderate signal

Grafana Loki v3.6.11 patches CVEs via AWS S3 SDK v1.97.3 and OpenTelemetry SDK v1.43.0 updates. S3 Object Lock buckets gain SHA-256 checksum verification.
Why it matters: Security dependency updates to v1.97.3 (AWS S3) and v1.43.0 (OpenTelemetry) address CVEs. Patch to v3.6.11 for environments using these integrations.
Summary
AI summary: Fixed CVEs by updating AWS SDK and OpenTelemetry dependencies.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium | CVEs fixed in 3.6.x release branch | — |
| Security | Medium | AWS S3 SDK updated to v1.97.3 for security | — |
| Security | Medium | OpenTelemetry SDK updated to v1.43.0 for security | — |
| Bugfix | Medium | SHA-256 checksum attached for S3 Object Lock buckets | — |

Source (all rows): llm_adapter@2026-05-21. Confidence: low.
Full changelog
3.6.11 (2026-05-13)
Bug Fixes
- CVEs in release 3.6.x (#21773) (1fe3b6d)
- deps: update module github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3 [security] (release-3.6.x) (#21459) (11c1d07)
- deps: update module go.opentelemetry.io/otel/sdk to v1.43.0 [security] (release-3.6.x) (#21480) (47fb29e)
- storage: attach SHA-256 checksum on PutObject for Object Lock buckets (#21848) (2a7c34c)
Security Fixes
- dep: Updated github.com/aws/aws-sdk-go-v2/service/s3 to v1.97.3 (CVE addressed)
- dep: Updated go.opentelemetry.io/otel/sdk to v1.43.0 (CVE addressed)