From 318a575919a50c9deafe7f72932aa36cdb1f0a34 Mon Sep 17 00:00:00 2001 From: lsviben Date: Wed, 24 Jun 2026 12:45:05 +0200 Subject: [PATCH 1/2] docs: add UXP release notes for v2.3.3-up.1, v2.2.3-up.1, v2.1.7-up.1, v2.0.8-up.3, v1.20.10-up.1 --- docs/reference/release-notes/uxp.md | 58 +++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/docs/reference/release-notes/uxp.md b/docs/reference/release-notes/uxp.md index 4944e8d6..7da3f69b 100644 --- a/docs/reference/release-notes/uxp.md +++ b/docs/reference/release-notes/uxp.md 
@@ -14,6 +14,64 @@ Any important warnings or necessary information - User-facing changes --> +## v2.3.3-up.1 + +### Release Date: 2026-06-24 + +#### What's Changed + +Based on Crossplane [v2.3.3](https://github.com/crossplane/crossplane/releases/tag/v2.3.3). + +- **Fixed package signature verification TOCTOU** (GHSA-mf7q-r4rv-jv94): A time-of-check-to-time-of-use flaw could let a malicious OCI registry pass signature verification with a signed image and then serve unsigned content for installation. Fixed via crossplane-runtime v2.3.3. +- **Fixed `crossplane render` regressions**: Render now honors input XR schema, returns requirements even on fatal errors, and sets the namespace only for cluster-scoped XRs. +- Security dep bumps: Go 1.25.11, `golang.org/x/net`, `golang.org/x/sys`, `containerd` → v1.7.33 + +## v2.2.3-up.1 + +### Release Date: 2026-06-24 + +#### What's Changed + +Based on Crossplane [v2.2.3](https://github.com/crossplane/crossplane/releases/tag/v2.2.3). + +- **Fixed package signature verification TOCTOU** (GHSA-wfqx-gjrf-g28r): A time-of-check-to-time-of-use flaw could let a malicious OCI registry pass signature verification with a signed image and then serve unsigned content for installation. +- Security dep bumps: Go 1.25.11, `golang.org/x/net` → v0.55.0, `crossplane-runtime` → v2.2.3, `containerd` → v1.7.33 + +## v2.1.7-up.1 + +### Release Date: 2026-06-24 + +#### What's Changed + +Based on Crossplane [v2.1.7](https://github.com/crossplane/crossplane/releases/tag/v2.1.7). + +- Security dep bumps: Go 1.25.11, `golang.org/x/net` → v0.55.0, `quic-go` → v0.59.1, `crossplane-runtime` → v2.1.7, `containerd` → v1.7.33 +- Bumped `uxp-apollo` to v0.2.18 for security fixes in `golang.org/x/crypto`, `x/net`, `x/sys`, `go-chi/chi` + +## v2.0.8-up.3 + +### Release Date: 2026-06-24 + +#### What's Changed + +UXP-only security patch (upstream Crossplane has ended support for the v2.0 line, but UXP continues to support it). 
+ +- Bumped Go to 1.25.11 and `golang.org/x/crypto`, `x/net` for CVEs +- Bumped `crossplane-runtime` to v2.0.9 for security fixes in `golang.org/x/net`, `x/sys`, `go.opentelemetry.io/otel` +- Bumped `uxp-apollo` to v0.2.18 for security fixes in `golang.org/x/crypto`, `x/net`, `x/sys`, `go-chi/chi` +- Security: bumped `containerd` → v1.7.33 + +## v1.20.10-up.1 + +### Release Date: 2026-06-24 + +#### What's Changed + +Based on Crossplane [v1.20.10](https://github.com/crossplane/crossplane/releases/tag/v1.20.10). + +- Security dep bumps: Go 1.25.11, `golang.org/x/net` → v0.55.0, `crossplane-runtime` → v1.20.10, `mongo-driver` → v1.17.7 +- Fixed UXP "-up.N" suffix being treated as semver prerelease in the binary's internal version + ## v2.3.1-up.1 ### Release Date: 2026-06-05 From 3ec05ec592d505d0467aa21b0d9274a516fab3a0 Mon Sep 17 00:00:00 2001 From: lsviben Date: Wed, 24 Jun 2026 12:55:03 +0200 Subject: [PATCH 2/2] docs: refresh helm chart values reference for v2.3.3-up.1 --- docs/reference/uxp-helm-reference.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/reference/uxp-helm-reference.md b/docs/reference/uxp-helm-reference.md index 3f2b310f..7d9d5a0c 100644 --- a/docs/reference/uxp-helm-reference.md +++ b/docs/reference/uxp-helm-reference.md 
@@ -153,7 +153,7 @@ This reference provides detailed documentation on the UXP Helm chart. This Helm | image.ignoreTag | bool | `false` | Do not use the {{ .image.tag }} value to compute the image uri. | | image.pullPolicy | string | `"IfNotPresent"` | The image pull policy used for Crossplane and RBAC Manager pods. | | image.repository | string | `"xpkg.upbound.io/upbound/crossplane"` | Repository for the Crossplane pod image. | -| image.tag | string | `"v2.3.1-up.1"` | The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`. | +| image.tag | string | `"v2.3.3-up.1"` | The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`. | | imagePullSecrets | list | `[]` | The imagePullSecret names to add to the Crossplane ServiceAccount. | | leaderElection | bool | `true` | Enable [leader election](https://docs.crossplane.io/latest/guides/pods/#leader-election) for the Crossplane pod. | | metrics.enabled | bool | `true` | Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods. | @@ -336,10 +336,8 @@ This reference provides detailed documentation on the UXP Helm chart. This Helm | webui.topologySpreadConstraints | list | `[]` | Add `topologySpreadConstraints` to the webui pod deployment. | - -
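Review bot: the same TOCTOU fix is described under v2.3.3-up.1 and v2.2.3-up.1 with two different advisory IDs (GHSA-mf7q-r4rv-jv94 and GHSA-wfqx-gjrf-g28r); confirm that both IDs are correct for their respective lines, or collapse them to the single advisory, since a wrong ID sends readers to the wrong page. The v2.2.3-up.1 bullet also drops the "Fixed via crossplane-runtime" sentence that the v2.3.3-up.1 bullet has, while its dep-bump line shows `crossplane-runtime` → v2.2.3; state where the fix lands in both entries. The v2.1.7-up.1 and v1.20.10-up.1 entries bump `crossplane-runtime` too but say nothing about the package signature verification flaw; either add the same bullet there or state that those lines are not affected, so operators on older lines know whether they need to upgrade. Minor: the v2.3.3-up.1 dep-bump line lists `golang.org/x/net` and `golang.org/x/sys` without versions where every other entry gives them, and the new v1.20.10-up.1 block lands above the existing v2.3.1-up.1 block, which is consistent with date ordering but not with version ordering; confirm which convention the file follows.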
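Review bot: the only change in this hunk is the `image.tag` default from `v2.3.1-up.1` to `v2.3.3-up.1`, and the row itself says the value defaults to `appVersion` in `Chart.yaml`; check that the chart's `appVersion` was bumped in the same release so the documented default matches what an install actually pulls, and consider regenerating this table from the chart's values file rather than hand-editing it, since a single hand-edited row is easy to miss on the next release.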
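Review bot: this hunk only removes two trailing blank lines after the `webui.topologySpreadConstraints` row, which is unrelated to the version refresh named in the subject; harmless, but make sure the file still ends with a single newline so the diff stays whitespace-clean.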