Commit
repo: Dev v1.25.10
Signed-off-by: Ryan Northey <ryan@synca.io>
phlax committed Jul 26, 2023
1 parent 7b2609e commit 6a7bd59
Showing 3 changed files with 52 additions and 35 deletions.
2 changes: 1 addition & 1 deletion VERSION.txt
@@ -1 +1 @@
1.25.9
1.25.10-dev
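Review bot: this single-line bump to `1.25.10-dev` lands in the same commit that finalizes the 1.25.9 changelog, so VERSION.txt at this commit no longer identifies the build that carries the four CVE fixes listed below; anyone auditing which fixes a deployed binary contains should key off the 1.25.9 release tag (expected at the parent commit 7b2609e) rather than on this file, and it would help to say so in the commit message, which currently reads only "repo: Dev v1.25.10".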
41 changes: 41 additions & 0 deletions changelogs/1.25.9.yaml
@@ -0,0 +1,41 @@
date: July 25, 2023

minor_behavior_changes:
- area: http
change: |
Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted
by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``.
bug_fixes:
- area: cors
change: |
Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between
request header decoding and response header encoding.
Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_.
- area: http
change: |
Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily
reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``.
Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_.
- area: opentelemetry/grpc/access log
change: |
Fixed a bug in the open telemetry access logger. This logger now uses the
server scope for stats instead of the listener's global scope. This fixes a
use-after-free that can occur if the listener is drained but the cached
gRPC access logger uses the listener's global scope for stats.
Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_.
- area: oauth2
change: |
Fixed a cookie validator bug that HMAC calculation could be same for different payloads.
This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.
Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_.
new_features:
- area: tls
change: |
Added FIPS compliant build for arm64.
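Review bot: "behaviorial" in both http entries should be "behavioral", and the oauth2 entry reads more clearly as "a cookie validator bug where the HMAC calculation could be the same for different payloads"; since this file becomes the published 1.25.9 release notes, this is the last point at which the wording can be corrected. Otherwise the content is in good shape for operators: each of the four bug_fixes entries links its advisory (CVE-2023-35943, CVE-2023-35944, CVE-2023-35942, CVE-2023-35941), and the two scheme-handling entries name the runtime guards (``envoy.reloadable_features.lowercase_scheme`` and ``envoy.reloadable_features.handle_uppercase_scheme``) that let a deployment revert the case-handling change if an upstream depends on the old behavior. One small inconsistency worth a glance: the file is dated July 25, 2023 while the commit landed Jul 26, which is fine if July 25 is the intended release date.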
44 changes: 10 additions & 34 deletions changelogs/current.yaml
@@ -1,41 +1,17 @@
date: July 25, 2023
date: Pending

behavior_changes:
# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

minor_behavior_changes:
- area: http
change: |
Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted
by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``.
# *Changes that may cause incompatibilities for some users, but should not for most*

bug_fixes:
- area: cors
change: |
Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between
request header decoding and response header encoding.
Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_.
- area: http
change: |
Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily
reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``.
Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_.
- area: opentelemetry/grpc/access log
change: |
Fixed a bug in the open telemetry access logger. This logger now uses the
server scope for stats instead of the listener's global scope. This fixes a
use-after-free that can occur if the listener is drained but the cached
gRPC access logger uses the listener's global scope for stats.
# *Changes expected to improve the state of the world and are unlikely to have negative effects*

Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_.
- area: oauth2
change: |
Fixed a cookie validator bug that HMAC calculation could be same for different payloads.
This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.
Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_.
removed_config_or_runtime:
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

new_features:
- area: tls
change: |
Added FIPS compliant build for arm64.

deprecated:
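Review bot: the rendered diff has lost its `+`/`-` prefixes, so this hunk shows the removed 1.25.9 entries interleaved with the retained section comments (for example the removed `Fix CVE-2023-35942` line appears after the `# *Changes expected to improve the state of the world ...*` comment, and `date: July 25, 2023` sits directly above `date: Pending`); read changelogs/1.25.9.yaml above as the authoritative copy rather than this view. The reset itself is the expected shape for a new dev cycle: every section (behavior_changes, minor_behavior_changes, bug_fixes, removed_config_or_runtime, new_features, deprecated) is left empty under `date: Pending` with its guidance comment intact. The one thing to verify is that the entries moved out of current.yaml are identical to those in 1.25.9.yaml, since any drift would mean the published release notes differ from what was reviewed here.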
