-
Notifications
You must be signed in to change notification settings - Fork 4.7k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Ryan Northey <ryan@synca.io>
- Loading branch information
Showing
3 changed files
with
52 additions
and
35 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 1.25.9 | ||
| 1.25.10-dev |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| date: July 25, 2023 | ||
|
|
||
| minor_behavior_changes: | ||
| - area: http | ||
| change: | | ||
| Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted | ||
| by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``. | ||
| bug_fixes: | ||
| - area: cors | ||
| change: | | ||
| Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between | ||
| request header decoding and response header encoding. | ||
| Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_. | ||
| - area: http | ||
| change: | | ||
| Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily | ||
| reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``. | ||
| Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_. | ||
| - area: opentelemetry/grpc/access log | ||
| change: | | ||
| Fixed a bug in the open telemetry access logger. This logger now uses the | ||
| server scope for stats instead of the listener's global scope. This fixes a | ||
| use-after-free that can occur if the listener is drained but the cached | ||
| gRPC access logger uses the listener's global scope for stats. | ||
| Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_. | ||
| - area: oauth2 | ||
| change: | | ||
| Fixed a cookie validator bug that HMAC calculation could be same for different payloads. | ||
| This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios. | ||
| Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_. | ||
| new_features: | ||
| - area: tls | ||
| change: | | ||
| Added FIPS compliant build for arm64. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,41 +1,17 @@ | ||
| date: July 25, 2023 | ||
| date: Pending | ||
|
|
||
| behavior_changes: | ||
| # *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* | ||
|
|
||
| minor_behavior_changes: | ||
| - area: http | ||
| change: | | ||
| Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted | ||
| by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``. | ||
| # *Changes that may cause incompatibilities for some users, but should not for most* | ||
|
|
||
| bug_fixes: | ||
| - area: cors | ||
| change: | | ||
| Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between | ||
| request header decoding and response header encoding. | ||
| Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_. | ||
| - area: http | ||
| change: | | ||
| Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily | ||
| reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``. | ||
| Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_. | ||
| - area: opentelemetry/grpc/access log | ||
| change: | | ||
| Fixed a bug in the open telemetry access logger. This logger now uses the | ||
| server scope for stats instead of the listener's global scope. This fixes a | ||
| use-after-free that can occur if the listener is drained but the cached | ||
| gRPC access logger uses the listener's global scope for stats. | ||
| # *Changes expected to improve the state of the world and are unlikely to have negative effects* | ||
|
|
||
| Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_. | ||
| - area: oauth2 | ||
| change: | | ||
| Fixed a cookie validator bug that HMAC calculation could be same for different payloads. | ||
| This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios. | ||
| Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_. | ||
| removed_config_or_runtime: | ||
| # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>` | ||
|
|
||
| new_features: | ||
| - area: tls | ||
| change: | | ||
| Added FIPS compliant build for arm64. | ||
|
|
||
| deprecated: |