Skip to content

[bp/1.36] Security patches 25q4 #42374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
botengyao merged 4 commits into from
Dec 4, 2025
Merged

[bp/1.36] Security patches 25q4 #42374

botengyao merged 4 commits into from
Dec 4, 2025

Conversation

@phlax
Copy link
Member

@phlax phlax commented Dec 3, 2025
edited
Loading

  • Security fixes:
    • CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
    • CVE-2025-66220: TLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte
    • CVE-2025-64763: Potential request smuggling from early data after the CONNECT up|grade

@repokitteh-read-only
Copy link

repokitteh-read-only bot commented Dec 3, 2025

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).

🐱

Caused by: #42374 was opened by phlax.

see: more, trace.

botengyao
botengyao previously approved these changes Dec 3, 2025
View reviewed changes
yanavlasov and others added 4 commits December 3, 2025 19:43
@yanavlasov @phlax
tls: fix SAN validation for OTHERNAME types with embedded nulls
3f6856a 
Certificates with an OTHERNAME SAN using type `V_ASN1_UNIVERSALSTRING`
or `V_ASN1_BMPSTRING` with an embedded null would have the name
truncated at the first null, resulting in an incorrect check.

Signed-off-by: Greg Greenway <ggreenway@apple.com>
Signed-off-by: Yan Avlasov <yavlasov@google.com>
@botengyao @phlax
fix jwt_auth crash with two or more auth header
e02485a 
Signed-off-by: Boteng Yao <boteng@google.com>
@yanavlasov @phlax
Add option to reject early CONNECT data
dbfb697 
Signed-off-by: Yan Avlasov <yavlasov@google.com>
@phlax
changelogs/1.36.3: Add summary
45c32e1 
Signed-off-by: Ryan Northey <ryan@synca.io>
@phlax
Copy link
Member Author

phlax commented Dec 3, 2025

/retest

2 similar comments
@phlax
Copy link
Member Author

phlax commented Dec 3, 2025

/retest

@botengyao
Copy link
Member

botengyao commented Dec 4, 2025

/retest

@botengyao botengyao merged commit daefd2f into envoyproxy:release/v1.36 Dec 4, 2025
11 checks passed
@phlax
Copy link
Member Author

phlax commented Dec 4, 2025

PLEASE DO NOT MERGE PATCHES TO RELEASE BRANCHES

@botengyao
Copy link
Member

botengyao commented Dec 4, 2025

My bad, and it should be a stack ..

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@agrawroh agrawroh agrawroh approved these changes

@botengyao botengyao botengyao approved these changes

@tyxia tyxia Awaiting requested review from tyxia tyxia is a code owner

@yanavlasov yanavlasov Awaiting requested review from yanavlasov yanavlasov is a code owner

Assignees

@botengyao botengyao

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@phlax @botengyao @agrawroh @yanavlasov