v1.35.13
repo: Release v1.35.13
Summary of changes:
Security fixes:
- CVE-2026-47207: ext_proc response in one gRPC message
- CVE-2026-47221: router internal redirects crash
- CVE-2026-47775: OAuth2 code verifier padding oracle
- CVE-2026-48044: zstd RLE zip bomb
- CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
- CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
- CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
- CVE-2026-48042: Stack overflow in destructor of highly nested JSON
- CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
- CVE-2026-48497: DNS filter abnormal process termination on long query name
- CVE-2026-48743: HTTP/3 headers-only request/response content-length not validated
- CVE-2026-48706: TcpStatsdSync buffer overflow with large stats name
- GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding
Upstream security fixes:
- CVE-2026-47261: wasm: bumped com_github_wasmtime to resolve CVE-2026-47261.
Behavior changes:
- build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.
Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.13
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.13/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.13/version_history/v1.35/v1.35.13
Full changelog:
v1.35.12...v1.35.13
Signed-off-by: Ryan Northey ryan@synca.io