Merge remote-tracking branch 'origin/release/v1.29' into release/v1.2…

…9-backportedfork
solo-io · Apr 10, 2024 · e2dab93 · e2dab93
2 parents 07d43f2 + 10e1e42
commit e2dab93
Show file tree

Hide file tree

Showing 37 changed files with 1,107 additions and 544 deletions.
diff --git a/.github/config.yml b/.github/config.yml
@@ -80,27 +80,8 @@ checks:
     - publish
     - verify
     required: true
-  windows:
-    name: Envoy/Windows
-    required: true
-    on-run:
-    - build-windows
 
 run:
-  build-windows:
-    paths:
-    - .bazelrc
-    - .bazelversion
-    - .github/config.yml
-    - api/**/*
-    - bazel/**/*
-    - ci/**/*
-    - configs/**/*
-    - contrib/**/*
-    - envoy/**/*
-    - source/**/*
-    - test/**/*
-    - VERSION.txt
   build-macos:
     paths:
     - .bazelrc

diff --git a/.github/workflows/envoy-windows.yml b/.github/workflows/envoy-windows.yml
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.29.2
+1.29.3
diff --git a/bazel/BUILD b/bazel/BUILD
@@ -481,6 +481,14 @@ config_setting(
     values = {"define": "boringssl=disabled"},
 )
 
+selects.config_setting_group(
+    name = "boringssl_fips_x86",
+    match_all = [
+        ":boringssl_fips",
+        "@platforms//cpu:x86_64",
+    ],
+)
+
 config_setting(
     name = "zlib_ng",
     constraint_values = [

diff --git a/bazel/envoy_library.bzl b/bazel/envoy_library.bzl
@@ -107,6 +107,7 @@ def envoy_cc_library(
         textual_hdrs = None,
         alwayslink = None,
         defines = [],
+        local_defines = [],
         linkopts = []):
     if tcmalloc_dep:
         deps += tcmalloc_external_deps(repository)
@@ -135,6 +136,7 @@ def envoy_cc_library(
         strip_include_prefix = strip_include_prefix,
         include_prefix = include_prefix,
         defines = envoy_mobile_defines(repository) + defines,
+        local_defines = local_defines,
     )
 
     # Intended for usage by external consumers. This allows them to disambiguate

diff --git a/bazel/external/quiche.BUILD b/bazel/external/quiche.BUILD
@@ -44,7 +44,6 @@ src_files = glob([
 test_suite(
     name = "ci_tests",
     tests = [
-        "http2_adapter_callback_visitor_test",
         "http2_adapter_event_forwarder_test",
         "http2_adapter_header_validator_test",
         "http2_adapter_impl_comparison_test",
@@ -81,6 +80,7 @@ envoy_cc_library(
     srcs = ["quiche/http2/adapter/callback_visitor.cc"],
     hdrs = ["quiche/http2/adapter/callback_visitor.h"],
     copts = quiche_copts,
+    local_defines = ["NGHTTP2_16"],
     repository = "@envoy",
     deps = [
         ":http2_adapter_http2_util",
@@ -92,22 +92,6 @@ envoy_cc_library(
     ],
 )
 
-envoy_cc_test(
-    name = "http2_adapter_callback_visitor_test",
-    srcs = ["quiche/http2/adapter/callback_visitor_test.cc"],
-    copts = quiche_copts,
-    repository = "@envoy",
-    deps = [
-        ":http2_adapter_callback_visitor",
-        ":http2_adapter_mock_nghttp2_callbacks",
-        ":http2_adapter_nghttp2_adapter",
-        ":http2_adapter_nghttp2_test_utils",
-        ":http2_adapter_test_frame_sequence",
-        ":http2_adapter_test_utils",
-        ":quiche_common_platform_test",
-    ],
-)
-
 envoy_cc_library(
     name = "http2_adapter_data_source",
     hdrs = ["quiche/http2/adapter/data_source.h"],

diff --git a/bazel/foreign_cc/BUILD b/bazel/foreign_cc/BUILD
@@ -480,8 +480,8 @@ envoy_cmake(
     name = "nghttp2",
     cache_entries = {
         "ENABLE_LIB_ONLY": "on",
-        "ENABLE_SHARED_LIB": "off",
-        "ENABLE_STATIC_LIB": "on",
+        "BUILD_SHARED_LIBS": "off",
+        "BUILD_STATIC_LIBS": "on",
         "CMAKE_INSTALL_LIBDIR": "lib",
         "CMAKE_CXX_COMPILER_FORCED": "on",
     },

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -489,12 +489,12 @@ REPOSITORY_LOCATIONS_SPEC = dict(
         project_name = "Nghttp2",
         project_desc = "Implementation of HTTP/2 and its header compression algorithm HPACK in C",
         project_url = "https://nghttp2.org",
-        version = "1.58.0",
-        sha256 = "9ebdfbfbca164ef72bdf5fd2a94a4e6dfb54ec39d2ef249aeb750a91ae361dfb",
+        version = "1.61.0",
+        sha256 = "aa7594c846e56a22fbf3d6e260e472268808d3b49d5e0ed339f589e9cc9d484c",
         strip_prefix = "nghttp2-{version}",
         urls = ["https://github.com/nghttp2/nghttp2/releases/download/v{version}/nghttp2-{version}.tar.gz"],
         use_category = ["controlplane", "dataplane_core"],
-        release_date = "2023-10-27",
+        release_date = "2024-04-04",
         cpe = "cpe:2.3:a:nghttp2:nghttp2:*",
         license = "MIT",
         license_url = "https://github.com/nghttp2/nghttp2/blob/v{version}/LICENSE",

diff --git a/changelogs/1.26.8.yaml b/changelogs/1.26.8.yaml
@@ -0,0 +1,13 @@
+date: April 4, 2024
+
+bug_fixes:
+- area: http2
+  change: |
+    Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm).
+
+new_features:
+- area: google_grpc
+  change: |
+    Added an off-by-default runtime flag
+    ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
+    usage by gRPC SDK for ``google_grpc`` services.
diff --git a/changelogs/1.27.4.yaml b/changelogs/1.27.4.yaml
@@ -0,0 +1,20 @@
+date: April 4, 2024
+
+behavior_changes:
+- area: http2
+  change: |
+    Discard the ``Host`` header if the ``:authority`` header was received to bring Envoy into compliance with
+    https://www.rfc-editor.org/rfc/rfc9113#section-8.3.1 This behavioral change can be reverted by setting runtime flag
+    ``envoy.reloadable_features.http2_discard_host_header`` to false.
+
+bug_fixes:
+- area: http2
+  change: |
+    Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm).
+
+new_features:
+- area: google_grpc
+  change: |
+    Added an off-by-default runtime flag
+    ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
+    usage by gRPC SDK for ``google_grpc`` services.
diff --git a/changelogs/1.28.2.yaml b/changelogs/1.28.2.yaml
@@ -0,0 +1,29 @@
+date: April 4, 2024
+
+behavior_changes:
+- area: http2
+  change: |
+    Discard the ``Host`` header if the ``:authority`` header was received to bring Envoy into compliance with
+    https://www.rfc-editor.org/rfc/rfc9113#section-8.3.1 This behavioral change can be reverted by setting runtime flag
+    ``envoy.reloadable_features.http2_discard_host_header`` to false.
+
+minor_behavior_changes:
+- area: http
+  change: |
+    Enable obsolete line folding in BalsaParser (for behavior parity with http-parser, the
+    previously used HTTP/1 parser).
+
+bug_fixes:
+- area: jwt_authn
+  change: |
+    Fixed JWT extractor, which concatenated headers with a comma, resultig in invalid tokens.
+- area: http2
+  change: |
+    Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm).
+
+new_features:
+- area: google_grpc
+  change: |
+    Added an off-by-default runtime flag
+    ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
+    usage by gRPC SDK for ``google_grpc`` services.
diff --git a/changelogs/1.29.2.yaml b/changelogs/1.29.2.yaml
@@ -0,0 +1,20 @@
+date: March 7, 2024
+
+behavior_changes:
+- area: http2
+  change: |
+    Changes the default value of ``envoy.reloadable_features.http2_use_oghttp2`` to ``false``. This changes the codec used for HTTP/2
+    requests and responses. A number of users have reported issues with oghttp2 including issue 32611 and issue 32401 This behavior
+    can be reverted by setting the feature to ``true``.
+
+bug_fixes:
+- area: jwt_authn
+  change: |
+    Fixed JWT extractor, which concatenated headers with a comma, resultig in invalid tokens.
+
+new_features:
+- area: google_grpc
+  change: |
+    Added an off-by-default runtime flag
+    ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
+    usage by gRPC SDK for ``google_grpc`` services.