Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
**Summary of changes**: - Patch nghttp2 to resolve [CVE-2024-30255](GHSA-j654-3ccm-vfmm) - Assorted fixes **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.27.4 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.27.4/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.27.4/version_history/v1.27/v1.27.4 **Full changelog**: v1.27.3...v1.27.4 Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: Yan Avlasov <yavlasov@google.com>
- Loading branch information
Showing
7 changed files
with
69 additions
and
14 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 1.27.4-dev | ||
| 1.27.4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| date: April 4, 2024 | ||
|
|
||
| bug_fixes: | ||
| - area: http2 | ||
| change: | | ||
| Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm). | ||
| new_features: | ||
| - area: google_grpc | ||
| change: | | ||
| Added an off-by-default runtime flag | ||
| ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3 | ||
| usage by gRPC SDK for ``google_grpc`` services. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| date: February 9, 2024 | ||
|
|
||
| minor_behavior_changes: | ||
| - area: access_log | ||
| change: | | ||
| When emitting grpc logs, only downstream filter state was used. Now, both downstream and upstream filter states will be tried | ||
| to find the keys configured in filter_state_objects_to_log. | ||
| bug_fixes: | ||
| - area: buffer | ||
| change: | | ||
| Fixed a bug (https://github.com/envoyproxy/envoy/issues/28760) that the internal listener causes an undefined | ||
| behavior due to the unintended release of the buffer memory. | ||
| - area: http | ||
| change: | | ||
| Fixed recursion when HTTP connection is disconnected due to a high number of premature resets. | ||
| - area: grpc | ||
| change: | | ||
| Fixed a bug in gRPC async client cache which intermittently causes CPU spikes due to busy loop in timer expiration. | ||
| - area: tracing | ||
| change: | | ||
| Fixed a bug where Datadog spans tagged as errors would not have the appropriate error property set. | ||
| - area: tracing | ||
| change: | | ||
| Fixed a bug where child spans produced by the Datadog tracer would have an incorrect operation name. | ||
| - area: tracing | ||
| change: | | ||
| Fixed a bug that caused the Datadog tracing extension to drop traces that | ||
| should be kept on account of an extracted sampling decision. | ||
| - area: proxy protocol | ||
| change: | | ||
| fixed a crash when Envoy is configured for PROXY protocol on both a listener and cluster, and the listener receives | ||
| a PROXY protocol header with address type LOCAL (typically used for health checks). | ||
| - area: proxy_protocol | ||
| change: | | ||
| Fix crash due to uncaught exception when the operating system does not support an address type (such as IPv6) that is | ||
| received in a proxy protocol header. Connections will instead be dropped/reset. | ||
| - area: proxy_protocol | ||
| change: | | ||
| Fixed a bug where TLVs with non utf8 characters were inserted as protobuf values into filter metadata circumventing | ||
| ext_authz checks when ``failure_mode_allow`` is set to ``true``. | ||
| - area: tls | ||
| change: | | ||
| Fix crash due to uncaught exception when the operating system does not support an address type (such as IPv6) that is | ||
| received in an mTLS client cert IP SAN. These SANs will be ignored. This applies only when using formatter | ||
| ``%DOWNSTREAM_PEER_IP_SAN%``. | ||
| - area: http | ||
| change: | | ||
| Fixed crash when HTTP request idle and per try timeouts occurs within backoff interval. | ||
| - area: url matching | ||
| change: | | ||
| Fixed excessive CPU utilization when using regex URL template matcher. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,30 +1,20 @@ | ||
| date: Pending | ||
| date: April 4, 2024 | ||
|
|
||
| behavior_changes: | ||
| # *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required* | ||
| - area: http2 | ||
| change: | | ||
| Discard the ``Host`` header if the ``:authority`` header was received to bring Envoy into compliance with | ||
| https://www.rfc-editor.org/rfc/rfc9113#section-8.3.1 This behavioral change can be reverted by setting runtime flag | ||
| ``envoy.reloadable_features.http2_discard_host_header`` to false. | ||
| minor_behavior_changes: | ||
| # *Changes that may cause incompatibilities for some users, but should not for most* | ||
|
|
||
| bug_fixes: | ||
| # *Changes expected to improve the state of the world and are unlikely to have negative effects* | ||
| - area: http2 | ||
| change: | | ||
| Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm). | ||
| removed_config_or_runtime: | ||
| # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>` | ||
|
|
||
| new_features: | ||
| - area: google_grpc | ||
| change: | | ||
| Added an off-by-default runtime flag | ||
| ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3 | ||
| usage by gRPC SDK for ``google_grpc`` services. | ||
| deprecated: |
Binary file not shown.
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,5 +19,5 @@ | |
| "1.23": 1.23.12 | ||
| "1.24": 1.24.12 | ||
| "1.25": 1.25.11 | ||
| "1.26": 1.26.7 | ||
| "1.27": 1.27.2 | ||
| "1.26": 1.26.8 | ||
| "1.27": 1.27.3 | ||