[release/1.25] repo: Release v1.25.9 #28499

Merged
merged 4 commits into from
Jul 26, 2023
2 changes: 1 addition & 1 deletion VERSION.txt
@@ -1 +1 @@
1.25.9-dev
1.25.9
36 changes: 36 additions & 0 deletions changelogs/1.23.12.yaml
@@ -0,0 +1,36 @@
date: July 25, 2023

minor_behavior_changes:
- area: http
change: |
Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted
by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``.

bug_fixes:
- area: cors
change: |
Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between
request header decoding and response header encoding.

Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_.
- area: opentelemetry/grpc/access log
change: |
Fixed a bug in the open telemetry access logger. This logger now uses the
server scope for stats instead of the listener's global scope. This fixes a
use-after-free that can occur if the listener is drained but the cached
gRPC access logger uses the listener's global scope for stats.

Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_.
- area: oauth2
change: |
Fixed a cookie validator bug that meant the HMAC calculation could be the same for different payloads.

This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.

Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_.
- area: http
change: |
Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily
reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``.

Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_.
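Review bot: the http bug_fixes entry offers ``envoy.reloadable_features.handle_uppercase_scheme`` as a way to revert the CVE-2023-35944 fix without saying that doing so re-opens the advisory; add a sentence that the runtime guard is a short-term compatibility escape hatch and that deployments which set it to ``false`` remain exposed to CVE-2023-35944 (the same applies to ``envoy.reloadable_features.lowercase_scheme`` in the minor_behavior_changes entry). Also, "behaviorial" appears in both of those entries and should be "behavioral", and the cors entry opens with "Fix a use-after-free" where the other entries use "Fixed".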
41 changes: 41 additions & 0 deletions changelogs/1.24.10.yaml
@@ -0,0 +1,41 @@
date: July 25, 2023

minor_behavior_changes:
- area: http
change: |
Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted
by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``.

bug_fixes:
- area: cors
change: |
Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between
request header decoding and response header encoding.

Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_.
- area: http
change: |
Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily
reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``.

Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_.
- area: opentelemetry/grpc/access log
change: |
Fixed a bug in the open telemetry access logger. This logger now uses the
server scope for stats instead of the listener's global scope. This fixes a
use-after-free that can occur if the listener is drained but the cached
gRPC access logger uses the listener's global scope for stats.

Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_.
- area: oauth2
change: |
Fixed a cookie validator bug that HMAC caluation could be same for different payloads.

This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.

Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_.

new_features:
- area: tls
change: |
Added FIPS compliant build for arm64.
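Review bot: the oauth2 entry "Fixed a cookie validator bug that HMAC caluation could be same for different payloads." has a misspelling ("caluation") and is ungrammatical; use the wording from changelogs/1.23.12.yaml in this same PR, "Fixed a cookie validator bug that meant the HMAC calculation could be the same for different payloads." The two "behaviorial" occurrences (minor_behavior_changes and the http bug fix) should be "behavioral". The new_features tls entry, "Added FIPS compliant build for arm64.", would be more useful to operators auditing FIPS mode if it named what the FIPS build is based on and how it is selected.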
23 changes: 12 additions & 11 deletions changelogs/current.yaml
@@ -1,40 +1,41 @@
date: Pending

behavior_changes:
# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
date: July 25, 2023

minor_behavior_changes:
# *Changes that may cause incompatibilities for some users, but should not for most*
- area: http
change: |
Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted
by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``.

bug_fixes:
# *Changes expected to improve the state of the world and are unlikely to have negative effects*
- area: cors
change: |
Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between
request header decoding and response header encoding.

Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_.
- area: http
change: |
Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily
reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``.

Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_.
- area: opentelemetry/grpc/access log
change: |
Fixed a bug in the open telemetry access logger. This logger now uses the
server scope for stats instead of the listener's global scope. This fixes a
use-after-free that can occur if the listener is drained but the cached
gRPC access logger uses the listener's global scope for stats.

Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_.
- area: oauth2
change: |
Fixed a cookie validator bug that meant the HMAC calculation could be the same for different payloads.
Fixed a cookie validator bug that HMAC calculation could be same for different payloads.

This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.

removed_config_or_runtime:
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_.

new_features:

deprecated:
- area: tls
change: |
Added FIPS compliant build for arm64.
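Review bot: the oauth2 entry appears here in two wordings, "that meant the HMAC calculation could be the same for different payloads" and "that HMAC calculation could be same for different payloads"; the rendered view does not show which line is the addition, but the line that lands in the file should be the grammatical first form, matching changelogs/1.23.12.yaml in this PR. Separately, this hunk replaces "date: Pending" with "date: July 25, 2023" and drops the removed_config_or_runtime and deprecated section headers together with their template comments; if current.yaml is meant to remain the pending-changelog template after this release, the follow-up dev bump needs to restore those headers and the Pending date.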
Binary file modified docs/inventories/v1.23/objects.inv
Binary file modified docs/inventories/v1.24/objects.inv
Binary file modified docs/inventories/v1.25/objects.inv
6 changes: 3 additions & 3 deletions docs/versions.yaml
Expand Up @@ -16,6 +16,6 @@
"1.20": 1.20.7
"1.21": 1.21.6
"1.22": 1.22.11
"1.23": 1.23.11
"1.24": 1.24.9
"1.25": 1.25.7
"1.23": 1.23.12
"1.24": 1.24.10
"1.25": 1.25.8
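Review bot: "1.25" is bumped to 1.25.8 while VERSION.txt in this same PR becomes 1.25.9, whereas the "1.23" and "1.24" entries are bumped to 1.23.12 and 1.24.10, exactly the versions whose changelogs this PR adds; please confirm that 1.25.8 rather than 1.25.9 is intended here (for example, if this file is meant to point at the previously published docs for the branch being released), so the docs inventory does not silently lag the security release by one version.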