Skip to content

Commit

Permalink
repo: Release v1.29.9
Browse files Browse the repository at this point in the history
**Summary of changes**

[CVE-2024-45808](GHSA-p222-xhp9-39rc): Malicious log injection via access logs
[CVE-2024-45806](GHSA-ffhv-fvxq-r6mf): Potential manipulate `x-envoy` headers from external sources
[CVE-2024-45809](GHSA-wqr5-qmq7-3qw3): Jwt filter crash in the clear route cache with remote JWKs
[CVE-2024-45810](GHSA-qm74-x36m-555q): Envoy crashes for LocalReply in http async client

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.29.9
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.29.9/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.29.9/version_history/v1.29/v1.29.9
**Full changelog**:
    v1.29.8...v1.29.9

Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>

Signed-off-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>
  • Loading branch information
publish-envoy[bot] authored and phlax committed Sep 19, 2024
1 parent 4c4927e commit 94aa5f7
Show file tree
Hide file tree
Showing 6 changed files with 26 additions and 14 deletions.
2 changes: 1 addition & 1 deletion VERSION.txt
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.29.9-dev
1.29.9
22 changes: 22 additions & 0 deletions changelogs/1.28.7.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
date: September 19, 2024

behavior_changes:
- area: http
change: |
The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary ``x-envoy``
headers) please explictily include those addresses or CIDR ranges into :ref:`internal_address_config
<envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
See the config examples from the above ``internal_address_config`` link. This default no trust internal address can be turned on by
setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
minor_behavior_changes:
- area: access_log
change: |
Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
bug_fixes:
- area: http_async_client
change: |
Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
12 changes: 1 addition & 11 deletions changelogs/current.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
date: Pending
date: September 19, 2024

behavior_changes:
# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
- area: http
change: |
The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
Expand All @@ -12,14 +11,12 @@ behavior_changes:
setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
minor_behavior_changes:
# *Changes that may cause incompatibilities for some users, but should not for most*
- area: access_log
change: |
Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
bug_fixes:
# *Changes expected to improve the state of the world and are unlikely to have negative effects*
- area: jwt
change: |
Fixed a bug where using ``clear_route_cache`` with remote JWKs works
Expand All @@ -28,10 +25,3 @@ bug_fixes:
- area: http_async_client
change: |
Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
removed_config_or_runtime:
# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

new_features:

deprecated:
Binary file modified docs/inventories/v1.28/objects.inv
Binary file not shown.
Binary file modified docs/inventories/v1.29/objects.inv
Binary file not shown.
4 changes: 2 additions & 2 deletions docs/versions.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,5 @@
"1.25": 1.25.11
"1.26": 1.26.8
"1.27": 1.27.7
"1.28": 1.28.6
"1.29": 1.29.7
"1.28": 1.28.7
"1.29": 1.29.8

0 comments on commit 94aa5f7

Please sign in to comment.