security: Bump Envoy versions to address CVEs

hashicorp · Feb 12, 2024 · 7217763 · 7217763
1 parent ec76090
commit 7217763
Show file tree

Hide file tree

Showing 9 changed files with 24 additions and 21 deletions.
diff --git a/.changelog/20589.txt b/.changelog/20589.txt
@@ -0,0 +1,3 @@
+```release-note:security
+mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), and [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```
diff --git a/.github/workflows/nightly-test-integrations-1.16.x.yml b/.github/workflows/nightly-test-integrations-1.16.x.yml
@@ -74,9 +74,9 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
+          # envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
           # xds-target: ["server", "client"]
-          TOTAL_RUNNERS: 4 
+          TOTAL_RUNNERS: 8
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
         run: |
           NUM_RUNNERS=$TOTAL_RUNNERS
@@ -109,7 +109,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
+        envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

diff --git a/.github/workflows/nightly-test-integrations-1.17.x.yml b/.github/workflows/nightly-test-integrations-1.17.x.yml
@@ -74,7 +74,7 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+          # envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
           # xds-target: ["server", "client"]
           TOTAL_RUNNERS: 4 
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -109,7 +109,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
+        envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

diff --git a/.github/workflows/nightly-test-integrations.yml b/.github/workflows/nightly-test-integrations.yml
@@ -71,9 +71,9 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the 
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+          # envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
           # xds-target: ["server", "client"]
-          TOTAL_RUNNERS: 4 
+          TOTAL_RUNNERS: 8
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
         run: |
           NUM_RUNNERS=$TOTAL_RUNNERS
@@ -106,7 +106,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
+        envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

diff --git a/.github/workflows/test-integrations-windows.yml b/.github/workflows/test-integrations-windows.yml
@@ -62,7 +62,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: [ "1.28.0" ]
+        envoy-version: [ "1.28.1" ]
         xds-target: [ "server", "client" ]
     env:
       ENVOY_VERSION: ${{ matrix.envoy-version }}

diff --git a/.github/workflows/test-integrations.yml b/.github/workflows/test-integrations.yml
@@ -270,7 +270,7 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 2 based on these values:
-          # envoy-version: ["1.28.0"]
+          # envoy-version: ["1.28.1"]
           # xds-target: ["server", "client"]
           TOTAL_RUNNERS: 4
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@@ -305,7 +305,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.28.0"]
+        envoy-version: ["1.28.1"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:
@@ -395,7 +395,7 @@ jobs:
       id-token: write # NOTE: this permission is explicitly required for Vault auth.
       contents: read
     env:
-      ENVOY_VERSION: "1.28.0"
+      ENVOY_VERSION: "1.28.1"
       CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi"
     steps:
       - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

diff --git a/envoyextensions/xdscommon/envoy_versioning_test.go b/envoyextensions/xdscommon/envoy_versioning_test.go
@@ -152,9 +152,9 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 	*/
 	for _, v := range []string{
 		"1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
-		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6",
-		"1.27.0", "1.27.1", "1.27.2",
-		"1.28.0",
+		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6", "1.26.7",
+		"1.27.0", "1.27.1", "1.27.2", "1.27.3",
+		"1.28.0", "1.28.1",
 	} {
 		cases[v] = testcase{expect: SupportedProxyFeatures{}}
 	}

diff --git a/envoyextensions/xdscommon/proxysupport.go b/envoyextensions/xdscommon/proxysupport.go
@@ -12,9 +12,9 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
-	"1.28.0",
-	"1.27.2",
-	"1.26.6",
+	"1.28.1",
+	"1.27.3",
+	"1.26.7",
 	"1.25.11",
 }
 

diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx
@@ -39,9 +39,9 @@ Consul supports **four major Envoy releases** at the beginning of each major Con
 
 | Consul Version      | Compatible Envoy Versions                                                          |
 | ------------------- | -----------------------------------------------------------------------------------|
-| 1.18.x              | 1.28.0, 1.27.2, 1.26.6, 1.25.11                                                    |
-| 1.17.x              | 1.27.2, 1.26.6, 1.25.11, 1.24.12                                                   |
-| 1.16.x              | 1.26.6, 1.25.11, 1.24.12, 1.23.12                                                  |
+| 1.18.x              | 1.28.1, 1.27.3, 1.26.7, 1.25.11                                                    |
+| 1.17.x              | 1.27.3, 1.26.7, 1.25.11, 1.24.12                                                   |
+| 1.16.x              | 1.26.7, 1.25.11, 1.24.12, 1.23.12                                                  |
 
 ### Envoy and Consul Dataplane