Correction: Security release of Envoy 1.12.2 is now available


Yan Avlasov

Dec 10, 2019, 7:50:50 PM12/10/19
to envoy-a...@googlegroups.com, envo...@googlegroups.com, envoy...@googlegroups.com, envoy-security, Envoy-maintainers
Hello Envoy Community,
The previously sent announcement contained a typo in two CVE numbers. The correct CVE numbers are as follows:

  • CVE-2019-18801 (CVSS score 9.0, Critical): An untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1.

  • CVE-2019-18802 (CVSS score 7.5, High): A request header with trailing whitespace may cause route matchers or access controls to be bypassed, resulting in escalation of privileges or information disclosure.

  • CVE-2019-18838 (CVSS score 7.5, High): A malformed HTTP request without the Host header may cause abnormal termination of the Envoy process.
My apologies for any inconvenience.
Yan Avlasov (Google) (on behalf of the Envoy security team and maintainers) 
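The following is an added illustration, not Envoy code and not a description of how the Envoy fixes were implemented. It shows the general bug class behind CVE-2019-18802 and CVE-2019-18838 in a toy policy evaluator: an exact-match deny rule evaluated on a raw header value does not fire when the client appends trailing whitespace (which an HTTP parser will strip as RFC 7230 optional whitespace, so the upstream sees the clean value), while the same rule evaluated after normalization does; and a request with no Host header is rejected up front, since HTTP/1.1 requires one, instead of being passed to code that assumes it is present. The header name `x-tenant`, the deny rule and the sample requests are constructed for the example.

```python
from typing import Dict, List, Tuple

# RFC 7230 optional whitespace (OWS) that may surround a header field value.
OWS = " \t"

# Constructed deny rules for the example (not Envoy configuration):
# (header name, exact expected value, path prefix the rule protects).
DENY_RULES: List[Tuple[str, str, str]] = [
    ("x-tenant", "guest", "/admin"),
]


def normalize_header_value(value: str) -> str:
    """Strip leading and trailing OWS, as an HTTP parser does before use."""
    return value.strip(OWS)


def evaluate(headers: Dict[str, str], path: str, normalize: bool) -> str:
    """Return 'reject', 'deny' or 'allow' for one request.

    normalize=False mirrors a matcher comparing raw header bytes;
    normalize=True compares the value the upstream will actually see.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    # HTTP/1.1 requires a Host header (RFC 7230 section 5.4); fail closed
    # with a 400-style rejection rather than dereferencing a missing field.
    host = lowered.get("host")
    if host is None or normalize_header_value(host) == "":
        return "reject"

    for name, expected, prefix in DENY_RULES:
        got = lowered.get(name)
        if got is None:
            continue
        if normalize:
            got = normalize_header_value(got)
        if got == expected and path.startswith(prefix):
            return "deny"
    return "allow"


def demo() -> Dict[str, str]:
    """Constructed requests: one with trailing OWS, one with no Host."""
    whitespace_req = {"Host": "example.test", "X-Tenant": "guest \t"}
    no_host_req = {"X-Tenant": "guest"}
    return {
        # Raw comparison: "guest \t" != "guest", deny rule silently skipped.
        "raw": evaluate(whitespace_req, "/admin/users", normalize=False),
        # Normalized comparison: rule fires as intended.
        "normalized": evaluate(whitespace_req, "/admin/users", normalize=True),
        # Missing Host is rejected before any routing logic runs.
        "no_host": evaluate(no_host_req, "/admin/users", normalize=True),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The defensive point is the order of operations: normalize header values to the form the upstream will interpret before evaluating route matchers and access rules, and validate required fields such as Host at the edge so that malformed requests are answered with an error rather than reaching code paths that assume a well-formed message.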