[Zero day] zero day for users of Envoy's datadog tracer

Alyssa Wilk

unread,

Jun 25, 2024, 4:02:56 PM (8 days ago) Jun 25

to envoy-security, envoy-a...@googlegroups.com, Envoy-maintainers, Envoy Users, envoy-dev

Hello Envoy Community,

We are announcing an upcoming release for a zero day crash in the datadog library from datadog builds dd-tra...@v0.1.12 and onwards. We believe this affects Envoy builds 1.29 and following. We are working as fast as we can to generate releases using the fixed version of datadog libraries.

We will email as soon as the patch releases are available. Please note that this bug only affects users of Envoy’s datadog tracer, so if you’re not using that extensions you can safely disregard the following emails.

Thanks,

Alyssa (on behalf of the Envoy security team)

Alyssa Wilk

unread,

Jun 25, 2024, 4:11:10 PM (8 days ago) Jun 25

to envoy-security, envoy-a...@googlegroups.com, Envoy-maintainers, Envoy Users, envoy-dev, envoy-secur...@googlegroups.com, cncf-envoy-distr...@lists.cncf.io

Alyssa Wilk

unread,

Jun 26, 2024, 9:14:00 AM (8 days ago) Jun 26

to cncf-envoy-distr...@lists.cncf.io, envoy-security, envoy-a...@googlegroups.com, Envoy-maintainers, Envoy Users, envoy-dev, envoy-secur...@googlegroups.com

Hello Envoy Community,

Envoy releases v1.29.6 and v1.30.3 are now available to address security advisory GHSA-8mq4-c2v5-3h39

We encourage users of the datadog tracer using 1.29 and 1.30 to update their Envoy binaries as soon as possible.

Best,

Alyssa

On Tue, Jun 25, 2024 at 4:11 PM Alyssa Wilk via lists.cncf.io <alyssar=googl...@lists.cncf.io> wrote:

On Tue, Jun 25, 2024 at 4:02 PM Alyssa Wilk <aly...@google.com> wrote:

_._,_._,_

Links:
You receive all messages sent to this group.
View/Reply Online (#106) | Reply To Group | Reply To Sender | Mute This Topic | New Topic
Your Subscription | Contact Group Owner | Unsubscribe [aly...@google.com]

_._,_._,_

Reply all

Reply to author

Forward