Hello Envoy Community,
The Envoy security team would like to announce the availability of Envoy versions 1.15.1, 1.14.5, 1.13.6, and 1.12.7.
This addresses the following CVE(s):
* CVE-2020-25017 (CVSS score 6.5, Medium): Incorrect handling of duplicate HTTP headers
Upgrading to 1.15.1, 1.14.5, 1.13.6, or 1.12.7 is encouraged to fix this issue.
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.15.1
Docker images: docker pull envoyproxy/envoy:v1.15.1
Text release notes can be found here
Expect a follow-up email tomorrow with links to release notes and docs for 1.15.1.
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.14.5
Docker images: docker pull envoyproxy/envoy:v1.14.5
Release notes: https://www.envoyproxy.io/docs/envoy/v1.14.5/intro/version_history
Docs: https://www.envoyproxy.io/docs/envoy/v1.14.5/
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.13.6
Docker images: docker pull envoyproxy/envoy:v1.13.6
Release notes: https://www.envoyproxy.io/docs/envoy/v1.13.6/intro/version_history
Docs: https://www.envoyproxy.io/docs/envoy/v1.13.6/
GitHub tags: https://github.com/envoyproxy/envoy/releases/tag/v1.12.7
Docker images: docker pull envoyproxy/envoy:v1.12.7
Release notes: https://www.envoyproxy.io/docs/envoy/v1.12.7/intro/version_history
Docs: https://www.envoyproxy.io/docs/envoy/v1.12.7/
Run `envoy --version`; if it reports a base version of 1.15.0, 1.14.4, 1.13.4, 1.12.6 or older, you are running a vulnerable version.
Update to 1.15.1, 1.14.5, 1.13.6, or 1.12.7 via your Envoy distribution or rebuild from the Envoy GitHub source at the 1.15.1, 1.14.5, 1.13.6, or 1.12.7 tag or HEAD @ master.
CVE-2020-25017 Incorrect handling of duplicate HTTP headers
Envoy through 1.15.0 only considers the first value when multiple header values are present for some HTTP headers. Envoy's setCopy() header map API does not replace all existing occurrences of a non-inline header.
We rated CVE-2020-25017 as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L (8.3, High). See the GitHub advisory for more details.
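As an added illustration (not Envoy's code), the following minimal multi-valued header map models the two behaviours described above: a consumer that only reads the first occurrence, and an overwrite that only replaces the first occurrence versus one that replaces them all. The header names and values are constructed for the example.

```python
# Added model of the CVE-2020-25017 behaviour; not Envoy code.
from typing import List, Optional, Tuple

Header = Tuple[str, str]


class HeaderMap:
    """Ordered, case-insensitive header list that allows duplicate names."""

    def __init__(self, headers: List[Header]) -> None:
        self._headers = [(n.lower(), v) for n, v in headers]

    def get(self, name: str) -> Optional[str]:
        # Models a consumer that only considers the first occurrence.
        for n, v in self._headers:
            if n == name.lower():
                return v
        return None

    def get_all(self, name: str) -> List[str]:
        # What an upstream that reads every occurrence would see.
        return [v for n, v in self._headers if n == name.lower()]

    def set_copy_buggy(self, name: str, value: str) -> None:
        # Models the pre-fix setCopy(): only the first matching entry is
        # overwritten; later duplicates survive untouched.
        name = name.lower()
        for i, (n, _) in enumerate(self._headers):
            if n == name:
                self._headers[i] = (name, value)
                return
        self._headers.append((name, value))

    def set_copy_fixed(self, name: str, value: str) -> None:
        # Fixed behaviour: drop every existing occurrence, then add one entry.
        name = name.lower()
        self._headers = [(n, v) for n, v in self._headers if n != name]
        self._headers.append((name, value))


def overwrite_header(headers: List[Header], name: str, value: str, fixed: bool) -> List[str]:
    """Apply the proxy-side overwrite and return all surviving values."""
    hm = HeaderMap(headers)
    (hm.set_copy_fixed if fixed else hm.set_copy_buggy)(name, value)
    return hm.get_all(name)


# Constructed request in which the client sent the same header twice.
CLIENT_HEADERS: List[Header] = [("host", "app.example"), ("x-example", "client-a"), ("x-example", "client-b")]

if __name__ == "__main__":
    print(overwrite_header(CLIENT_HEADERS, "x-example", "proxy", fixed=False))  # ['proxy', 'client-b']
    print(overwrite_header(CLIENT_HEADERS, "x-example", "proxy", fixed=True))   # ['proxy']
```

Note that `get()` returns the proxy's value in both cases, so a first-value-only view hides the leftover client value; when auditing, inspect every occurrence of a header rather than the first.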
Thank you to Harvey Tuch, Mark D. Roth, Matt Klein, and Yuchen Dai for making this release happen.
Thanks,
Antonio Vicente (on behalf of the Envoy security team and maintainers)