
Envoy security releases [1.32.3, 1.31.5, 1.30.9, 1.29.12] are available today


Boteng Yao

Dec 18, 2024, 1:05:20 PM
to envoy-secur...@googlegroups.com, envoy-security, envoy-ma...@googlegroups.com, envoy-a...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com
Hi Envoy Community,

We would like to disclose the following CVEs:

[CVE-2024-53269](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53): Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
  Affected branches: >= 1.30
[CVE-2024-53270](https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3): HTTP/1: sending overload crashes when the request is reset beforehand.
  Affected branches: all listed below
[CVE-2024-53271](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f): HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset.
  Affected branches: >= 1.31

These issues will be resolved in the following releases:

- v1.32.3
- v1.31.5
- v1.30.9
- v1.29.12

The releases will be published to our releases page as they become available today:

     https://github.com/envoyproxy/envoy/releases

You are encouraged to update your versions of Envoy, and documentation for all versions can be found at https://www.envoyproxy.io/docs.

A PR to resolve these issues on the `main` branch has been raised here:

https://github.com/envoyproxy/envoy/pull/37743

Thanks,
Ryan Northey (@phlax)
Boteng Yao (@botengyao)
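
For triaging a fleet against this announcement, the following is an added example (not part of the original message or of the Envoy project) that maps a deployed Envoy version to the CVEs listed above and the release to upgrade to. The host names and inventory are constructed, and the function names are hypothetical; versions outside the four listed branches are reported as not covered rather than guessed at.

```python
import re

# Data taken from the announcement: fixed patch release per branch, and the
# lowest affected branch per CVE ("all listed below" = from 1.29 upward).
FIXED = {(1, 29): 12, (1, 30): 9, (1, 31): 5, (1, 32): 3}
CVE_MIN_BRANCH = {
    "CVE-2024-53269": (1, 30),
    "CVE-2024-53270": (1, 29),
    "CVE-2024-53271": (1, 31),
}


def triage(version):
    """Return (status, cves, upgrade_to) for one Envoy version string."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        # e.g. dev builds or truncated strings: needs a manual look.
        return ("unparseable", [], None)
    major, minor, patch = map(int, m.groups())
    branch = (major, minor)
    if branch not in FIXED:
        # The announcement only speaks for the four listed branches.
        return ("not-covered", [], None)
    if patch >= FIXED[branch]:
        return ("fixed", [], None)
    cves = sorted(c for c, lo in CVE_MIN_BRANCH.items() if branch >= lo)
    return ("affected", cves, f"v{major}.{minor}.{FIXED[branch]}")


def triage_fleet(inventory):
    """Apply triage() to a {host: version} mapping."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed inventory for illustration only.
INVENTORY = {
    "edge-a": "1.32.2",
    "edge-b": "v1.30.9",
    "mesh-c": "1.29.4",
    "legacy-d": "1.27.7",
}

if __name__ == "__main__":
    for host, (status, cves, target) in triage_fleet(INVENTORY).items():
        print(f"{host}: {status} {','.join(cves)} -> {target}")
```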