Hello Envoy Community,
BoringSSL and OpenSSL are planning to release a security fix on Tuesday February 7th (see
https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html). The nature of the fix has not been publicly released.
Envoy uses BoringSSL and may be affected. Because the fix is under embargo, we cannot evaluate whether Envoy is affected or not until the fix is released.
Envoy will release new versions of Envoy which include the BoringSSL fix for main, 1.25, 1.24, 1.23, and 1.22, on February 7, when the BoringSSL fix is released.
Thanks,
Greg (on behalf of the Envoy security team and maintainers)