Security fix of Envoy main branch (that includes c9c4709, d828958, and 2d69e30) is now available


Antonio Vicente

Sep 29, 2020, 7:52:00 PM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers

Hello Envoy Community,


The Envoy security team would like to announce the availability of the fix for security defect(s) introduced in the main branch by commits c9c4709, d828958, and 2d69e30. The defect(s) caused by c9c4709, d828958, and 2d69e30 were not part of any Envoy stable releases.

Vulnerability Details

CVE-2020-25018 Crash in URL parsing

Envoy master between 2d69e30 and 3b5acb2 may fail to parse a request URL that requires host canonicalization. The use of an Internationalized Domain Name (IDN) as the host component in a request URL triggers the URL parser library used by Envoy to do Punycode encoding (to convert Unicode characters to ASCII). Since the conversion data is not available, the conversion fails, which could result in executing code at a faulting address (segmentation fault).


The CVSS score for this is CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High). See the GitHub advisory for more details.


Including the 3b5acb2 commit is encouraged to fix this issue.

Security fix timeline

1. The defect(s) introduced by c9c4709, d828958, and 2d69e30 landed in the main branch between 9 of July 2020 and 6 of August 2020.

2. The fix 3b5acb2 was pushed into the main branch on 29 of September 2020 at 12 PDT (19 GMT).

Thank you

Thank you to Asra Ali, Dhi Aurrahman, and Harvey Tuch for making this release happen.


Thanks,

Antonio Vicente (on behalf of the Envoy security team and maintainers)
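
To check whether a local Envoy checkout falls inside the window described above (contains 2d69e30 but not 3b5acb2), the following added example uses git ancestry. It is not part of the original announcement or the Envoy project; the function names and the repository path argument are assumptions.

```shell
#!/bin/sh
# Added example: classify a git revision against the affected window.
# Commit ids are taken from the announcement; function names and the
# repository path argument are assumptions made for this example.

INTRODUCED=2d69e30   # start of the affected range given for CVE-2020-25018
FIXED=3b5acb2        # fix commit named in the announcement

# has_commit REPO COMMIT REV -> exit 0 if COMMIT is REV or an ancestor of REV
has_commit() {
    git -C "$1" merge-base --is-ancestor "$2" "$3" 2>/dev/null
}

# envoy_idn_status REPO [REV] [INTRODUCED] [FIXED]
# Prints: unknown-commit | not-affected | affected | fixed
# Exit status: 0 = not-affected or fixed, 1 = affected, 2 = cannot decide
envoy_idn_status() {
    repo=$1; rev=${2:-HEAD}; intro=${3:-$INTRODUCED}; fix=${4:-$FIXED}
    # Refuse to guess when an id does not resolve (shallow clone, wrong repo).
    for c in "$rev" "$intro" "$fix"; do
        git -C "$repo" rev-parse --verify --quiet "$c^{commit}" >/dev/null \
            || { echo unknown-commit; return 2; }
    done
    if has_commit "$repo" "$fix" "$rev"; then
        echo fixed
    elif has_commit "$repo" "$intro" "$rev"; then
        echo affected
        return 1
    else
        echo not-affected
    fi
}

# Stand-alone use: sh check.sh /path/to/envoy [REV]
if [ "$#" -ge 1 ]; then
    envoy_idn_status "$@"
fi
```

An `unknown-commit` result usually means the clone is shallow or the path is not an Envoy checkout; fetch full history before trusting a negative answer.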
