Security release of Envoy to address multiple CVEs


From: ry...@synca.io
Date: Jun 4, 2024, 5:13:08 PM
To: envoy-secur...@googlegroups.com, envoy-s...@googlegroups.com, envoy-a...@googlegroups.com, envoy-ma...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com
Hi Envoy community,

We would like to disclose the following CVEs:

- [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](https://github.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv)
- [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4)
- [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26)
- [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299)
- [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc)
- [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](https://github.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m)
- [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](https://github.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c)

These issues will be resolved in the following releases:

- 1.30.2
- 1.29.5
- 1.28.4
- 1.27.6

The releases (binaries/Docker/docs) will be published to our releases
page as they become available:

https://github.com/envoyproxy/envoy/releases

A PR to resolve these issues on the `main` branch has been raised here:

https://github.com/envoyproxy/envoy/pull/34523

thanks,

Boteng Yao <bot...@google.com>
Ryan Northey <ry...@synca.io> (@phlax)

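A small triage helper, added here as an example and not part of the announcement or the Envoy project: it takes the fixed releases listed above (1.30.2, 1.29.5, 1.28.4, 1.27.6) and reports whether a given Envoy version string is at or above the fix for its minor line. The sample version strings in the block are constructed; the regex only assumes the version contains a `MAJOR.MINOR.PATCH` triple somewhere in the text, and any minor line the advisory does not list is reported as `not-listed` rather than guessed at.

```python
"""Classify an Envoy version against the fixed releases named in the
advisory (1.30.2, 1.29.5, 1.28.4, 1.27.6). Added example; the version
strings below are constructed for illustration."""
import re

# Fixed release per supported minor line, taken from the announcement.
FIXED_RELEASES = {
    (1, 30): (1, 30, 2),
    (1, 29): (1, 29, 5),
    (1, 28): (1, 28, 4),
    (1, 27): (1, 27, 6),
}

# Match the first MAJOR.MINOR.PATCH triple in arbitrary text so the same
# function works on a bare version or a longer version banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from the first dotted triple in text."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no MAJOR.MINOR.PATCH version found in: {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def patch_status(text: str) -> str:
    """'fixed' if the version is at/above the advisory's fix for its minor
    line, 'affected' if below it, 'not-listed' if the advisory names no
    release for that minor line (older or newer lines need separate review)."""
    version = parse_version(text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "fixed" if version >= fixed else "affected"


def triage(versions: list[str]) -> dict[str, str]:
    """Map each input string to its status; convenient for fleet inventories."""
    return {v: patch_status(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    samples = [
        "1.30.1",
        "1.30.2",
        "1.28.3",
        "1.27.6",
        "1.26.8",
        "envoy version: deadbeef/1.29.4/Clean/RELEASE/BoringSSL",  # constructed banner
    ]
    for version, status in triage(samples).items():
        print(f"{status:<10} {version}")
```

Tuple comparison does the ordering work: `(1, 30, 1) >= (1, 30, 2)` is false, so 1.30.1 is `affected`, while a line the advisory does not mention (1.26.x, or a newer 1.31.x) is deliberately left as `not-listed` so nobody reads silence as "safe".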