TL;DR: Mainline Envoy builds use BoringSSL and are NOT affected. Any custom builds using OpenSSL will have to do their own analysis.
are all based on code BoringSSL does not include. BoringSSL is happily living up to its name :-)
Alyssa, on behalf of Envoy Security Team.