
Envoy security releases [1.31.2, 1.30.6, 1.29.9, 1.28.7] are available today


Boteng Yao

Sep 19, 2024, 11:18:48 AM
to envoy-secur...@googlegroups.com, envoy-security, envoy-ma...@googlegroups.com, envoy-a...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com
Hi Envoy Community,

We would like to disclose the following CVEs:

[CVE-2024-45807](https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37): oghttp2 crash on OnBeginHeadersForStream
[CVE-2024-45808](https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc): Malicious log injection via access logs
[CVE-2024-45806](https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf): Potential to manipulate `x-envoy` headers from external sources
[CVE-2024-45809](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3): Jwt filter crash in the clear route cache with remote JWKs
[CVE-2024-45810](https://github.com/envoyproxy/envoy/security/advisories/GHSA-qm74-x36m-555q): Envoy crashes for LocalReply in http async client

These issues will be resolved in the following releases:

- v1.31.2
- v1.30.6
- v1.29.9
- v1.28.7

The releases will be published to our releases page as they become available today:

     https://github.com/envoyproxy/envoy/releases

You are encouraged to update your versions of Envoy, and documentation for all versions can be found at https://www.envoyproxy.io/docs.

A PR to resolve these issues on the `main` branch has been raised here:

https://github.com/envoyproxy/envoy/pull/36221

Thanks,

Ryan Northey <ry...@synca.io> (@phlax)
Boteng Yao <bot...@google.com> (@botengyao)
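The first thing an operator wants after reading an announcement like this is a quick answer to "is my fleet on a fixed release?". The script below is an added example, not code from the Envoy project or from the announcement's authors. It encodes the four fixed releases listed above, parses the version out of an `envoy --version` banner (the banner format `envoy  version: <sha>/<x.y.z>/Clean/RELEASE/BoringSSL` is assumed here, as are the sample banners, which are constructed), and classifies each instance. A branch newer than 1.31 is reported as `newer-branch` on the assumption that it was cut from `main` after the fix PR landed; a branch older than 1.28 has no fixed release in this announcement and is reported as `unsupported`.

```python
import re

# Lowest patch release on each maintained minor branch that contains the
# fixes for CVE-2024-45806 through CVE-2024-45810 (from the announcement).
FIXED_RELEASES = {
    (1, 31): 2,   # v1.31.2
    (1, 30): 6,   # v1.30.6
    (1, 29): 9,   # v1.29.9
    (1, 28): 7,   # v1.28.7
}

# Pulls the x.y.z version out of an `envoy --version` banner, e.g.
# "envoy  version: 1a2b3c4d/1.31.1/Clean/RELEASE/BoringSSL"
# (banner layout assumed for this example).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_envoy_version(banner):
    """Return (major, minor, patch) parsed from an Envoy version banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no x.y.z version found in banner: %r" % banner)
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Classify a parsed version against the fixed releases.

    Returns one of:
      "fixed"         - on a maintained branch at or above the fixed patch
      "vulnerable"    - on a maintained branch below the fixed patch
      "newer-branch"  - minor line newer than any listed (assumed to carry
                        the main-branch fix from PR #36221)
      "unsupported"   - minor line older than 1.28; no fixed release exists,
                        so the only remedy is moving to a fixed branch
    """
    major, minor, patch = version
    branch = (major, minor)
    fixed_patch = FIXED_RELEASES.get(branch)
    if fixed_patch is None:
        return "newer-branch" if branch > max(FIXED_RELEASES) else "unsupported"
    return "fixed" if patch >= fixed_patch else "vulnerable"


def check_banner(banner):
    """Convenience wrapper: banner text -> (version, verdict)."""
    version = parse_envoy_version(banner)
    return version, assess(version)


if __name__ == "__main__":
    # Constructed sample banners standing in for `envoy --version` output
    # collected from several hosts.
    sample_banners = [
        "envoy  version: 1a2b3c4d/1.31.1/Clean/RELEASE/BoringSSL",
        "envoy  version: 5e6f7a8b/1.31.2/Clean/RELEASE/BoringSSL",
        "envoy  version: 9c0d1e2f/1.28.6/Clean/RELEASE/BoringSSL",
        "envoy  version: 3a4b5c6d/1.27.9/Clean/RELEASE/BoringSSL",
        "envoy  version: 7e8f9a0b/1.32.0/Clean/RELEASE/BoringSSL",
    ]
    for banner in sample_banners:
        version, verdict = check_banner(banner)
        print("%-8s %s" % (".".join(map(str, version)), verdict))
```

Run it against the captured output of `envoy --version` from each host (or the `version` field of the admin `/server_info` endpoint, which carries the same string); anything reported as `vulnerable` or `unsupported` needs the corresponding release from the list above.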