Groups
Conversations
All groups and messages
Send feedback to Google
Help
Training
Sign in
Groups
envoy-announce
Conversations
About
Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
Envoy security releases [1.31.2, 1.30.6, 1.29.9, 1.28.7] are available today
59 views
Skip to first unread message
Boteng Yao
unread,
Sep 19, 2024, 11:18:48 AM
9/19/24
Reply to author
Sign in to reply to author
Forward
Sign in to forward
Delete
You do not have permission to delete messages in this group
Copy link
Report message
Show original message
Either email addresses are anonymous for this group or you need the view member email addresses permission to view the original message
to envoy-secur...@googlegroups.com, envoy-security, envoy-ma...@googlegroups.com, envoy-a...@googlegroups.com, envoy...@googlegroups.com, envo...@googlegroups.com
Hi Envoy Community,
We would like to disclose the following CVEs:
[CVE-2024-45807](
https://github.com/envoyproxy/envoy/security/advisories/GHSA-qc52-r4x5-9w37
): oghttp2 crash on OnBeginHeadersForStream
[CVE-2024-45808](
https://github.com/envoyproxy/envoy/security/advisories/GHSA-p222-xhp9-39rc
): Malicious log injection via access logs
[CVE-2024-45806](
https://github.com/envoyproxy/envoy/security/advisories/GHSA-ffhv-fvxq-r6mf
): Potential manipulate `x-envoy` headers from external sources
[CVE-2024-45809](
https://github.com/envoyproxy/envoy/security/advisories/GHSA-wqr5-qmq7-3qw3
): Jwt filter crash in the clear route cache with remote JWKs
[CVE-2024-45810](
https://github.com/envoyproxy/envoy/security/advisories/GHSA-qm74-x36m-555q
): Envoy crashes for LocalReply in http async client
These issues will be resolved in the following releases:
- v1.31.2
- v1.30.6
- v1.29.9
- v1.28.7
The releases will be published to our releases page as they become available today:
https://github.com/envoyproxy/envoy/releases
You are encouraged to update your versions of Envoy, and documentation for all versions can be found at
https://www.envoyproxy.io/docs
.
A PR to resolve these issues on the `main` branch has been raised here:
https://github.com/envoyproxy/envoy/pull/36221
Thanks,
Ryan Northey <
ry...@synca.io
> (@phlax)
Boteng Yao <
bot...@google.com
> (@botengyao)
Reply all
Reply to author
Forward
0 new messages