Security fix of Envoy main branch (that includes 7d03b62)

Dhi Aurrahman

Aug 20, 2020, 10:40:54 PM8/20/20
to envoy-a...@googlegroups.com, envoy-secur...@googlegroups.com
Hello Envoy Community,

The Envoy security team would like to announce the availability of the security fix for security defects introduced in the main branch by commit https://github.com/envoyproxy/envoy/commit/7d03b628859cdf20d97a4e9dc2e4c137884b4a1e. Envoy may experience a stack overflow when proxying to an HTTP/2 upstream that sends empty trailers. This also affects Envoy configured with an HTTP filter that handles an HTTP/2 stream and clears the trailers (for example, the gRPC-Web filter).


The CVSS score for this is 5.9 Medium (https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).


Including the commit https://github.com/envoyproxy/envoy/commit/7b88015bd60d61f9cc28de0e8e1c57f59bc1cdb is encouraged to fix this issue.


Thank you to Asra Ali and Matt Klein for helping with the fix, test, and review, and to Lizan Zhou, Harvey Tuch, and Snow Pettersen for scoring and reviewing this announcement.


Thanks,


Dhi Aurrahman (on behalf of the Envoy security team and maintainers)