to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-users, envoy-dev, Envoy-maintainers, envoy-security
We are announcing the fixes for two zero days that were identified today:
1. Crash in UDP proxy when datagram size is > 1500. This can happen if either MTU > 1500 or if fragmented datagrams are forwarded and reassembled: https://github.com/envoyproxy/envoy/pull/14122. This issue was already under embargo and a new issue was opened in public GitHub.
2. Proxy proto downstream address not restored correctly for non-HTTP connections: https://github.com/envoyproxy/envoy/pull/14131. This issue was opened publicly recently but the security implications were not clear at the time. This will affect logging and network level RBAC for non-HTTP network connections.
A few administrative items:
Backports are complete for v1.16.1. The release has been tagged. Images should be available later.
Backports for other supported stable versions where the bugs apply will go out next week. Issue (1) affects all versions with the UDP proxy filter. Issue (2) only affects v1.16.0.
We will provide more complete writeups, CVE numbers, etc. later next week.