Merge envoy[release/v1.28] into envoy-openssl[release/v1.28] #260
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fix #35686 and resolve related CVE ```console CVE-2024-7264 (com_github_curl@8.4.0) CVSS v3 score: 6.5 Severity: MEDIUM Published date: 2024-07-31 Last modified date: 2024-08-12 Description: libcurl's ASN1 parser code has the `GTime2str()` function, used for parsing an ASN.1 Generalized Time field. If given an syntactically incorrect field, the parser might end up using -1 for the length of the *time fraction*, leading to a `strlen()` getting performed on a pointer to a heap buffer area that is not (purposely) null terminated. This flaw most likely leads to a crash, but can also lead to heap contents getting returned to the application when [CURLINFO_CERTINFO](https://curl.se/libcurl/c/CURLINFO_CERTINFO.html) is used. Affected CPEs: - cpe:2.3:a:haxx:libcurl:* ``` Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
…#35802) Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io> Signed-off-by: phlax <phlax@users.noreply.github.com>
There are multiple files named config.h and in some build environments it causes the build postscript to fail Commit Message: Additional Description: Risk Level: Testing: Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io>
…b10a97` in /ci (#35982) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Changes: - Update curl lib to resolve CVE-2024-7264 - Assorted fixes - Updated container images **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.28.6 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.28.6/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.28.6/version_history/v1.28/v1.28.6 **Full changelog**: envoyproxy/envoy@v1.28.5...v1.28.6 Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io>
…cc93c5` in /ci (#36206) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Ryan Northey <ryan@synca.io>
…vice mesh environments Signed-off-by: Alyssa Wilk <alyssar@chromium.org> Signed-off-by: Boteng Yao <boteng@google.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Boteng Yao <boteng@google.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: tyxia <tyxia@google.com> Signed-off-by: Boteng Yao <boteng@google.com> Signed-off-by: Ryan Northey <ryan@synca.io>
**Summary of changes** [CVE-2024-45808](GHSA-p222-xhp9-39rc): Malicious log injection via access logs [CVE-2024-45806](GHSA-ffhv-fvxq-r6mf): Potential manipulate `x-envoy` headers from external sources [CVE-2024-45810](GHSA-qm74-x36m-555q): Envoy crashes for LocalReply in http async client **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.28.7 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.28.7/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.28.7/version_history/v1.28/v1.28.7 **Full changelog**: envoyproxy/envoy@v1.28.6...v1.28.7 Signed-off-by: Boteng Yao <boteng@google.com> Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ryan Northey <ryan@synca.io>
Signed-off-by: Ted Poole <tpoole@redhat.com>
tedjpoole
requested review from
ggreenway,
alyssawilk and
mattklein123
as code owners
|
Executed 1090 out of 1090 tests: 1090 tests pass. |
tedjpoole
requested review from
dcillera
and removed request for
mattklein123,
ggreenway and
alyssawilk
dcillera
approved these changes
Sep 26, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Brings us up to v1.28.7