Update to incorporate CVE fixes (#349)

* Update to incorporate CVE fixes * Add changelog
solo-io · Jul 2, 2024 · 9f8d012 · 9f8d012
1 parent 511b864
commit 9f8d012
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
@@ -2,7 +2,8 @@ REPOSITORY_LOCATIONS = dict(
     envoy = dict(
         # envoy 1.26.7 forked with extproc changes
         # sourced from release v1.26.8-fork1
-        commit = "f87a6143de75426bff63d0da4e9d4ed400b74a40",
+        # add fixes for async buffer limit and nlohmann json CVEs
+        commit = "60f831f4e6abb1e458b2016ab36ac581ae440c65",
         remote = "https://github.com/solo-io/envoy-fork",
     ),
     inja = dict(

diff --git a/changelog/v1.26.8-patch3/envoy-cves.yaml b/changelog/v1.26.8-patch3/envoy-cves.yaml
@@ -0,0 +1,10 @@
+changelog:
+  - type: DEPENDENCY_BUMP
+    dependencyRepo: envoy-fork
+    dependencyOwner: solo-io
+    dependencyTag: v1.26.8-fork2
+    issueLink: https://github.com/solo-io/envoy-gloo-ee/issues/807
+    resolvesIssue: false
+    description: >
+      Bump Envoy to v1.26.8 for our fork.
+      Tackles the http2 crazy cve CVE-2024-30255