Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[IMPORTANT/bp/1.31] Multiple CVEs #36225

Merged
merged 5 commits into from
Sep 19, 2024
Merged

[IMPORTANT/bp/1.31] Multiple CVEs #36225

merged 5 commits into from
Sep 19, 2024

Conversation

phlax
Copy link
Member

@phlax phlax commented Sep 19, 2024

CVE-2024-45807: oghttp2 crash on OnBeginHeadersForStream
CVE-2024-45808: Malicious log injection via access logs
CVE-2024-45806: Potential manipulate x-envoy headers from external sources
CVE-2024-45809: Jwt filter crash in the clear route cache with remote JWKs
CVE-2024-45810: Envoy crashes for LocalReply in http async client

kyessenov and others added 5 commits September 19, 2024 16:10
@kyessenov @phlax
jwt: fix clear route cache with remote JWKs
f79cfd7 
Change-Id: If54c7143ecb1bf936e88fbb3371d9c47f6d8f671
Signed-off-by: Kuat Yessenov <kuat@google.com>

Signed-off-by: Ryan Northey <ryan@synca.io>
@alyssawilk @phlax
internal_address_config: change the default to be more secure for ser…
cfbc572 
…vice mesh environments

Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
@botengyao @phlax
fix local reply in async client and destroy order
a8e26b4 
Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
@botengyao @phlax
flip oghttp flag
b70ffeb 
Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
@tyxia @phlax
escape invalid host name
5433319 
Signed-off-by: tyxia <tyxia@google.com>
Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>
@repokitteh-read-only RepoKitteh - Read Only
Copy link

CC @envoyproxy/runtime-guard-changes: FYI only for changes made to (source/common/runtime/runtime_features.cc).
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @mattklein123
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #36225 was opened by phlax.

see: more, trace.

@botengyao
Copy link
Member

@phlax, is this for 1.31, may want to change the tittle.

adisuissa
adisuissa approved these changes Sep 19, 2024
View reviewed changes
Copy link
Contributor

@adisuissa adisuissa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

adisuissa
adisuissa reviewed Sep 19, 2024
View reviewed changes
Copy link
Contributor

@adisuissa adisuissa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm api

@phlax phlax changed the title [IMPORTANT/bp/1.30] Multiple CVEs [IMPORTANT/bp/1.31] Multiple CVEs Sep 19, 2024
@phlax
Copy link
Member Author

phlax commented Sep 19, 2024

is this for 1.31, may want to change the tittle.

good spot - updated - i will rebase these anyhow

@phlax phlax enabled auto-merge (rebase) September 19, 2024 15:25
@phlax phlax merged commit 5f777dc into envoyproxy:release/v1.31 Sep 19, 2024
40 of 41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adisuissa adisuissa adisuissa approved these changes

@tyxia tyxia Awaiting requested review from tyxia tyxia is a code owner

@ggreenway ggreenway Awaiting requested review from ggreenway ggreenway is a code owner

@alyssawilk alyssawilk Awaiting requested review from alyssawilk alyssawilk is a code owner

@mattklein123 mattklein123 Awaiting requested review from mattklein123 mattklein123 is a code owner

@yanavlasov yanavlasov Awaiting requested review from yanavlasov yanavlasov is a code owner

Assignees

@mattklein123 mattklein123

@botengyao botengyao

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@phlax @botengyao @adisuissa @mattklein123 @kyessenov @alyssawilk @tyxia