[1.17] make: Bump envoy for recent cve release

solo-io · Dec 19, 2024 · b1e4e12 · b1e4e12
1 parent b84a4b2
commit b1e4e12
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 0 deletions.
diff --git a/Makefile b/Makefile
@@ -54,7 +54,11 @@ SOURCES := $(shell find . -name "*.go" | grep -v test.go)
 # for more information, see https://github.com/solo-io/gloo/pull/9633
 # and
 # https://soloio.slab.com/posts/extended-http-methods-design-doc-40j7pjeu
+<<<<<<< HEAD
 ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.30.6-patch5
+=======
+ENVOY_GLOO_IMAGE ?= quay.io/solo-io/envoy-gloo:1.31.5-patch1
+>>>>>>> 35384926eb (make: Bump envoy for recent cve release)
 LDFLAGS := "-X github.com/solo-io/gloo/pkg/version.Version=$(VERSION)"
 GCFLAGS ?=
 

diff --git a/changelog/v1.17.19/envoy-cve.yaml b/changelog/v1.17.19/envoy-cve.yaml
@@ -0,0 +1,11 @@
+changelog:
+  - type: DEPENDENCY_BUMP
+    issueLink: https://github.com/solo-io/envoy-gloo-ee/issues/868
+    dependencyOwner: solo-io
+    dependencyRepo: envoy-gloo
+    dependencyTag: v1.30.9-patch1
+    resolvesIssue: false
+    description: >-
+      CVE-2024-53269: Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
+      CVE-2024-53270: HTTP/1: sending overload crashes when the request is reset beforehand
+      CVE-2024-53271: HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset
diff --git a/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml b/install/helm/gloo/templates/9-gateway-proxy-configmap.yaml
@@ -35,6 +35,9 @@ data:
           upstream:
             healthy_panic_threshold:
               value: {{ $spec.healthyPanicThreshold }}
+          envoy: #  ON_LTS_UPDATE remove the reloadable feature block and this envoy  block
+            reloadable_features:
+              check_switch_protocol_websocket_handshake : false
       - name: admin_layer
         admin_layer: {}
     node:

diff --git a/projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml b/projects/gateway2/helm/gloo-gateway/templates/gateway/proxy-deployment.yaml
@@ -346,6 +346,13 @@ data:
     admin:
       address:
         socket_address: { address: 127.0.0.1, port_value: 19000 }
+    layered_runtime:
+      layers:
+      - name: static_layer
+        static_layer:
+        envoy: #  ON_LTS_UPDATE remove the reloadable feature block and this envoy  block
+            reloadable_features:
+              check_switch_protocol_websocket_handshake : false
     node:
       cluster: {{ include "gloo-gateway.gateway.fullname" . }}.{{ .Release.Namespace }}
       metadata:

diff --git a/test/services/envoy/bootstrap_builder.go b/test/services/envoy/bootstrap_builder.go
@@ -51,6 +51,9 @@ layered_runtime:
       upstream:
         healthy_panic_threshold:
           value: 0
+      envoy:
+        reloadable_features:
+          check_switch_protocol_websocket_handshake : false
   - name: admin_layer
     admin_layer: {}
 node: