Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

auto-merge envoyproxy/envoy[release/v1.31] into envoyproxy/envoy-openssl[release/v1.31] #275

Open
wants to merge 49 commits into
base: release/v1.31
Choose a base branch
from

Conversation

update-openssl-envoy[bot]
Copy link

Generated by envoy-sync-receive.sh

@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch from 8fa5076 to fd881f3 Compare October 24, 2024 01:31
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch 4 times, most recently from 7161b7b to f3032f1 Compare October 28, 2024 01:31
phlax and others added 3 commits October 28, 2024 11:46
this is currently triggering on the release branches

codeql uses ci cache which is very limited and running this on multiple
branches is expiring caches making this take a very long time

Signed-off-by: Ryan Northey <[email protected]>
This allows per-repo configuration/customization of the bazel (eg rbe)
settings

Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: phlax <[email protected]>
…a91f01` in /ci (#36847)



Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Ryan Northey <[email protected]>
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch from f3032f1 to 1add931 Compare October 29, 2024 01:31
phlax and others added 2 commits October 29, 2024 10:54
**Summary of changes**

- Minor tracing bug fix
- CI and release container updates

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.31.3
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.31.3/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.31.3/version_history/v1.31/v1.31.3
**Full changelog**:
    envoyproxy/envoy@v1.31.2...v1.31.3

Signed-off-by: Kateryna Nezdolii <[email protected]>
Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch 2 times, most recently from 27011d3 to 660366a Compare October 31, 2024 01:31
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch 7 times, most recently from 12424e3 to 7ad500b Compare November 7, 2024 01:30
See istio/istio#53426. Istio has used
underscores in their SNI since the beginning and it is critical to its
functionality. Usage of underscores in SNI is a bit of a grey area in
the RFCs, which are extremely under-specified wrt to what exactly is the
allowed formats. However, the de-facto standard is to allow them, as
virtually every TLS library does so (including, but not limited to,
Golang, rustls, openssl, boringssl).

This PR loosens the restriction to additionally allow underscores.

Note the intent of the SNI restrictions was not RFC compliance, etc --
but rather to fix [log
injection](GHSA-p222-xhp9-39rc)
attacks (putting ANSI escapes, HTML, etc) into logs. This change does
not loosen the security properties we hoped to gain with the initial
patch.

Signed-off-by: John Howard <[email protected]>
(cherry picked from commit 79ee342)
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch from 4cbe0ce to 26a99df Compare December 9, 2024 01:32
Signed-off-by: Ryan Northey <[email protected]>
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch 8 times, most recently from cc1fe48 to 10fe056 Compare December 17, 2024 01:31
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch from 10fe056 to cae0c25 Compare December 18, 2024 01:31
phlax and others added 6 commits December 18, 2024 13:34
…tead of crashing when sorting.

Signed-off-by: Ryan Hamilton <[email protected]>
Signed-off-by: Ryan Northey <[email protected]>
Signed-off-by: Paul Ogilby <[email protected]>

Signed-off-by: Ryan Northey <[email protected]>
**Summary of changes**:

- [CVE-2024-53269](GHSA-mfqp-7mmj-rm53): Happy Eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
- [CVE-2024-53270](GHSA-q9qv-8j52-77p3):  HTTP/1: sending overload crashes when the request is reset beforehand
- [CVE-2024-53271](GHSA-rmm5-h2wv-mg4f):  HTTP/1.1 multiple issues with envoy.reloadable_features.http1_balsa_delay_reset

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.31.5
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.31.5/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.31.5/version_history/v1.31/v1.31.5
**Full changelog**:
    envoyproxy/envoy@v1.31.4...v1.31.5

Signed-off-by: Ryan Northey <[email protected]>
Signed-off-by: Boteng Yao <[email protected]>
Signed-off-by: Ryan Northey <[email protected]>
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch 8 times, most recently from b82fa95 to cdc2a5f Compare December 26, 2024 01:31
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch 3 times, most recently from b7080ca to 12116f4 Compare December 29, 2024 01:31
…ssl[release/v1.31]

* upstream/release/v1.31:
  repo: Dev v1.31.6
  repo: Release v1.31.5
  [balsa] fix for 1xx response mixup
  happy_eyeballs: Validate that additional_address are IP addresses instead of crashing when sorting.
  http/1: fix sending overload crash when request is reset
  github/ci: Set default runner in config (#37738)
  repo: Dev v1.31.5
  repo: Release v1.31.4
  build(deps): bump distroless/base-nossl-debian12 from `174f326` to `2a803cc` in /ci (#37410)
  ci: Boost cpu for flakey on_demand integration test (#37294)
  ci: Boost cpu for flakey grpc integration test (#37223)
  ci: Boost mem for integration test (#37009)
  ci/rbe: Boost cpus for more flakey tests (#36942)
  ci/rbe: Boost cpus for some more integration tests (#36930)
  ci/rbe: Boost cpu for another integration test (#36885)
  ci/rbe: Boost cpus for more integration tests (#36837)
  ci/rbe: Boost cpu/mem for more integration tests (#36825)
  ci/rbe: Boost cpus for a couple more integration tests (#36807)
  ci/tests: Boost more worker cores for flakey integration tests (#36793)
  Patch c-ares CVE-2024-25629 (#37269)
  changelog: Add entry for `schema_validation_tool` fix (#37335)
  ci/bazel: Fix repo config (#37349)
  github/ci: Only trigger pr-notifier ci on `main` PRs (#37336)
  validator: add in removed extension (#37261)
  limit calculated sampling exponent (#37240)
  build(deps): bump distroless/base-nossl-debian12 from `aa91f01` to `174f326` in /ci (#37119)
  deps/api: Bump `envoy_toolshed` -> 0.1.16 (#37219)
  deps: Bump python -> 3.12.3 (#35334)
  headers/geoip: Fix macro (#36964)
  bazel: Make `ci` config common (#37027)
  bazel/distribution: Cleanups to fix aquery (#36977)
  ci: Add bazel client caching (#37096)
  Add release note for "Relax recent SNI restrictions" (#37000)
  Relax recent SNI restrictions (#36950)
  ci/rbe: Boost cpu for another flakey integration test
  repo: Dev v1.31.4
  repo: Release v1.31.3
  ci: Fix coverage/docs upload redirect path (#36423)
  build(deps): bump distroless/base-nossl-debian12 from `e130c09` to `aa91f01` in /ci (#36847)
  bazel/ci: Add repo customizations (#36831)
  ci/codeql: Only run on main branch (#36806)
  ci/rbe: Boost quic integration test (#36805)
  deps/release: Bump Ubuntu -> 0e5e4a5 (#36723)
  ci/tests: Revert some integration tests to `2core` (#36784)
  ci/rbe: Switch rbe pools `2core` -> `6gig` (#36761)
  ocsp/formatting: Fix format issue in generated cert (#36763)
  test/ocsp: Renew certificates (#36755)
  ci/rbe: Switch backend RBE cluster (#36730)

Signed-off-by: tedjpoole <[email protected]>
@update-openssl-envoy update-openssl-envoy bot force-pushed the auto-merge-release-v1-31 branch from 12116f4 to 3218385 Compare December 30, 2024 01:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants