repo: Release 1.22.3 (#22389)
Signed-off-by: Ryan Northey <[email protected]>
phlax authored Jul 27, 2022
1 parent 7153b31 commit 2aca584
Showing 20 changed files with 451 additions and 113 deletions.
4 changes: 3 additions & 1 deletion docs/conf.py
Expand Up @@ -330,5 +330,7 @@ def _config(key):
'v1.16': ('https://www.envoyproxy.io/docs/envoy/v1.16.5', None),
'v1.17': ('https://www.envoyproxy.io/docs/envoy/v1.17.4', None),
'v1.18': ('https://www.envoyproxy.io/docs/envoy/v1.18.4', None),
'v1.19': ('https://www.envoyproxy.io/docs/envoy/v1.19.1', None),
'v1.19': ('https://www.envoyproxy.io/docs/envoy/v1.19.5', None),
'v1.20': ('https://www.envoyproxy.io/docs/envoy/v1.20.7', None),
'v1.21': ('https://www.envoyproxy.io/docs/envoy/v1.21.5', None),
}
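Review bot: the per-branch URLs in this mapping pin an exact patch release, and the `v1.19` entry had been left at `v1.19.1` until this change moved it to `v1.19.5`, so the pins drift unless someone bumps them by hand at every release. Add a comment above the mapping (or a release-checklist step) saying each entry must track the latest patch release of its branch; the `v1.19:` cross-references introduced in `v1.19.3.rst` by this same commit resolve against whatever version is pinned here.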
6 changes: 4 additions & 2 deletions docs/root/version_history/current.rst
@@ -1,5 +1,5 @@
1.22.3 (Pending)
================
1.22.3 (July 27, 2022)
======================

Incompatible Behavior Changes
-----------------------------
Expand All @@ -13,6 +13,8 @@ Bug Fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* docker: update Docker images (``distroless`` -> ``49d2923f35d6``) to resolve CVE issues in container packages.

Removed Config or Runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
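Review bot: the new `docker:` bullet says the image bump resolves "CVE issues in container packages" without naming any CVE or linking a PR, so an operator cannot tell from the release notes whether a given scanner finding is covered by 1.22.3. List the CVE IDs, or at least reference the PR the way the 1.19.4 entry in this commit does with `(#20760)`. The value `49d2923f35d6` is also given without context; say what it identifies (for example a digest prefix) and for which image, so it can be checked against what is actually deployed.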
13 changes: 12 additions & 1 deletion docs/root/version_history/v1.19.3.rst
Expand Up @@ -5,6 +5,16 @@ Incompatible Behavior Changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* dns_filter: :ref:`dns_filter <v1.19:envoy_v3_api_msg_extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig>`
protobuf fields have been renumbered to restore compatibility with Envoy
1.18, breaking compatibility with Envoy 1.19.0 and 1.19.1. The new field
numbering allows control planes supporting Envoy 1.18 to gracefully upgrade to
:ref:`dns_resolution_config <v1.19:envoy_v3_api_field_extensions.filters.udp.dns_filter.v3alpha.DnsFilterConfig.ClientContextConfig.dns_resolution_config>`,
provided they skip over Envoy 1.19.0 and 1.19.1.
Control planes upgrading from Envoy 1.19.0 and 1.19.1 will need to
vendor the corresponding protobuf definitions to ensure that the
renumbered fields have the types expected by those releases.

Minor Behavior Changes
----------------------

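Review bot: the `dns_filter` bullet names 1.19.0 and 1.19.1 as the releases the renumbering is incompatible with, but never says which release first ships the new field numbers, and because the text sits in `v1.19.3.rst` a reader cannot tell where 1.19.2 falls. State the first release with the renumbered fields explicitly, and name the proto file that control planes upgrading from 1.19.0 or 1.19.1 are expected to vendor, since "the corresponding protobuf definitions" leaves that open.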
Expand All @@ -14,7 +24,8 @@ Bug Fixes

* data plane: fix crash when internal redirect selects a route configured with direct response or redirect actions.
* jwt_authn: fixed the crash when a CONNECT request is sent to JWT filter configured with regex match on the Host header.
* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.tunneling_config>` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established.
* listener: fixed an issue on Windows where connections are not handled by all worker threads.
* tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling <v1.19:envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.tunneling_config>` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established.

Removed Config or Runtime
-------------------------
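Review bot: the rewritten `tcp_proxy` bullet carries over the doubled word in "while the the upstream connection"; the line is already being touched to add the `v1.19:` prefix, so fix the typo in the same change and write `HTTP/2` rather than `http/2`. The other `:ref:` targets in this file are worth checking for the same missing `v1.19:` prefix, since only this one is updated in the hunk.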
28 changes: 28 additions & 0 deletions docs/root/version_history/v1.19.4.rst
@@ -0,0 +1,28 @@
1.19.4 (April 25, 2022)
=======================

Incompatible Behavior Changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

Minor Behavior Changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*

* perf: ssl contexts are now tracked without scan based garbage collection and greatly improved the performance on secret update.

Bug Fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* docker: update Docker images to resolve CVE issues in container packages (#20760).

Removed Config or Runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

New Features
------------

Deprecated
----------
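Review bot: the `perf:` bullet is filed under "Minor Behavior Changes", whose own blurb says the section is for changes that "may cause incompatibilities for some users", yet the text describes only a performance improvement; say what observable behavior changed or move the entry. The sentence also needs a grammar pass, for example "SSL contexts are now tracked without scan-based garbage collection, which greatly improves performance on secret updates".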
30 changes: 30 additions & 0 deletions docs/root/version_history/v1.19.5.rst
@@ -0,0 +1,30 @@
1.19.5 (June 9, 2022)
=====================

Incompatible Behavior Changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

Minor Behavior Changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*

Bug Fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* decompression: fixed CVE-2022-29225 due to which decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload size is now limited. This change can be reverted via the ``envoy.reloadable_features.enable_compression_bomb_protection`` runtime flag.
* health_check: fixed CVE-2022-29224 which caused a segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
* oauth: fixed CVE-2022-29226 due to which oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
* oauth: fixed CVE-2022-29228 due to which oauth filter calls continueDecoding() from within decodeHeaders(). The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.
* router: fixed CVE-2022-29227 which caused an internal redirect crash for requests with body/trailers. Envoy would previously crash in some cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated local reply.

Removed Config or Runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period <deprecated>`

New Features
------------

Deprecated
----------
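Review bot: the CVE-2022-29225 bullet says the maximum inflation size "is now limited" without giving the limit, and it presents `envoy.reloadable_features.enable_compression_bomb_protection` as a way to revert the change without saying that doing so removes the protection again; state both so operators know what limit to expect and what disabling the flag costs. In the same bullet "memory inflation in takes in which" is garbled and should be corrected, and in the CVE-2022-29226 bullet "the current implementation assumes" should be in the past tense, because this entry documents the release that contains the fix.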