Skip to content

Commit

Permalink
Prepare Release.
Browse files Browse the repository at this point in the history
Signed-off-by: Pradeep Rao <[email protected]>
  • Loading branch information
pradeepcrao committed Jun 8, 2022
1 parent 6b1fb93 commit fccfb7d
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 3 deletions.
2 changes: 1 addition & 1 deletion VERSION
Original file line number Diff line number Diff line change
@@ -1 +1 @@
1.19.5-dev
1.19.5
10 changes: 8 additions & 2 deletions docs/root/version_history/current.rst
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
1.19.5 (Pending)
================
1.19.5 (June 9, 2022)
=====================

Incompatible Behavior Changes
-----------------------------
Expand All @@ -13,6 +13,12 @@ Bug Fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* decompression: fixed CVE-2022-29225 due to which decompressors can be zip bombed. Previously decompressors were susceptible to memory inflation in takes in which specially crafted payloads could cause a large amount of memory usage by Envoy. The max inflation payload size is now limited. This change can be reverted via the ``envoy.reloadable_features.enable_compression_bomb_protection`` runtime flag.
* health_check: fixed CVE-2022-29224 which caused a segfault in GrpcHealthCheckerImpl. An attacker-controlled upstream server that is health checked using gRPC health checking can crash Envoy via a null pointer dereference in certain circumstances.
* oauth: fixed CVE-2022-29226 due to which oauth filter allows trivial bypass. The OAuth filter implementation does not include a mechanism for validating access tokens, so by design when the HMAC signed cookie is missing a full authentication flow should be triggered. However, the current implementation assumes that access tokens are always validated thus allowing access in the presence of any access token attached to the request.
* oauth: fixed CVE-2022-29228 due to which oauth filter calls continueDecoding() from within decodeHeaders(). The OAuth filter would try to invoke the remaining filters in the chain after emitting a local response, which triggers an ASSERT() in newer versions and corrupts memory on earlier versions.
* router: fixed CVE-2022-29227 which caused an internal redirect crash for requests with body/trailers. Envoy would previously crash in some cases when processing internal redirects for requests with bodies or trailers if the redirect prompts an Envoy-generated local reply.

Removed Config or Runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
Expand Down

0 comments on commit fccfb7d

Please sign in to comment.