Comparing changes

base repository: envoyproxy/envoy
base: v1.28.3
head repository: envoyproxy/envoy
compare: v1.28.4
  • 18 commits
  • 70 files changed
  • 10 contributors

Commits on Apr 19, 2024

  1. repo: Dev v1.28.4

    Signed-off-by: Ryan Northey <ryan@synca.io>
    phlax committed Apr 19, 2024
    0aca8ea
  2. tests: fixed & expanded checking of ocsp response

    In SslCertficateIntegrationTest.BothEcdsaAndRsaOnlyEcdsaOcspResponse,
    the only check made on the OCSP response was on its length not being
    zero. However, in some error circumstances, the length given by
    SSL_get0_ocsp_response() may be -1, which gives a false positive
    result from the test. This commit expands the checking on the OCSP
    response to check for the actual expected length and expected bytes.
    
    Signed-off-by: Ted Poole <tpoole@redhat.com>
    tedjpoole authored and phlax committed Apr 19, 2024
    19bdbb4

Commits on May 1, 2024

  1. build(deps): bump distroless/base-nossl-debian12 from 0cf184c to `312c829` in /ci (#33860)
    
    build(deps): bump distroless/base-nossl-debian12 in /ci
    
    Bumps distroless/base-nossl-debian12 from `0cf184c` to `312c829`.
    
    ---
    updated-dependencies:
    - dependency-name: distroless/base-nossl-debian12
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Ryan Northey <ryan@synca.io>
    dependabot[bot] authored and phlax committed May 1, 2024
    d5a8032

Commits on May 2, 2024

  1. arm/tests: Temporarily disable failing io_uring test (#33822)

    Signed-off-by: Ryan Northey <ryan@synca.io>
    phlax committed May 2, 2024
    50f2cdb
  2. iouring: fix the IoUringImpl tests for latest kernel (#33833)

    Signed-off-by: He Jie Xu <hejie.xu@intel.com>
    Signed-off-by: Ryan Northey <ryan@synca.io>
    soulxu authored and phlax committed May 2, 2024
    907d880

Commits on May 6, 2024

  1. build(deps): bump distroless/base-nossl-debian12 from 312c829 to `8a09e57` in /ci (#33956)
    
    build(deps): bump distroless/base-nossl-debian12 in /ci
    
    Bumps distroless/base-nossl-debian12 from `312c829` to `8a09e57`.
    
    ---
    updated-dependencies:
    - dependency-name: distroless/base-nossl-debian12
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    Signed-off-by: Ryan Northey <ryan@synca.io>
    dependabot[bot] authored and phlax committed May 6, 2024
    0eb68e2

Commits on May 15, 2024

  1. backports: backporting 34142 (#34150)

    * backports: backporting 34142
    
    Signed-off-by: Alyssa Wilk <alyssar@chromium.org>
    Co-authored-by: botengyao <boteng@google.com>
    alyssawilk and botengyao authored May 15, 2024
    73a2db9

Commits on May 16, 2024

  1. docker/release: Bump Ubuntu base image -> 874aca5

    Signed-off-by: Ryan Northey <ryan@synca.io>
    phlax committed May 16, 2024
    6fe457b

Commits on May 21, 2024

  1. ci/tooling/examples: Update vulnerable deps (#34273)

    Signed-off-by: Ryan Northey <ryan@synca.io>
    phlax authored May 21, 2024
    e9316a2

Commits on May 22, 2024

  1. [Backport 1.28] tls_inspector: Fix invalid ALPN extension in test (#34300) (#34302)
    
    tls_inspector: Fix invalid ALPN extension in test (#34300)
    
    This commit stops generateClientHelloFromJA3Fingerprint() generating client
    hellos containing an invalid ALPN extension. It also updates relevant
    tls_inspector_test functions to check the ALPN value, if expected.
    
    When the generateClientHelloFromJA3Fingerprint() function was asked to include
    an ALPN extension (16) in the generated client hello, it was generating a
    default empty extension with the correct id (16) but a zero length. While this
    is technically a valid extension, it is not a valid ALPN extension, which must
    include a list of the client's preferred protocol(s).
    
    This was causing test failures in the envoy-openssl repo because OpenSSL
    responds to the malformed ALPN extension by sending a TLS alert 50 (Decode
    Error) which causes many of the tls_inspector_test functions to fail.
    
    Signed-off-by: Ted Poole <tpoole@redhat.com>
    tedjpoole authored May 22, 2024
    7681a1d

Commits on Jun 5, 2024

  1. fix brotli decompression endless loop

    Signed-off-by: wbpcode <wbphub@live.com>
    
    Signed-off-by: Ryan Northey <ryan@synca.io>
    wbpcode authored and phlax committed Jun 5, 2024
    fb17735
  2. quic: add 2 quiche patches

    Signed-off-by: Dan Zhang <danzh@google.com>
    Signed-off-by: Ryan Northey <ryan@synca.io>
    danzh1989 authored and phlax committed Jun 5, 2024
    d80d4bf
  3. Fix CVE from uncaught nlohmann json exception.

    Signed-off-by: Kevin Baichoo <kbaichoo@netflix.com>
    
    Signed-off-by: Ryan Northey <ryan@synca.io>
    KBaichoo authored and phlax committed Jun 5, 2024
    779a435
  4. quic: fix crash from EnvoyQuicServerSession::OnConnectionClosed()

    Signed-off-by: Dan Zhang <danzh@google.com>
    Signed-off-by: Ryan Northey <ryan@synca.io>
    danzh1989 authored and phlax committed Jun 5, 2024
    a63121c
  5. websocket handshake check 101 protocol

    Signed-off-by: Boteng Yao <boteng@google.com>
    Signed-off-by: Ryan Northey <ryan@synca.io>
    botengyao authored and phlax committed Jun 5, 2024
    3f4475b
  6. async http: set buffer limit for response and do not buffer for mirror

    Signed-off-by: Boteng Yao <boteng@google.com>
    Signed-off-by: Yan Avlasov <yavlasov@google.com>
    Signed-off-by: Ryan Northey <ryan@synca.io>
    botengyao authored and phlax committed Jun 5, 2024
    54915d2
  7. deps/release: Bump Ubuntu -> 0b897358 (#34547)

    Signed-off-by: Ryan Northey <ryan@synca.io>
    phlax authored Jun 5, 2024
    823d482
  8. repo: Release v1.28.4

    **Summary of changes:**
    
    - [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](GHSA-hww5-43gv-35jv)
    - [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](GHSA-g979-ph9j-5gg4)
    - [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](GHSA-xcj3-h7vf-fw26)
    - [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](GHSA-mgxp-7hhp-8299)
    - [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](GHSA-g9mq-6v96-cpqc)
    - [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](GHSA-7wp5-c2vq-4f8m)
    - [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](GHSA-vcf8-7238-v74c)
    
    **Docker images**:
        https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.28.4
    **Docs**:
        https://www.envoyproxy.io/docs/envoy/v1.28.4/
    **Release notes**:
        https://www.envoyproxy.io/docs/envoy/v1.28.4/version_history/v1.28/v1.28.4
    **Full changelog**:
        v1.28.3...v1.28.4
    
    Signed-off-by: Ryan Northey <ryan@synca.io>
    phlax committed Jun 5, 2024
    25b6b1f