oss-sec mailing list archives

Envoy security releases [1.29.3, 1.28.2, 1.27.4, 1.26.8] are now available

From: Jan Schaumann <jschauma () netmeister org>
Date: Fri, 5 Apr 2024 13:51:36 -0400

[ threading under VU#421644; I'm not affiliated with
  Envoy, but happen to track this vulnerability ]

https://groups.google.com/g/envoy-security-announce/c/5XgxqT2lDg8

| We would like to announce the release of the following
| patch versions:
| 
| - 1.29.3
| - 1.28.2
| - 1.27.4
| - 1.26.8
| 
| These releases resolve
| [CVE-2024-30255](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm)
| 
| We would also like to disclose that versions 1.29.0
| and 1.29.1 were also
| vulnerable to the more severe
| [CVE-2024-27919](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gghf-vfxp-799r)
| 
| You are encouraged to update your versions of Envoy.
| 
| Further information about the releases can be found on
| the Envoy releases page:
| 
| https://github.com/envoyproxy/envoy/releases

-Jan

Current thread:

CERT/CC VU#421644: HTTP/2 CONTINUATION frames can be utilized for DoS attacks Alan Coopersmith (Apr 03)
- Envoy security releases [1.29.3, 1.28.2, 1.27.4, 1.26.8] are now available Jan Schaumann (Apr 05)
- Go 1.22.2 and 1.21.9 (CVE-2023-45288 HTTP/2 CONTINUATION issue) Jan Schaumann (Apr 05)