[NET-7948] Bump Envoy version to address multiple CVEs (#20589)

security: Bump Envoy versions to address CVEs
This commit is contained in:
Michael Zalimeni 2024-02-12 17:29:50 -05:00 committed by GitHub
parent 671c436415
commit 5862c52642
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 36 additions and 31 deletions

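--- /dev/null
+++ b/.changelog/20589.txt
@@ -0,0 +1,3 @@
+```release-note:security
+mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), and [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```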


@ -74,7 +74,7 @@ jobs:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# 14 based on these values:
# envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.6", "1.27.2", "1.28.0"]
# envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.7", "1.27.3", "1.28.1"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 7
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@ -109,7 +109,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.6", "1.27.2", "1.28.0"]
envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11", "1.26.7", "1.27.3", "1.28.1"]
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:


@ -74,9 +74,9 @@ jobs:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 8 based on these values:
# envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
# envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 4
TOTAL_RUNNERS: 8
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
@ -109,7 +109,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.6"]
envoy-version: ["1.23.12", "1.24.12", "1.25.11", "1.26.7"]
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
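Review bot: `TOTAL_RUNNERS` is raised from 4 to 8 here to match the `multiplied by 8` comment, but the sibling workflow with the same four-version matrix (`envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]`) keeps `TOTAL_RUNNERS: 4` under an identical comment, so the workflows now disagree on how the runner count is derived; either bump it there too or add a comment explaining why it differs. Separately, `JQ_SLICER` computes `length / $runnercount | floor`, which is 0 whenever the test-case list is shorter than the runner count, and as far as I can tell jq's `_nwise(0)` does not terminate — doubling the divisor makes that edge more reachable. A floor of one keeps the slicer total: `JQ_SLICER: '[ inputs ] | [_nwise([length / $runnercount | floor, 1] | max)]'`. The `run:` block continues outside the hunk.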


@ -74,7 +74,7 @@ jobs:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 8 based on these values:
# envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
# envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 4
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
@ -109,7 +109,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.24.12", "1.25.11", "1.26.6", "1.27.2"]
envoy-version: ["1.24.12", "1.25.11", "1.26.7", "1.27.3"]
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:


@ -71,9 +71,9 @@ jobs:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 8 based on these values:
# envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
# envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 4
TOTAL_RUNNERS: 8
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
@ -106,7 +106,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.25.11", "1.26.6", "1.27.2", "1.28.0"]
envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:


@ -62,7 +62,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: [ "1.28.0" ]
envoy-version: [ "1.28.1" ]
xds-target: [ "server", "client" ]
env:
ENVOY_VERSION: ${{ matrix.envoy-version }}


@ -270,9 +270,9 @@ jobs:
# this is further going to multiplied in envoy-integration tests by the
# other dimensions in the matrix. Currently TOTAL_RUNNERS would be
# multiplied by 2 based on these values:
# envoy-version: ["1.28.0"]
# envoy-version: ["1.28.1"]
# xds-target: ["server", "client"]
TOTAL_RUNNERS: 4
TOTAL_RUNNERS: 2
JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
run: |
NUM_RUNNERS=$TOTAL_RUNNERS
@ -305,7 +305,7 @@ jobs:
strategy:
fail-fast: false
matrix:
envoy-version: ["1.28.0"]
envoy-version: ["1.28.1"]
xds-target: ["server", "client"]
test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
env:
@ -395,7 +395,7 @@ jobs:
id-token: write # NOTE: this permission is explicitly required for Vault auth.
contents: read
env:
ENVOY_VERSION: "1.28.0"
ENVOY_VERSION: "1.28.1"
CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
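Review bot: `ENVOY_VERSION: "1.28.1"` sits in the same env block as `CONSUL_DATAPLANE_IMAGE: "docker.io/hashicorppreview/consul-dataplane:1.3-dev-ubi"`, and the compatibility table updated in this same commit maps dataplane 1.3.x to Envoy 1.27.x, so unless the job swaps the Envoy inside that image it may not exercise the patched 1.28.1 build this bump is meant to verify — confirm which Envoy the dataplane job actually runs. The `-dev` tag is also a moving target, so the Envoy under test is not pinned by this workflow; a comment such as `# NOTE: the dataplane image bundles its own Envoy; ENVOY_VERSION only selects the proxy for the non-dataplane path` (filled in with the real usage) would make the intent explicit. The job definition continues outside the hunk.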


@ -152,9 +152,9 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
*/
for _, v := range []string{
"1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6",
"1.27.0", "1.27.1", "1.27.2",
"1.28.0",
"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6", "1.26.7",
"1.27.0", "1.27.1", "1.27.2", "1.27.3",
"1.28.0", "1.28.1",
} {
cases[v] = testcase{expect: SupportedProxyFeatures{}}
}


@ -12,9 +12,9 @@ import "strings"
//
// see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
var EnvoyVersions = []string{
"1.28.0",
"1.27.2",
"1.26.6",
"1.28.1",
"1.27.3",
"1.26.7",
"1.25.11",
}


@ -37,21 +37,23 @@ The following matrix describes Envoy compatibility for the currently supported *
Consul supports **four major Envoy releases** at the beginning of each major Consul release. Consul maintains compatibility with Envoy patch releases for each major version so that users can benefit from bug and security fixes in Envoy. As a policy, Consul will add support for a new major versions of Envoy in a Consul major release. Support for newer versions of Envoy will not be added to existing releases.
| Consul Version | Compatible Envoy Versions |
| ------------------- | -----------------------------------------------------------------------------------|
| 1.18.x | 1.28.0, 1.27.2, 1.26.6, 1.25.11 |
| 1.17.x | 1.27.2, 1.26.6, 1.25.11, 1.24.12 |
| 1.16.x | 1.26.6, 1.25.11, 1.24.12, 1.23.12 |
| Consul Version | Compatible Envoy Versions |
| ------------------------------- | -----------------------------------------------------------------------------------|
| 1.18.x | 1.28.1, 1.27.3, 1.26.7, 1.25.11 |
| 1.17.x | 1.27.3, 1.26.7, 1.25.11, 1.24.12 |
| 1.16.x | 1.26.7, 1.25.11, 1.24.12, 1.23.12 |
| 1.15.x (LTS - Enterprise only) | 1.28.1, 1.27.3, 1.26.7, 1.25.11, 1.26.7, 1.25.11, 1.24.12, 1.23.12 |
### Envoy and Consul Dataplane
The Consul dataplane component was introduced in Consul v1.14 as a way to manage Envoy proxies without the use of Consul clients. Each new minor version of Consul is released with a new minor version of Consul dataplane, which packages both Envoy and the `consul-dataplane` binary in a single container image. For backwards compatibility reasons, each new minor version of Consul will also support the previous minor version of Consul dataplane to allow for seamless upgrades. In addition, each minor version of Consul will support the next minor version of Consul dataplane to allow for extended dataplane support via newer versions of Envoy.
| Consul Version | Default `consul-dataplane` Version | Other compatible `consul-dataplane` Versions |
| ------------------- | ------------------------------------------------------------|----------------------------------------------|
| 1.17.x | 1.3.x (Envoy 1.27.x) | 1.2.x (Envoy 1.26.x) |
| 1.16.x | 1.2.x (Envoy 1.26.x) | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x) |
| 1.15.x | 1.1.x (Envoy 1.25.x) | 1.2.x (Envoy 1.26.x), 1.0.x (Envoy 1.24.x) |
| Consul Version | Default `consul-dataplane` Version | Other compatible `consul-dataplane` Versions |
| ------------------------------ | -------------------------------------|----------------------------------------------|
| 1.18.x | 1.4.x (Envoy 1.28.x) | 1.3.x (Envoy 1.27.x) |
| 1.17.x | 1.3.x (Envoy 1.27.x) | 1.4.x (Envoy 1.28.x), 1.2.x (Envoy 1.26.x) |
| 1.16.x | 1.2.x (Envoy 1.26.x) | 1.3.x (Envoy 1.27.x), 1.1.x (Envoy 1.25.x) |
| 1.15.x (LTS - Enterprise only) | 1.1.x (Envoy 1.25.x) | 1.2.x (Envoy 1.26.x), 1.0.x (Envoy 1.24.x) |
## Getting Started