From 5ec84dbfd81e2d43f153984ee5b6f0568e56111b Mon Sep 17 00:00:00 2001
From: John Murret
Date: Fri, 8 Dec 2023 14:42:04 -0700
Subject: [PATCH] security: update supported envoy version 1.28.0 in addition to 1.25.11, 1.26.6, 1.27.2, 1.28.0 to address CVE-2023-44487 (#19879)
* update too support envoy 1.28.0
* add changelog
* update docs
---
 .changelog/19879.txt | 3 +++
 envoyextensions/xdscommon/envoy_versioning_test.go | 2 +-
 envoyextensions/xdscommon/proxysupport.go | 2 +-
 website/content/docs/connect/proxies/envoy.mdx | 4 ++--
 4 files changed, 7 insertions(+), 4 deletions(-)
 create mode 100644 .changelog/19879.txt
diff --git a/.changelog/19879.txt b/.changelog/19879.txt
new file mode 100644
index 0000000000..12e7e2d75f
--- /dev/null
+++ b/.changelog/19879.txt
@@ -0,0 +1,3 @@
+```release-note:security
+mesh: update supported envoy version 1.28.0 in addition to 1.25.11, 1.26.6, 1.27.2, 1.28.0 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```
\ No newline at end of file
diff --git a/envoyextensions/xdscommon/envoy_versioning_test.go b/envoyextensions/xdscommon/envoy_versioning_test.go
index 925e2fa537..ed77c00eb2 100644
--- a/envoyextensions/xdscommon/envoy_versioning_test.go
+++ b/envoyextensions/xdscommon/envoy_versioning_test.go
@@ -151,10 +151,10 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 }
 */
 for _, v := range []string{
- "1.24.0", "1.24.1", "1.24.2", "1.24.3", "1.24.4", "1.24.5", "1.24.6", "1.24.7", "1.24.8", "1.24.9", "1.24.10", "1.24.11", "1.24.12",
 "1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
 "1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6",
 "1.27.0", "1.27.1", "1.27.2",
+ "1.28.0",
 } {
 cases[v] = testcase{expect: SupportedProxyFeatures{}}
 }
diff --git a/envoyextensions/xdscommon/proxysupport.go b/envoyextensions/xdscommon/proxysupport.go
index 9e487e1867..22384f71cc 100644
--- a/envoyextensions/xdscommon/proxysupport.go
+++ b/envoyextensions/xdscommon/proxysupport.go
@@ -12,10 +12,10 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
+ "1.28.0",
 "1.27.2",
 "1.26.6",
 "1.25.11",
- "1.24.12",
 }
 // UnsupportedEnvoyVersions lists any unsupported Envoy versions (mainly minor versions) that fall
diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx
index c060346229..1e44b76e36 100644
--- a/website/content/docs/connect/proxies/envoy.mdx
+++ b/website/content/docs/connect/proxies/envoy.mdx
@@ -39,9 +39,9 @@ Consul supports **four major Envoy releases** at the beginning of each major Con
 | Consul Version | Compatible Envoy Versions |
 | ------------------- | -----------------------------------------------------------------------------------|
+| 1.18.x | 1.28.0, 1.27.2, 1.26.6, 1.25.11 |
 | 1.17.x | 1.27.2, 1.26.6, 1.25.11, 1.24.12 |
 | 1.16.x | 1.26.6, 1.25.11, 1.24.12, 1.23.12 |
-| 1.15.x | 1.25.11, 1.24.12, 1.23.12, 1.22.11 |
 ### Envoy and Consul Dataplane
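Review bot: In proxysupport.go, `EnvoyVersions` lists one release per minor line, but the accepted list in envoy_versioning_test.go still expects no error for earlier patches such as `1.27.0` and `1.26.0`, so the version gate appears to work per minor line rather than per patch level. Since this change is labelled a security update for CVE-2023-44487, the comment above the list should say so, e.g. `// Earlier patch releases of these lines are still accepted and may lack security fixes.`, or those releases should be rejected or warned about if that is the intent. The commit also drops `1.24.12` without a visible test case asserting that 1.24.x is now refused; the test function continues outside its hunk, so such a case may already exist. The comment block above `EnvoyVersions` starts outside the hunk.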
@@ -193,7 +193,7 @@ the [`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) bl - `envoy_telemetry_collector_bind_socket_dir` - Specifies the directory where Envoy creates a Unix socket. Envoy sends metrics to the socket where a Consul telemetry collector can collect them. - The socket is not configured by default. + The socket is not configured by default. Enabling this sets Envoy's [`stats_flush_interval`](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-stats-flush-interval) to one minute if `envoy_stats_flush_interval` is unset and if no other stats sinks are configured, like `envoy_dogstats_url`, for instance. The [Advanced Configuration](#advanced-configuration) section describes additional configurations that allow incremental or complete control over the bootstrap configuration generated.