v1.34.13
📦 envoy
🐛 5 fixes 🔧 4 symbols
Summary
Release v1.34.13 primarily focuses on critical security fixes across RBAC, networking, JSON handling, and HTTP decoding. It also includes a bug fix for OAuth2 host rewriting and dependency updates.
Migration Steps
- Migrated googleurl source to GitHub (`google/gurl`).
🐛 Bug Fixes
- Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
- Fixed multivalue header bypass in rbac (Security fix for CVE-2026-26308).
- Fixed crash in getAddressWithPort() when called with a scoped IPv6 address (Security fix for CVE-2026-26310).
- Fixed an off-by-one write in json that could corrupt the string null terminator (Security fix for CVE-2026-26309).
- Ensured decode* methods are blocked after a downstream reset in http (Security fix for CVE-2026-26311).