v1.35.11
📦 envoyView on GitHub →
✨ 2 features🐛 5 fixes🔧 8 symbols
Summary
This release focuses heavily on security fixes, addressing vulnerabilities in HTTP/2 header limits, HMAC verification, and AES-CBC decryption. It also introduces new features for periodic metric eviction and limiting stats scope size.
Migration Steps
- If you were relying on uncompressed cookies not counting towards header size limits, be aware they now count towards `mutable_max_request_headers_kb` and `max_headers_count`. This behavior can be reverted by setting the runtime feature `envoy.reloadable_features.http2_include_cookies_in_limits` to false.
✨ New Features
- Added support to remove unused metrics from memory for extensions that support evictable metrics, controlled by `stats_eviction_interval`.
- Added support to limit the number of stats stored in each stats scope in the stats library.
🐛 Bug Fixes
- Fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup in load_report.
- http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards `mutable_max_request_headers_kb` and `max_headers_count` limits.
- oauth2: Fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
- oauth2: Fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a `HeaderString` validation assert.
- http2: Applied nghttp2 CVE-2026-27135 patch.