Change8

v1.35.11

📦 envoyView on GitHub →
2 features🐛 5 fixes🔧 8 symbols

Summary

This release focuses heavily on security fixes, addressing vulnerabilities in HTTP/2 header limits, HMAC verification, and AES-CBC decryption. It also introduces new features for periodic metric eviction and limiting stats scope size.

Migration Steps

  1. If you were relying on uncompressed cookies not counting towards header size limits, be aware they now count towards `mutable_max_request_headers_kb` and `max_headers_count`. This behavior can be reverted by setting the runtime feature `envoy.reloadable_features.http2_include_cookies_in_limits` to false.

✨ New Features

  • Added support to remove unused metrics from memory for extensions that support evictable metrics, controlled by `stats_eviction_interval`.
  • Added support to limit the number of stats stored in each stats scope in the stats library.

🐛 Bug Fixes

  • Fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup in load_report.
  • http2: HTTP/2 streams are now reset if they violate the configured maximum header list size. Uncompressed cookies now count towards `mutable_max_request_headers_kb` and `max_headers_count` limits.
  • oauth2: Fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
  • oauth2: Fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a `HeaderString` validation assert.
  • http2: Applied nghttp2 CVE-2026-27135 patch.

Affected Symbols