Change8

v1.35.9

📦 envoy
🐛 5 fixes

Summary

This release focuses primarily on security fixes addressing various vulnerabilities, including issues in rbac, IPv6 handling, JSON parsing, and HTTP decoding. It also includes a fix for OAuth2 host rewriting and dependency updates.

Migration Steps

  1. Migrated googleurl source to GitHub (google/gurl).

🐛 Bug Fixes

  • Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
  • Fixed multivalue header bypass in rbac (Security fix CVE-2026-26308).
  • Fixed crash in getAddressWithPort() when called with a scoped IPv6 address (Security fix CVE-2026-26310).
  • Fixed an off-by-one write in json that could corrupt the string null terminator (Security fix CVE-2026-26309).
  • Ensured decode* methods are blocked after a downstream reset in http (Security fix CVE-2026-26311).