Change8

v1.36.7

📦 envoyView on GitHub →
🐛 5 fixes🔧 4 symbols

Summary

This release focuses on security fixes, addressing vulnerabilities in HTTP/2 header limits and OAuth2 HMAC verification, alongside a fix for a load report shutdown race condition.

Migration Steps

  1. If you rely on the previous behavior where uncompressed cookies did not count towards header limits, you may need to adjust configurations or be aware that cookies now count towards ``mutable_max_request_headers_kb`` and ``max_headers_count``. This change can be reverted by setting the runtime feature ``envoy.reloadable_features.http2_include_cookies_in_limits`` to false.

🐛 Bug Fixes

  • http2: HTTP/2 streams are now reset if they violate the configured maximum header list size; uncompressed cookies now count towards ``mutable_max_request_headers_kb`` and ``max_headers_count`` limits.
  • oauth2: Fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
  • oauth2: Fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a ``HeaderString`` validation assert.
  • http2: Applied nghttp2 CVE-2026-27135 patch.
  • load_report: Fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup.

Affected Symbols