v1.36.7
📦 envoyView on GitHub →
🐛 5 fixes🔧 4 symbols
Summary
This release focuses on security fixes, addressing vulnerabilities in HTTP/2 header limits and OAuth2 HMAC verification, alongside a fix for a load report shutdown race condition.
Migration Steps
- If you rely on the previous behavior where uncompressed cookies did not count towards header limits, you may need to adjust configurations or be aware that cookies now count towards ``mutable_max_request_headers_kb`` and ``max_headers_count``. This change can be reverted by setting the runtime feature ``envoy.reloadable_features.http2_include_cookies_in_limits`` to false.
🐛 Bug Fixes
- http2: HTTP/2 streams are now reset if they violate the configured maximum header list size; uncompressed cookies now count towards ``mutable_max_request_headers_kb`` and ``max_headers_count`` limits.
- oauth2: Fixed a timing side-channel in HMAC verification that could leak HMAC secret validity.
- oauth2: Fixed a crash where AES-CBC decryption of token cookies could spuriously succeed (~1/256) on a secret mismatch, tripping a ``HeaderString`` validation assert.
- http2: Applied nghttp2 CVE-2026-27135 patch.
- load_report: Fixed a shutdown race with ADS stream by introducing proper gRPC stream cleanup.