chore(deps): update envoy 1.36.x to v1.36.9 (v1.36) #1956

Merged
sayboras merged 1 commit into v1.36 from renovate/v1.36-envoy-1.36.x
Jun 24, 2026

@renovate renovate Bot commented Jun 23, 2026

This PR contains the following updates:

Package            Update   Change
envoyproxy/envoy   patch    1.36.8 → 1.36.9
envoyproxy/envoy   patch    v1.36.8 → v1.36.9

Release Notes

envoyproxy/envoy (envoyproxy/envoy)

v1.36.9

repo: Release v1.36.9

Summary of changes:

  • Upstream security fixes:

    • CVE-2026-47205: Authz per route crash
    • CVE-2026-47207: ext_proc response in one gRPC message
    • CVE-2026-47221: router internal redirects crash
    • CVE-2026-47775: OAuth2 code verifier padding oracle
    • CVE-2026-48044: zstd RLE zip bomb
    • CVE-2026-47204: grpc_stats filter segfault on Connect protocol requests to direct_response routes
    • CVE-2026-47692: PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
    • CVE-2026-47778: Embedded NUL in TLS SAN Truncation, Auth Bypass
    • CVE-2026-48042: Stack overflow in destructor of highly nested JSON
    • CVE-2026-48090: OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
    • CVE-2026-48497: Abnormal process termination in DNS UDP filter
    • CVE-2026-48743: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length
    • CVE-2026-48706: Envoy Heap Buffer Overflow in TcpStatsdSink
    • GHSA-p7c7-7c47-pwch: Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding

  • Behavior changes:

    • build: disabled the contrib extension envoy.network.connection_balance.dlb (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See #45491 for local workarounds.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.9
Docs:
https://www.envoyproxy.io/docs/envoy/v1.36.9/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.36.9/version_history/v1.36/v1.36.9
Full changelog:
envoyproxy/envoy@v1.36.8...v1.36.9


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate Bot requested a review from a team as a code owner June 23, 2026 23:34
@renovate renovate Bot requested review from nezdolik and removed request for a team June 23, 2026 23:34
@sayboras sayboras merged commit cb078cc into v1.36 Jun 24, 2026
7 checks passed
@sayboras sayboras deleted the renovate/v1.36-envoy-1.36.x branch June 24, 2026 00:54