repo: Release v1.30.2

**Summary of changes:**

- [CVE-2024-34362: Crash (use-after-free) in EnvoyQuicServerStream](GHSA-hww5-43gv-35jv)
- [CVE-2024-34363: Crash due to uncaught nlohmann JSON exception](GHSA-g979-ph9j-5gg4)
- [CVE-2024-34364: Envoy OOM vector from HTTP async client with unbounded response buffer for mirror response, and other components](GHSA-xcj3-h7vf-fw26)
- [CVE-2024-32974: Crash in EnvoyQuicServerStream::OnInitialHeadersComplete()](GHSA-mgxp-7hhp-8299)
- [CVE-2024-32975: Crash in QuicheDataReader::PeekVarInt62Length()](GHSA-g9mq-6v96-cpqc)
- [CVE-2024-32976: Endless loop while decompressing Brotli data with extra input](GHSA-7wp5-c2vq-4f8m)
- [CVE-2024-23326: Envoy incorrectly accepts HTTP 200 response for entering upgrade mode](GHSA-vcf8-7238-v74c)

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.30.2
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.30.2/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.30.2/version_history/v1.30/v1.30.2
**Full changelog**:
    v1.30.1...v1.30.2

Signed-off-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>
Signed-off-by: Ryan Northey <[email protected]>

Signed-off-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>

Author: publish-envoy[bot]

VERSION.txt

@@ -1 +1 @@
-1.30.2-dev
+1.30.2

changelogs/1.27.6.yaml

@@ -0,0 +1,33 @@
+date: June 4, 2024
+
+bug_fixes:
+- area: router
+  change: |
+    Fix a timing issue when upstream requests are empty when decoding data and send local reply when that happends. This is
+    controlled by ``envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request``.
+- area: quic
+  change: |
+    Applied 2 QUICHE patches for crash bugs in ``QuicSpdyStream`` ``OnDataAvailable()`` and ``OnInitialHeaderComplete()``.
+- area: quic
+  change: |
+    Fixed crash bug when QUIC downstream stream was read closed and then timed out.
+- area: decompression
+  change: |
+    Fixed a bug where Envoy will go into an endless loop when using the brotli decompressor. If the input stream has
+    redundant data, the decompressor will loop forever.
+- area: websocket
+  change: |
+    Only 101 is considered a successful response for websocket handshake for HTTP/1.1, and Envoy as a proxy will proxy the response
+    header from upstream to downstream and then close the request if other status is received. This behavior can be
+    reverted by ``envoy_reloadable_features_check_switch_protocol_websocket_handshake``.
+- area: async http client
+  change: |
+    Added one option to disable the response body buffering for mirror request. Also introduced a 32MB cap for the response
+    buffer, which can be changed by the runtime flag ``http.async_response_buffer_limit`` based on the product needs.
+
+removed_config_or_runtime:
+# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
+
+new_features:
+
+deprecated:

changelogs/1.28.4.yaml

@@ -0,0 +1,26 @@
+date: June 5, 2024
+
+bug_fixes:
+- area: router
+  change: |
+    Fix a timing issue when upstream requests are empty when decoding data and send local reply when that happends. This is
+    controlled by ``envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request``.
+- area: quic
+  change: |
+    Applied 2 QUICHE patches for crash bugs in ``QuicSpdyStream`` ``OnDataAvailable()`` and ``OnInitialHeaderComplete()``.
+- area: quic
+  change: |
+    Fixed crash bug when QUIC downstream stream was read closed and then timed out.
+- area: decompression
+  change: |
+    Fixed a bug where Envoy will go into an endless loop when using the brotli decompressor. If the input stream has
+    redundant data, the decompressor will loop forever.
+- area: websocket
+  change: |
+    Only 101 is considered a successful response for websocket handshake for HTTP/1.1, and Envoy as a proxy will proxy the response
+    header from upstream to downstream and then close the request if other status is received. This behavior can be
+    reverted by ``envoy_reloadable_features_check_switch_protocol_websocket_handshake``.
+- area: async http client
+  change: |
+    Added one option to disable the response body buffering for mirror request. Also introduced a 32MB cap for the response
+    buffer, which can be changed by the runtime flag ``http.async_response_buffer_limit`` based on the product needs.

changelogs/1.29.5.yaml

@@ -0,0 +1,26 @@
+date: June 5, 2024
+
+bug_fixes:
+- area: router
+  change: |
+    Fix a timing issue when upstream requests are empty when decoding data and send local reply when that happends. This is
+    controlled by ``envoy_reloadable_features_send_local_reply_when_no_buffer_and_upstream_request``.
+- area: quic
+  change: |
+    Applied 2 QUICHE patches for crash bugs in ``QuicSpdyStream`` ``OnDataAvailable()`` and ``OnInitialHeaderComplete()``.
+- area: quic
+  change: |
+    Fixed crash bug when QUIC downstream stream was read closed and then timed out.
+- area: decompression
+  change: |
+    Fixed a bug where Envoy will go into an endless loop when using the brotli decompressor. If the input stream has
+    redundant data, the decompressor will loop forever.
+- area: websocket
+  change: |
+    Only 101 is considered a successful response for websocket handshake for HTTP/1.1, and Envoy as a proxy will proxy the response
+    header from upstream to downstream and then close the request if other status is received. This behavior can be
+    reverted by ``envoy_reloadable_features_check_switch_protocol_websocket_handshake``.
+- area: async http client
+  change: |
+    Added one option to disable the response body buffering for mirror request. Also introduced a 32MB cap for the response
+    buffer, which can be changed by the runtime flag ``http.async_response_buffer_limit`` based on the product needs.

changelogs/current.yaml

@@ -1,10 +1,4 @@
-date: Pending
-
-behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
-
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
+date: June 5, 2024
 
 bug_fixes:
 # *Changes expected to improve the state of the world and are unlikely to have negative effects*
@@ -27,10 +21,3 @@ bug_fixes:
   change: |
     Added one option to disable the response body buffering for mirror request. Also introduced a 32MB cap for the response
     buffer, which can be changed by the runtime flag ``http.async_response_buffer_limit`` based on the product needs.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:

docs/inventories/v1.27/objects.inv

@@ -20,7 +20,7 @@
 "1.24": 1.24.12
 "1.25": 1.25.11
 "1.26": 1.26.8
-"1.27": 1.27.5
-"1.28": 1.28.3
-"1.29": 1.29.4
-"1.30": 1.30.0
+"1.27": 1.27.6
+"1.28": 1.28.4
+"1.29": 1.29.5
+"1.30": 1.30.1