v1.34.4

Summary of changes:

• Wasm:
  • Update v8 and wasmtime to resolve CVEs.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.4
Docs:
https://www.envoyproxy.io/docs/envoy/v1.34.4/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.34.4/version_history/v1.34/v1.34.4
Full changelog:
v1.34.3...v1.34.4

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.33.6

Summary of changes:

• Wasm:
  • Update v8 and wasmtime to resolve CVEs.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.6
Docs:
https://www.envoyproxy.io/docs/envoy/v1.33.6/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.33.6/version_history/v1.33/v1.33.6
Full changelog:
v1.33.5...v1.33.6

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.32.9

Summary of changes:

• Wasm:
  • Update v8 to resolve CVEs.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.32.9
Docs:
https://www.envoyproxy.io/docs/envoy/v1.32.9/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.32.9/version_history/v1.32/v1.32.9
Full changelog:
v1.32.8...v1.32.9

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.35.0

Summary of changes:

• Security:

  • Fixed TLS inspector handling of client hello messages larger than 16KB.
  • Fixed bug where empty trusted CA files were accepted, causing validation of any certificate chain.

• Build:

  • Major: Upgraded to C++20, enabling modern C++ features throughout the codebase.
  • Consolidated clang/gcc toolchains using --config=clang or --config=gcc.
  • Breaking: Removed grpc_credentials/aws_iam extension and contrib squash filter.

• HTTP:

  • Added x-envoy-original-host header to record original host values before mutation.
  • Added HTTP/3 pseudo header validation (disable via envoy.restart_features.validate_http3_pseudo_headers).
  • Fixed HTTP/1 parser to properly handle newlines between requests per RFC 9112.
  • Added request/response trailer mutations support in header mutation filter.

• Load balancing:

  • Added override host load balancing policy.
  • Added hash policy configuration directly to ring hash and maglev load balancers.
  • Added matcher-based cluster specifier plugin for dynamic cluster selection.

• External processing:

  • Added FULL_DUPLEX_STREAMED body mode for bidirectional streaming.
  • Implemented graceful gRPC side stream closing with timeout.
  • Added per-route failure_mode_allow override support.

• Wasm:

  • Update v8 and wasmtime dependencies to resolve multiple CVEs

• Authentication:

  • Added OAuth2 token encryption, configurable token expiration, and OIDC logout support.
  • Added API key auth filter with forwarding configuration.
  • Added AWS IAM Roles Anywhere support.

• Observability:

  • Added TLS certificate expiration metrics.
  • Enhanced transport tap with streaming trace capability.
  • Added JA4 fingerprinting to TLS inspector.
  • Added TCP tunneling access log substitution strings.

• New features:

  • Dynamic modules: Added support for LocalityLbEndpoints metadata and SSL connection info attributes.
  • Stateful session cookie attributes and envelope mode support.
  • Redis proxy AWS IAM authentication and scan/info command support.
  • Lua filter access to filter context and typed metadata.
  • ServerNameMatcher for trie-based domain matching.

• Notable fixes:

  • Fixed Wasm hang after VM crash in request callbacks.
  • Fixed Lua filter crash when removing status header.
  • Fixed connection pool capacity calculation issues.
  • Improved TCP proxy retry logic to avoid connection issues.

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.0
Docs:
https://www.envoyproxy.io/docs/envoy/v1.35.0/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.35.0/version_history/v1.35/v1.35.0
Full changelog:
v1.34.0...v1.35.0

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.34.3

Summary of changes:

• TLS:

  • Fixed incorrectly cached connection properties on TLS connections that could cause network RBAC filters to fail.

• HTTP/2:

  • Fixed connection window buffer leak in oghttp2 that could cause connections to get stuck.

• Observability:

  • Fixed division by zero bug in Dynatrace sampling controller.

• Release:

  • Fixed permissions for distroless config directory.
  • Updated container images (Ubuntu/distroless).

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.3
Docs:
https://www.envoyproxy.io/docs/envoy/v1.34.3/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.34.3/version_history/v1.34/v1.34.3
Full changelog:
v1.34.2...v1.34.3

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.33.5

Summary of changes:

• TLS:

  • Fixed incorrectly cached connection properties on TLS connections that could cause network RBAC filters to fail.

• Observability:

  • Fixed division by zero bug in Dynatrace sampling controller.

• Release:

  • Fixed permissions for distroless config directory.
  • Updated container images (Ubuntu/distroless).

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.5
Docs:
https://www.envoyproxy.io/docs/envoy/v1.33.5/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.33.5/version_history/v1.33/v1.33.5
Full changelog:
v1.33.4...v1.33.5

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.32.8

Summary of changes:

• Observability:

  • Fixed division by zero bug in Dynatrace sampling controller.

• Release:

  • Fixed permissions for distroless config directory.
  • Updated container images (Ubuntu/distroless).

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.32.8
Docs:
https://www.envoyproxy.io/docs/envoy/v1.32.8/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.32.8/version_history/v1.32/v1.32.8
Full changelog:
v1.32.7...v1.32.8

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.31.10

Summary of changes:

• Observability:

  • Fixed division by zero bug in Dynatrace sampling controller.

• Release:

  • Fixed permissions for distroless config directory.
  • Updated container images (Ubuntu/distroless).

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.31.10
Docs:
https://www.envoyproxy.io/docs/envoy/v1.31.10/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.31.10/version_history/v1.31/v1.31.10
Full changelog:
v1.31.9...v1.31.10

Signed-off-by: Ryan Northey [email protected]
Signed-off-by: Rohit Agrawal [email protected]

v1.34.2

Summary of changes:

• Container update to resolve glibc vulnerabilities
• Assorted fixes

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.2
Docs:
https://www.envoyproxy.io/docs/envoy/v1.34.2/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.34.2/version_history/v1.34/v1.34.2
Full changelog:
v1.34.1...v1.34.2

v1.33.4

Summary of changes:

• Container update to resolve glibc vulnerabilities
• Assorted fixes

Docker images:
https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.4
Docs:
https://www.envoyproxy.io/docs/envoy/v1.33.4/
Release notes:
https://www.envoyproxy.io/docs/envoy/v1.33.4/version_history/v1.33/v1.33.4
Full changelog:
v1.33.3...v1.33.4