repo: Release v1.28.7

**Summary of changes** [CVE-2024-45808](GHSA-p222-xhp9-39rc): Malicious log injection via access logs [CVE-2024-45806](GHSA-ffhv-fvxq-r6mf): Potential manipulate `x-envoy` headers from external sources [CVE-2024-45810](GHSA-qm74-x36m-555q): Envoy crashes for LocalReply in http async client **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.28.7 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.28.7/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.28.7/version_history/v1.28/v1.28.7 **Full changelog**: v1.28.6...v1.28.7 Signed-off-by: Boteng Yao <boteng@google.com> Signed-off-by: Ryan Northey <ryan@synca.io>
envoyproxy · Sep 19, 2024 · 4848d6d · 4848d6d
1 parent b5a09f7
commit 4848d6d
Show file tree

Hide file tree

Showing 4 changed files with 3 additions and 13 deletions.
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.28.7-dev
+1.28.7
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -1,7 +1,6 @@
-date: Pending
+date: September 19, 2024
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: http
   change: |
     The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
@@ -12,21 +11,12 @@ behavior_changes:
     setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
 
 minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
 - area: access_log
   change: |
     Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
     flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: http_async_client
   change: |
     Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:
diff --git a/docs/inventories/v1.28/objects.inv b/docs/inventories/v1.28/objects.inv
diff --git a/docs/versions.yaml b/docs/versions.yaml
@@ -21,4 +21,4 @@
 "1.25": 1.25.11
 "1.26": 1.26.8
 "1.27": 1.27.7
-"1.28": 1.28.5
+"1.28": 1.28.6