repo: Release v1.29.9

**Summary of changes**

[CVE-2024-45808](GHSA-p222-xhp9-39rc): Malicious log injection via access logs
[CVE-2024-45806](GHSA-ffhv-fvxq-r6mf): Potential manipulate `x-envoy` headers from external sources
[CVE-2024-45809](GHSA-wqr5-qmq7-3qw3): Jwt filter crash in the clear route cache with remote JWKs
[CVE-2024-45810](GHSA-qm74-x36m-555q): Envoy crashes for LocalReply in http async client

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.29.9
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.29.9/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.29.9/version_history/v1.29/v1.29.9
**Full changelog**:
    v1.29.8...v1.29.9

Signed-off-by: Boteng Yao <boteng@google.com>
Signed-off-by: Ryan Northey <ryan@synca.io>

Signed-off-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>

VERSION.txt

@@ -1 +1 @@
-1.29.9-dev
+1.29.9

changelogs/1.28.7.yaml

@@ -0,0 +1,22 @@
+date: September 19, 2024
+
+behavior_changes:
+- area: http
+  change: |
+    The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
+    If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary ``x-envoy``
+    headers) please explictily include those addresses or CIDR ranges into :ref:`internal_address_config
+    <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.internal_address_config>`
+    See the config examples from the above ``internal_address_config`` link. This default no trust internal address can be turned on by
+    setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
+
+minor_behavior_changes:
+- area: access_log
+  change: |
+    Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
+    flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
+
+bug_fixes:
+- area: http_async_client
+  change: |
+    Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.

changelogs/current.yaml

@@ -1,7 +1,6 @@
-date: Pending
+date: September 19, 2024
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: http
   change: |
     The default configuration of Envoy will continue to trust internal addresses while in the future it will not trust them by default.
@@ -12,14 +11,12 @@ behavior_changes:
     setting runtime guard ``envoy.reloadable_features.explicit_internal_address_config`` to ``true``.
 
 minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
 - area: access_log
   change: |
     Sanitize SNI for potential log injection. The invalid character will be replaced by ``_`` with an ``invalid:`` marker. If runtime
     flag ``envoy.reloadable_features.sanitize_sni_in_access_log`` is set to ``false``, the sanitize behavior is disabled.
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: jwt
   change: |
     Fixed a bug where using ``clear_route_cache`` with remote JWKs works
@@ -28,10 +25,3 @@ bug_fixes:
 - area: http_async_client
   change: |
     Fixed the local reply and destroy order crashes when using the http async client for websocket handshake.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:

docs/versions.yaml

@@ -21,5 +21,5 @@
 "1.25": 1.25.11
 "1.26": 1.26.8
 "1.27": 1.27.7
-"1.28": 1.28.6
-"1.29": 1.29.7
+"1.28": 1.28.7
+"1.29": 1.29.8