security: update supported envoy version 1.28.0 in addition to 1.25.1…

…1, 1.26.6, 1.27.2, 1.28.0 to address CVE-2023-44487 (#19879) * update too support envoy 1.28.0 * add changelog * update docs
hashicorp · Dec 8, 2023 · 5ec84db · 5ec84db
1 parent 1d9234a
commit 5ec84db
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 4 deletions.
diff --git a/.changelog/19879.txt b/.changelog/19879.txt
@@ -0,0 +1,3 @@
+```release-note:security
+mesh: update supported envoy version 1.28.0 in addition to 1.25.11, 1.26.6, 1.27.2, 1.28.0 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```
diff --git a/envoyextensions/xdscommon/envoy_versioning_test.go b/envoyextensions/xdscommon/envoy_versioning_test.go
@@ -151,10 +151,10 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 	}
 	*/
 	for _, v := range []string{
-		"1.24.0", "1.24.1", "1.24.2", "1.24.3", "1.24.4", "1.24.5", "1.24.6", "1.24.7", "1.24.8", "1.24.9", "1.24.10", "1.24.11", "1.24.12",
 		"1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
 		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6",
 		"1.27.0", "1.27.1", "1.27.2",
+		"1.28.0",
 	} {
 		cases[v] = testcase{expect: SupportedProxyFeatures{}}
 	}

diff --git a/envoyextensions/xdscommon/proxysupport.go b/envoyextensions/xdscommon/proxysupport.go
@@ -12,10 +12,10 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
+	"1.28.0",
 	"1.27.2",
 	"1.26.6",
 	"1.25.11",
-	"1.24.12",
 }
 
 // UnsupportedEnvoyVersions lists any unsupported Envoy versions (mainly minor versions) that fall

diff --git a/website/content/docs/connect/proxies/envoy.mdx b/website/content/docs/connect/proxies/envoy.mdx
@@ -39,9 +39,9 @@ Consul supports **four major Envoy releases** at the beginning of each major Con
 
 | Consul Version      | Compatible Envoy Versions                                                          |
 | ------------------- | -----------------------------------------------------------------------------------|
+| 1.18.x              | 1.28.0, 1.27.2, 1.26.6, 1.25.11                                                    |
 | 1.17.x              | 1.27.2, 1.26.6, 1.25.11, 1.24.12                                                   |
 | 1.16.x              | 1.26.6, 1.25.11, 1.24.12, 1.23.12                                                  |
-| 1.15.x              | 1.25.11, 1.24.12, 1.23.12, 1.22.11                                                 |
 
 ### Envoy and Consul Dataplane
 
@@ -193,7 +193,7 @@ the [`sidecar_service`](/consul/docs/connect/proxies/deploy-sidecar-services) bl
 
 - `envoy_telemetry_collector_bind_socket_dir` - Specifies the directory where Envoy creates a Unix socket.
   Envoy sends metrics to the socket where a Consul telemetry collector can collect them.
-  The socket is not configured by default. 
+  The socket is not configured by default.
   Enabling this sets Envoy's [`stats_flush_interval`](https://www.envoyproxy.io/docs/envoy/v1.17.2/api-v3/config/bootstrap/v3/bootstrap.proto#envoy-v3-api-field-config-bootstrap-v3-bootstrap-stats-flush-interval) to one minute if `envoy_stats_flush_interval` is unset and if no other stats sinks are configured, like `envoy_dogstats_url`, for instance.
 
 The [Advanced Configuration](#advanced-configuration) section describes additional configurations that allow incremental or complete control over the bootstrap configuration generated.