auto-merge envoyproxy/envoy[release/v1.34] into envoyproxy/envoy-openssl[release/v1.34]

* upstream/release/v1.34:
  repo: Release v1.34.11
  changelogs/1.34.11: Add summary
  Add option to reject early CONNECT data
  fix jwt_auth crash with two or more auth header
  tls: fix SAN validation for OTHERNAME types with embedded nulls Certificates with an OTHERNAME SAN using type `V_ASN1_UNIVERSALSTRING` or `V_ASN1_BMPSTRING` with an embedded null would have the name truncated at the first null, resulting in an incorrect check.
  tcp_proxy: fixes a cx leak in the TCP Proxy when receive_before_connect is enabled (#42024)
  distribution/docker: Bump Ubuntu -> 104ae837 (#42337)
  distribution/docker: Install tzdata (#42338)
  bazel: Bump -> 7.7.1 (#42295)
  bazelrc: Add compatibility with repo settings
  github/ci: Fix request workflow (#42355)

Signed-off-by: jwendell <125759+jwendell@users.noreply.github.com>

Author: jwendell

.bazelrc

@@ -611,6 +611,12 @@ common:debug --config=debug-sandbox
 common:debug --config=debug-coverage
 common:debug --config=debug-tests
 
+#############################################################################
+# compat: Compatibility with main branch repo settings
+#############################################################################
+common:bes --config=bes-envoy-engflow
+common:rbe --config=remote-envoy-engflow
+
 try-import %workspace%/repo.bazelrc
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc

.bazelversion

@@ -1 +1 @@
-7.6.2
+7.7.1

.github/workflows/request.yml

@@ -25,7 +25,7 @@ concurrency:
 jobs:
   request:
     permissions:
-      actions: read
+      actions: write
       contents: read
       packages: read
       # required to fetch merge commit
@@ -36,9 +36,6 @@ jobs:
       app-id: ${{ secrets.ENVOY_CI_APP_ID }}
       lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
       lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
-      gcs-cache-key: ${{ secrets.GCS_CACHE_WRITE_KEY }}
-    with:
-      gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
     # For branches this can be pinned to a specific version if required
     # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
     uses: envoyproxy/envoy/.github/workflows/_request.yml@main

VERSION.txt

@@ -1 +1 @@
-1.34.11-dev
+1.34.11

changelogs/1.33.13.yaml

@@ -0,0 +1,17 @@
+date: December 3, 2025
+
+behavior_changes:
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.

changelogs/current.yaml

@@ -1,22 +1,28 @@
-date: Pending
+date: December 3, 2025
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: dynamic modules
   change: |
     The dynamic module ABI has been updated to support streaming body manipulation. This change also
     fixed potential incorrect behavior when access or modify the request or response body. See
     https://github.com/envoyproxy/envoy/issues/40918 for more details.
-
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
+- area: tcp_proxy
+  change: |
+    Fixed a connection leak in the TCP proxy when the ``receive_before_connect`` feature is enabled and the
+    downstream connection closes before the upstream connection is established.
 
 deprecated:
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.

changelogs/summary.md

@@ -0,0 +1,5 @@
+
+* Security fixes:
+  - CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
+  - CVE-2025-66220: TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte
+  - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade

distribution/docker/Dockerfile-envoy

@@ -1,6 +1,6 @@
 ARG BUILD_OS=ubuntu
 ARG BUILD_TAG=22.04
-ARG BUILD_SHA=09506232a8004baa32c47d68f1e5c307d648fdd59f5e7eaa42aaf87914100db3
+ARG BUILD_SHA=104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb
 ARG ENVOY_VRP_BASE_IMAGE=envoy-base
 
 
@@ -29,7 +29,7 @@ RUN --mount=type=tmpfs,target=/var/cache/apt \
     --mount=type=tmpfs,target=/var/lib/apt/lists \
     apt-get -qq update \
     && apt-get -qq upgrade -y \
-    && apt-get -qq install --no-install-recommends -y ca-certificates \
+    && apt-get -qq install --no-install-recommends -y ca-certificates tzdata \
     && apt-get -qq autoremove -y