Bug ID 1165615
Summary VUL-0: envoy-proxy: multiple security issues
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee mrostecki@suse.com
Reporter abergmann@suse.com
QA Contact security-team@suse.de
Found By ---
Blocker ---

This only affects openSUSE:Factory.

https://blog.getambassador.io/high-severity-vulnerabilities-in-envoy-proxy-34f49bab78b1

The full list of vulnerabilities addressed in this release is:

* CVE-2020-8659 (CVSS score 7.5, High): Envoy version 1.13.0 or earlier may
consume excessive amounts of memory when proxying HTTP/1.1 requests or
responses with many small (i.e. 1 byte) chunks.

* CVE-2020-8661 (CVSS score 7.5, High): Envoy version 1.13.0 or earlier may
consume excessive amounts of memory when responding internally to pipelined
requests.

* CVE-2020-8664 (CVSS score 5.3, Medium): Using the same secret (e.g. trusted
CA) across many resources together with the combined validation context could
lead to the "static" part of the validation context not being applied, even
though it was visible in the active config dump.

* CVE-2020-8660 (CVSS score 5.3, Medium): TLS inspector could have been
bypassed (not recognized as a TLS client) by a client using only TLS 1.3.
Because TLS extensions (SNI, ALPN) were not inspected, those connections might
have been matched to a wrong filter chain, possibly bypassing some security
restrictions in the process.
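As an added illustration of the first item above (the memory cost of buffering a body made of very many tiny HTTP/1.1 chunks), the following Python decoder was written for this report; it is not Envoy code and not part of the referenced advisory. It decodes a chunked body while enforcing a cap on the number of chunks and on the decoded size, so a stream of 1-byte chunks is rejected early instead of being accumulated. The limits `max_chunks` and `max_body` are assumed policy values, not values from Envoy's fix.

```python
"""
Added example (not Envoy project code): an HTTP/1.1 chunked-transfer-encoding
decoder that refuses bodies with too many chunks or too many decoded bytes.
"""


class ChunkedBodyError(ValueError):
    """Raised when the chunked body is malformed or exceeds a configured limit."""


def decode_chunked(data: bytes, max_chunks: int = 1024, max_body: int = 1 << 20) -> bytes:
    """Decode a complete HTTP/1.1 chunked body.

    data:       raw chunked body (chunk-size lines, chunk data, final 0 chunk)
    max_chunks: cap on the number of chunks accepted (assumed policy value)
    max_body:   cap on the decoded size in bytes (assumed policy value)
    Returns the decoded payload or raises ChunkedBodyError.
    """
    out = bytearray()
    pos = 0
    chunks = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedBodyError("truncated chunk-size line")
        # Chunk extensions (";name=value") are permitted by RFC 7230; ignore them.
        size_field = data[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ChunkedBodyError("invalid chunk size %r" % size_field) from None
        pos = eol + 2
        if size == 0:
            # last-chunk reached; any trailers follow and are not needed here
            return bytes(out)
        chunks += 1
        if chunks > max_chunks:
            # Many small chunks: stop before buffering per-chunk state any further.
            raise ChunkedBodyError("too many chunks (> %d)" % max_chunks)
        if len(out) + size > max_body:
            raise ChunkedBodyError("decoded body exceeds %d bytes" % max_body)
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkedBodyError("truncated chunk data")
        out += chunk
        pos += size
        if data[pos:pos + 2] != b"\r\n":
            raise ChunkedBodyError("missing CRLF after chunk data")
        pos += 2


def encode_chunked(payload: bytes, chunk_size: int) -> bytes:
    """Build a chunked body from payload using fixed-size chunks (helper for constructed samples)."""
    parts = []
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        parts.append(b"%x\r\n%s\r\n" % (len(piece), piece))
    parts.append(b"0\r\n\r\n")
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed sample: a normal body in a few chunks decodes fine...
    normal = encode_chunked(b"hello world", 4)
    print(decode_chunked(normal))
    # ...while the same kind of payload sent as 1-byte chunks trips the chunk cap.
    tiny = encode_chunked(b"x" * 5000, 1)
    try:
        decode_chunked(tiny, max_chunks=1024)
    except ChunkedBodyError as err:
        print("rejected:", err)
```

The chunk cap is checked before the chunk data is read, so the decoder's memory use is bounded by `max_body` plus one chunk-size line regardless of how the sender splits the body; a proxy that must stream bodies would apply the same two limits per request rather than buffering the whole body as this helper does.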

These security fixes are also included in Envoy 1.13.1 and 1.12.3, which are
also being released today.
