docs: 1.13.3 release notes. (#186)
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
PiotrSikora authored Jun 30, 2020
1 parent ca28a10 commit 57b5aee
Showing 2 changed files with 9 additions and 7 deletions.
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
1.13.3-dev
1.13.3
14 changes: 8 additions & 6 deletions docs/root/intro/version_history.rst
@@ -1,12 +1,14 @@
Version history
---------------

1.13.3 (Pending)
================
* http: the :ref:`stream_idle_timeout <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.stream_idle_timeout>`
now also defends against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client.
* listener: add runtime support for `per-listener limits <config_listeners_runtime>` on active/accepted connections.
* overload management: add runtime support for :ref:`global limits <config_overload_manager>` on active/accepted connections.
1.13.3 (June 30, 2020)
======================
* buffer: fixed CVE-2020-12603 by avoiding fragmentation, and tracking of HTTP/2 data and control frames in the output buffer.
* http: fixed CVE-2020-12604 by changing :ref:`stream_idle_timeout <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.stream_idle_timeout>`
to also defend against an HTTP/2 peer that does not open stream window once an entire response has been buffered to be sent to a downstream client.
* http: fixed CVE-2020-12605 by including request URL in request header size computation, and rejecting partial headers that exceed configured limits.
* listener: mitigated CVE-2020-8663 by adding runtime support for :ref:`per-listener limits <config_listeners_runtime>` on active/accepted connections.
* overload management: mitigated CVE-2020-8663 by adding runtime support for :ref:`global limits <config_overload_manager>` on active/accepted connections.

1.13.2 (June 8, 2020)
=====================
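
Review bot: The two CVE-2020-8663 entries (listener and overload management) say "mitigated ... by adding runtime support" for connection limits, but neither says whether any limit is in effect without operator configuration, so someone upgrading to 1.13.3 cannot tell from these lines whether the upgrade alone changes their exposure. Suggest saying in each entry whether the limit has to be set explicitly (or what the default is), with the existing :ref: links as the pointer to how. Separately, in the buffer entry, "by avoiding fragmentation, and tracking of HTTP/2 data and control frames" can be read as avoiding the tracking; if tracking is what was added, "by avoiding fragmentation and by tracking HTTP/2 data and control frames" removes the ambiguity.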