auto-merge envoyproxy/envoy[release/v1.35] into envoyproxy/envoy-openssl[release/v1.35]

* upstream/release/v1.35:
  repo: Dev v1.35.8 (#42403)
  repo: Release v1.35.7
  changelogs/1.35.7: Add summary
  Add option to reject early CONNECT data
  fix jwt_auth crash with two or more auth header
  tls: fix SAN validation for OTHERNAME types with embedded nulls Certificates with an OTHERNAME SAN using type `V_ASN1_UNIVERSALSTRING` or `V_ASN1_BMPSTRING` with an embedded null would have the name truncated at the first null, resulting in an incorrect check.
  tcp_proxy: fixes a cx leak in the TCP Proxy when receive_before_connect is enabled (#42024)
  distribution/docker: Bump Ubuntu -> 104ae837 (#42337)
  distribution/docker: Install tzdata (#42338)
  bazel: Bump -> 7.7.1 (#42295)
  bazelrc: Add compatibility with repo settings
  github/ci: Fix request workflow (#42355)

Signed-off-by: jwendell <[email protected]>

Author: jwendell

.bazelrc

@@ -588,6 +588,12 @@ common:debug --config=debug-sandbox
 common:debug --config=debug-coverage
 common:debug --config=debug-tests
 
+#############################################################################
+# compat: Compatibility with main branch repo settings
+#############################################################################
+common:bes --config=bes-envoy-engflow
+common:rbe --config=remote-envoy-engflow
+
 try-import %workspace%/repo.bazelrc
 try-import %workspace%/clang.bazelrc
 try-import %workspace%/user.bazelrc

.bazelversion

@@ -1 +1 @@
-7.6.2
+7.7.1

.github/workflows/request.yml

@@ -25,7 +25,7 @@ concurrency:
 jobs:
   request:
     permissions:
-      actions: read
+      actions: write
       contents: read
       packages: read
       # required to fetch merge commit
@@ -36,9 +36,6 @@ jobs:
       app-id: ${{ secrets.ENVOY_CI_APP_ID }}
       lock-app-key: ${{ secrets.ENVOY_CI_MUTEX_APP_KEY }}
       lock-app-id: ${{ secrets.ENVOY_CI_MUTEX_APP_ID }}
-      gcs-cache-key: ${{ secrets.GCS_CACHE_WRITE_KEY }}
-    with:
-      gcs-cache-bucket: ${{ vars.ENVOY_CACHE_BUCKET }}
     # For branches this can be pinned to a specific version if required
     # NB: `uses` cannot be dynamic so it _must_ be hardcoded anywhere it is read
     uses: envoyproxy/envoy/.github/workflows/_request.yml@main

VERSION.txt

@@ -1 +1 @@
-1.35.7-dev
+1.35.8-dev

changelogs/1.33.13.yaml

@@ -0,0 +1,17 @@
+date: December 3, 2025
+
+behavior_changes:
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.

changelogs/1.34.11.yaml

@@ -0,0 +1,28 @@
+date: December 3, 2025
+
+behavior_changes:
+- area: dynamic modules
+  change: |
+    The dynamic module ABI has been updated to support streaming body manipulation. This change also
+    fixed potential incorrect behavior when access or modify the request or response body. See
+    https://github.com/envoyproxy/envoy/issues/40918 for more details.
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tcp_proxy
+  change: |
+    Fixed a connection leak in the TCP proxy when the ``receive_before_connect`` feature is enabled and the
+    downstream connection closes before the upstream connection is established.
+
+deprecated:
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.

changelogs/1.35.7.yaml

@@ -0,0 +1,32 @@
+date: December 4, 2025
+
+behavior_changes:
+- area: dynamic modules
+  change: |
+    The dynamic module ABI has been updated to support streaming body manipulation. This change also
+    fixed potential incorrect behavior when access or modify the request or response body. See
+    https://github.com/envoyproxy/envoy/issues/40918 for more details.
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tcp_proxy
+  change: |
+    Fixed a connection leak in the TCP proxy when the ``receive_before_connect`` feature is enabled and the
+    downstream connection closes before the upstream connection is established.
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.
+
+new_features:
+- area: dynamic modules
+  change: |
+    Added support for loading dynamic modules globally by setting :ref:`load_globally
+    <envoy_v3_api_field_extensions.dynamic_modules.v3.DynamicModuleConfig.load_globally>` to true.

changelogs/current.yaml

@@ -2,11 +2,6 @@ date: Pending
 
 behavior_changes:
 # *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
-- area: dynamic modules
-  change: |
-    The dynamic module ABI has been updated to support streaming body manipulation. This change also
-    fixed potential incorrect behavior when access or modify the request or response body. See
-    https://github.com/envoyproxy/envoy/issues/40918 for more details.
 
 minor_behavior_changes:
 # *Changes that may cause incompatibilities for some users, but should not for most*
@@ -18,9 +13,5 @@ removed_config_or_runtime:
 # *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
 
 new_features:
-- area: dynamic modules
-  change: |
-    Added support for loading dynamic modules globally by setting :ref:`load_globally
-    <envoy_v3_api_field_extensions.dynamic_modules.v3.DynamicModuleConfig.load_globally>` to true.
 
 deprecated:

distribution/docker/Dockerfile-envoy

@@ -1,6 +1,6 @@
 ARG BUILD_OS=ubuntu
 ARG BUILD_TAG=22.04
-ARG BUILD_SHA=09506232a8004baa32c47d68f1e5c307d648fdd59f5e7eaa42aaf87914100db3
+ARG BUILD_SHA=104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb
 ARG ENVOY_VRP_BASE_IMAGE=envoy-base
 
 
@@ -29,7 +29,7 @@ RUN --mount=type=tmpfs,target=/var/cache/apt \
     --mount=type=tmpfs,target=/var/lib/apt/lists \
     apt-get -qq update \
     && apt-get -qq upgrade -y \
-    && apt-get -qq install --no-install-recommends -y ca-certificates \
+    && apt-get -qq install --no-install-recommends -y ca-certificates tzdata \
     && apt-get -qq autoremove -y