Date: Sun, 22 Nov 2020 23:03:53 GMT
<p>The Envoy Proxy fixed two zero day vulnerabilities, from Envoy groups :</p> <p>We are announcing the fixes for two zero days that were identified today:</p> <ol> <li>Crash in UDP proxy when datagram size is > 1500. This can happen if either MTU > 1500 or if fragmented datagrams are forwarded and reassembled: <a href="https://github.com/envoyproxy/envoy/pull/14122">https://github.com/envoyproxy/envoy/pull/14122</a>. This issue was already under embargo and a new issue was opened in public GitHub.</li> <li>Proxy proto downstream address not restored correctly for <strong>non-HTTP connections</strong>: <a href="https://github.com/envoyproxy/envoy/pull/14131">https://github.com/envoyproxy/envoy/pull/14131</a>. This issue was opened publicly recently but the security implications were not clear at the time. This will affect logging and network level RBAC for <strong>non-HTTP network connections</strong>.</li> </ol> <p>Resources</p> <p><a href="https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0">https://groups.google.com/g/envoy-security-announce/c/aqtBt5VUor0</a></p> <p>0:00</p> <p>0:20 UDP Proxy Crash</p> <p>2:15 Incorrect Downstream Remote Address</p>