envoyproxy · publish-envoy · Jun 24, 2026
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.35.13
+1.35.14-dev
diff --git a/changelogs/current/PLACEHOLDER.txt → changelogs/current/PLACEHOLDER b/changelogs/current/PLACEHOLDER.txt → changelogs/current/PLACEHOLDER
diff --git a/changelogs/current/behavior_changes/build__disable_dlb.rst b/changelogs/current/behavior_changes/build__disable_dlb.rst
diff --git a/changelogs/current/bug_fixes/dns_filter__fixed-abort-on-long-name.rst b/changelogs/current/bug_fixes/dns_filter__fixed-abort-on-long-name.rst
diff --git a/changelogs/current/bug_fixes/ext_proc__fixed-a-bug-when-the-ext-proc-server.rst b/changelogs/current/bug_fixes/ext_proc__fixed-a-bug-when-the-ext-proc-server.rst
diff --git a/changelogs/current/bug_fixes/grpc_stats__fixed-a-crash-or-use-after-free-when.rst b/changelogs/current/bug_fixes/grpc_stats__fixed-a-crash-or-use-after-free-when.rst
diff --git a/changelogs/current/bug_fixes/json__limit-json-depth.rst b/changelogs/current/bug_fixes/json__limit-json-depth.rst
diff --git a/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-filter-may-access.rst b/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-filter-may-access.rst
diff --git a/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-the-attacker-could.rst b/changelogs/current/bug_fixes/oauth2__fixed-a-bug-where-the-attacker-could.rst
diff --git a/...gelogs/current/bug_fixes/proxy_protocol__fixed-a-bug-where-passthrough-tlvs.rst b/...gelogs/current/bug_fixes/proxy_protocol__fixed-a-bug-where-passthrough-tlvs.rst
diff --git a/changelogs/current/bug_fixes/quic__dos-qpack.rst b/changelogs/current/bug_fixes/quic__dos-qpack.rst
diff --git a/changelogs/current/bug_fixes/quic__validate-http3-headers-only.rst b/changelogs/current/bug_fixes/quic__validate-http3-headers-only.rst
diff --git a/changelogs/current/bug_fixes/router__fixed-an-issue-when-handling-http-303.rst b/changelogs/current/bug_fixes/router__fixed-an-issue-when-handling-http-303.rst
diff --git a/...logs/current/bug_fixes/tcp_statsd_sync__fix_buffer_overflow_with_large_name.rst b/...logs/current/bug_fixes/tcp_statsd_sync__fix_buffer_overflow_with_large_name.rst
diff --git a/changelogs/current/bug_fixes/tls__envoy-fails-to-validate-san.rst b/changelogs/current/bug_fixes/tls__envoy-fails-to-validate-san.rst
diff --git a/changelogs/current/bug_fixes/wasm__resolve_cve.rst b/changelogs/current/bug_fixes/wasm__resolve_cve.rst
diff --git a/.../bug_fixes/zstd__fixed-memory-exhaustion-vulnerability-in-zstd-decompressor.rst b/.../bug_fixes/zstd__fixed-memory-exhaustion-vulnerability-in-zstd-decompressor.rst
diff --git a/changelogs/summary.md b/changelogs/summary.md
@@ -1,22 +0,0 @@
-**Summary of changes**:
-
-* Security fixes:
-  - [CVE-2026-47207](https://github.com/envoyproxy/envoy/security/advisories/GHSA-68cv-hq5f-g6xv): ext_proc response in one gRPC message
-  - [CVE-2026-47221](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rcff-gw58-pjpr): router internal redirects crash
-  - [CVE-2026-47775](https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p): OAuth2 code verifier padding oracle
-  - [CVE-2026-48044](https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg): zstd RLE zip bomb
-  - [CVE-2026-47204](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3jxh-8p6x-7pf6): grpc_stats filter segfault on Connect protocol requests to direct_response routes
-  - [CVE-2026-47692](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wh36-hm39-mm3r): PROXY Protocol v2 header generator emits "skipped" TLVs, causing 65 KB attacker-controlled spillover into the upstream application stream
-  - [CVE-2026-47778](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7): Embedded NUL in TLS SAN Truncation, Auth Bypass
-  - [CVE-2026-48042](https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv): Stack overflow in destructor of highly nested JSON
-  - [CVE-2026-48090](https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f): OAuth2 filter late async token completion after stream teardown results in UAF/crash risk
-  - [CVE-2026-48497](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q): DNS filter abnormal process termination on long query name
-  - [CVE-2026-48743](https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf): HTTP/3 headers-only request/response content-length not validated
-  - [CVE-2026-48706](https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4): TcpStatsdSync buffer overflow with large stats name
-  - [GHSA-p7c7-7c47-pwch](https://github.com/envoyproxy/envoy/security/advisories/GHSA-p7c7-7c47-pwch): Denial-of-Service Attack Against the HTTP/3 Stack via QPACK Blocked Decoding
-
-* Upstream security fixes:
-  - CVE-2026-47261: wasm: bumped `com_github_wasmtime` to resolve CVE-2026-47261.
-
-* Behavior changes:
-  - build: disabled the contrib extension `envoy.network.connection_balance.dlb` (Intel DLB connection balancer) at the Bazel layer for all builds and platforms due to a breakage at the source archive. See https://github.com/envoyproxy/envoy/issues/45491 for local workarounds.