repo: Release v1.28.1

**Summary of changes**:

- Fix [CVE-2024-23324](GHSA-gq3v-vvhj-96j6)
- Fix [CVE-2024-23325](GHSA-5m7c-mrwr-pm26)
- Fix [CVE-2024-23322](GHSA-6p83-mfmh-qv38)
- Fix [CVE-2024-23323](GHSA-x278-4w4x-r7ch)
- Fix [CVE-2024-23327](GHSA-4h5x-x9vh-m29j)
- Assorted bug fixes

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.28.1
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.28.1/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.28.1/version_history/v1.28/v1.28.1
**Full changelog**:
    v1.28.0...v1.28.1

Signed-off-by: Ryan Northey <[email protected]>

VERSION.txt

@@ -1 +1 @@
-1.28.1-dev
+1.28.1

changelogs/1.26.7.yaml

@@ -0,0 +1,28 @@
+date: February 9, 2024
+
+bug_fixes:
+- area: buffer
+  change: |
+    Fixed a bug (https://github.com/envoyproxy/envoy/issues/28760) that the internal listener causes an undefined
+    behavior due to the unintended release of the buffer memory.
+- area: http
+  change: |
+    Fixed recursion when HTTP connection is disconnected due to a high number of premature resets.
+- area: proxy protocol
+  change: |
+    fixed a crash when Envoy is configured for PROXY protocol on both a listener and cluster, and the listener receives
+    a PROXY protocol header with address type LOCAL (typically used for health checks).
+- area: proxy_protocol
+  change: |
+    Fix crash due to uncaught exception when the operating system does not support an address type (such as IPv6) that is
+    received in a proxy protocol header. Connections will instead be dropped/reset.
+- area: proxy_protocol
+  change: |
+    Fixed a bug where TLVs with non utf8 characters were inserted as protobuf values into filter metadata circumventing
+    ext_authz checks when ``failure_mode_allow`` is set to ``true``.
+- area: http
+  change: |
+    Fixed crash when HTTP request idle and per try timeouts occurs within backoff interval.
+- area: url matching
+  change: |
+    Fixed excessive CPU utilization when using regex URL template matcher.

changelogs/1.27.3.yaml

@@ -0,0 +1,52 @@
+date: February 9, 2024
+
+minor_behavior_changes:
+- area: access_log
+  change: |
+    When emitting grpc logs, only downstream filter state was used. Now, both downstream and upstream filter states will be tried
+    to find the keys configured in filter_state_objects_to_log.
+
+bug_fixes:
+- area: buffer
+  change: |
+    Fixed a bug (https://github.com/envoyproxy/envoy/issues/28760) that the internal listener causes an undefined
+    behavior due to the unintended release of the buffer memory.
+- area: http
+  change: |
+    Fixed recursion when HTTP connection is disconnected due to a high number of premature resets.
+- area: grpc
+  change: |
+    Fixed a bug in gRPC async client cache which intermittently causes CPU spikes due to busy loop in timer expiration.
+- area: tracing
+  change: |
+    Fixed a bug where Datadog spans tagged as errors would not have the appropriate error property set.
+- area: tracing
+  change: |
+    Fixed a bug where child spans produced by the Datadog tracer would have an incorrect operation name.
+- area: tracing
+  change: |
+    Fixed a bug that caused the Datadog tracing extension to drop traces that
+    should be kept on account of an extracted sampling decision.
+- area: proxy protocol
+  change: |
+    fixed a crash when Envoy is configured for PROXY protocol on both a listener and cluster, and the listener receives
+    a PROXY protocol header with address type LOCAL (typically used for health checks).
+- area: proxy_protocol
+  change: |
+    Fix crash due to uncaught exception when the operating system does not support an address type (such as IPv6) that is
+    received in a proxy protocol header. Connections will instead be dropped/reset.
+- area: proxy_protocol
+  change: |
+    Fixed a bug where TLVs with non utf8 characters were inserted as protobuf values into filter metadata circumventing
+    ext_authz checks when ``failure_mode_allow`` is set to ``true``.
+- area: tls
+  change: |
+    Fix crash due to uncaught exception when the operating system does not support an address type (such as IPv6) that is
+    received in an mTLS client cert IP SAN. These SANs will be ignored. This applies only when using formatter
+    ``%DOWNSTREAM_PEER_IP_SAN%``.
+- area: http
+  change: |
+    Fixed crash when HTTP request idle and per try timeouts occurs within backoff interval.
+- area: url matching
+  change: |
+    Fixed excessive CPU utilization when using regex URL template matcher.

changelogs/current.yaml

@@ -1,17 +1,12 @@
-date: Pending
+date: February 9, 2024
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: listener
   change: |
     undeprecated runtime key ``overload.global_downstream_max_connections`` until :ref:`downstream connections monitor
     <envoy_v3_api_msg_extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig>` extension becomes stable.
 
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
-
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: buffer
   change: |
     Fixed a bug (https://github.com/envoyproxy/envoy/issues/28760) that the internal listener causes an undefined
@@ -56,10 +51,3 @@ bug_fixes:
 - area: url matching
   change: |
     Fixed excessive CPU utilization when using regex URL template matcher.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:

docs/versions.yaml

@@ -19,5 +19,6 @@
 "1.23": 1.23.12
 "1.24": 1.24.12
 "1.25": 1.25.11
-"1.26": 1.26.6
-"1.27": 1.27.2
+"1.26": 1.26.7
+"1.27": 1.27.3
+"1.28": 1.28.0