repo: Release v1.33.14

**Summary of changes**:

* Security updates:

  Resolve dependency CVEs:
  - c-ares/CVE-2025-0913:
      Use after free can crash Envoy due to malfunctioning or compromised DNS.

While a potentially severe bug in some cloud environments, this has limited exploitability
as any attacker would require control of DNS.

Envoy advisory is here GHSA-fg9g-pvc4-776f

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.14
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.33.14/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.33.14/version_history/v1.33/v1.33.14
**Full changelog**:
    v1.33.13...v1.33.14

Author: publish-envoy[bot]

VERSION.txt

@@ -1 +1 @@
-1.33.14-dev
+1.33.14

changelogs/current.yaml

@@ -1,13 +1,6 @@
-date: Pending
-
-behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
-
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
+date: December 9, 2025
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: dns
   change: |
     Update c-ares to version 1.34.6 to resolve CVE-2025-0913.
@@ -16,14 +9,8 @@ bug_fixes:
 
     advisory: https://github.com/envoyproxy/envoy/security/advisories/GHSA-fg9g-pvc4-776f.
 
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
 new_features:
 - area: dns
   change: |
     Update c-ares to version 1.34.4. This upgrade exposes ``ares_reinit()`` which allows the reinitialization of c-ares channels,
     among several other new features, bug-fixes, etc.
-
-deprecated:

docs/inventories/v1.33/objects.inv

@@ -26,4 +26,4 @@
 "1.30": 1.30.11
 "1.31": 1.31.10
 "1.32": 1.32.13
-"1.33": 1.33.12
+"1.33": 1.33.13