repo: Release v1.34.11

publish-envoy[bot] · phlax · commit 35e736f3dba5 · 2025-12-03T22:19:13.000Z
* Security fixes: - CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching - CVE-2025-66220: TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.34.11 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.34.11/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.34.11/version_history/v1.34/v1.34.11 **Full changelog**: v1.34.10...v1.34.11
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.34.11-dev
+1.34.11
diff --git a/changelogs/1.33.13.yaml b/changelogs/1.33.13.yaml
@@ -0,0 +1,17 @@
+date: December 3, 2025
+
+behavior_changes:
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -1,7 +1,6 @@
-date: Pending
+date: December 3, 2025
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: dynamic modules
   change: |
     The dynamic module ABI has been updated to support streaming body manipulation. This change also
@@ -13,21 +12,12 @@ behavior_changes:
     that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
     it is very common as a latency reducing measure. As such the option is disabled by default.
 
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
-
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: tcp_proxy
   change: |
     Fixed a connection leak in the TCP proxy when the ``receive_before_connect`` feature is enabled and the
     downstream connection closes before the upstream connection is established.
 
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
 deprecated:
 - area: tls
   change: |
diff --git a/docs/inventories/v1.33/objects.inv b/docs/inventories/v1.33/objects.inv
diff --git a/docs/inventories/v1.34/objects.inv b/docs/inventories/v1.34/objects.inv
diff --git a/docs/versions.yaml b/docs/versions.yaml
@@ -26,5 +26,5 @@
 "1.30": 1.30.11
 "1.31": 1.31.10
 "1.32": 1.32.13
-"1.33": 1.33.12
-"1.34": 1.34.9
+"1.33": 1.33.13
+"1.34": 1.34.10
