From fe5965ec8618105ac03ebfbd237bd1cb9701508a Mon Sep 17 00:00:00 2001 From: Lance Austin Date: Tue, 25 Jul 2023 11:10:49 -0500 Subject: [PATCH] deps: bump to Envoy 1.26.4 Bumps to our latest Envoy custom build based on 1.26.4 which addresses the following CVEs: - CVE-2023-35941 : Not affected but pulled in - CVE-2023-35942 - CVE-2023-35943 - CVE-2023-35944 Signed-off-by: Lance Austin --- CHANGELOG.md | 8 ++++++++ _cxx/envoy.mk | 4 ++-- docs/releaseNotes.yml | 10 ++++++++++ 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c4418510ea..7fca07a0fc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -85,6 +85,14 @@ it will be removed; but as it won't be user-visible this isn't considered a brea ## RELEASE NOTES +## [3.7.2] July 25, 2023 +[3.7.2]: https://github.com/emissary-ingress/emissary/compare/v3.7.1...v3.7.2 + +### Emissary-ingress and Ambassador Edge Stack + +- Security: This upgrades Emissary-ingress to be built on Envoy v1.26.4 which includes a security + fixes for CVE-2023-35942, CVE-2023-35943, VE-2023-35944. + ## [3.7.1] July 13, 2023 [3.7.1]: https://github.com/emissary-ingress/emissary/compare/v3.7.0...v3.7.1 diff --git a/_cxx/envoy.mk b/_cxx/envoy.mk index d873fdc995..ba58a394af 100644 --- a/_cxx/envoy.mk +++ b/_cxx/envoy.mk @@ -13,8 +13,8 @@ RSYNC_EXTRAS ?= # IF YOU MESS WITH ANY OF THESE VALUES, YOU MUST RUN `make update-base`. ENVOY_REPO ?= $(if $(IS_PRIVATE),git@github.com:datawire/envoy-private.git,https://github.com/datawire/envoy.git) - # rebase/release/v1.26.3 - ENVOY_COMMIT ?= 3480b07639bbfcc41b7c3030091eda48fa6f699b + # https://github.com/datawire/envoy/tree/rebase/release/v1.26.4 + ENVOY_COMMIT ?= bbda92fc3e3d430bd2114aa3458d3191205c9c0e ENVOY_COMPILATION_MODE ?= opt # Increment BASE_ENVOY_RELVER on changes to `docker/base-envoy/Dockerfile`, or Envoy recipes. # You may reset BASE_ENVOY_RELVER when adjusting ENVOY_COMMIT. 
diff --git a/docs/releaseNotes.yml b/docs/releaseNotes.yml index e87a0ff5b7..4643971016 100644 --- a/docs/releaseNotes.yml +++ b/docs/releaseNotes.yml @@ -32,6 +32,16 @@ changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG.md items: + - version: 3.7.2 + prevVersion: 3.7.1 + date: '2023-07-25' + notes: + - title: Upgrade to Envoy 1.26.4 + type: security + body: >- + This upgrades $productName$ to be built on Envoy v1.26.4 which includes a security fixes for + CVE-2023-35942, CVE-2023-35943, VE-2023-35944. + - version: 3.7.1 prevVersion: 3.7.0 date: '2023-07-13'
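Review bot: In the CHANGELOG.md hunk, the new 3.7.2 entry ends with "VE-2023-35944", which is missing its leading "C"; it should read "CVE-2023-35944" so that anyone searching the changelog for that id finds this release. In the same sentence, "a security fixes" should be "security fixes". The commit message also says CVE-2023-35941 is pulled in although the project is not affected; consider stating that in the entry so readers looking for that id can tell that 3.7.2 includes it.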
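Review bot: In the _cxx/envoy.mk hunk, the context comment states that changing any of these values requires running `make update-base`, and that BASE_ENVOY_RELVER may be reset when ENVOY_COMMIT is adjusted, but the diffstat shows only CHANGELOG.md, _cxx/envoy.mk and docs/releaseNotes.yml changing, so there is no visible evidence that either was done. Please confirm that `make update-base` was run and note whether BASE_ENVOY_RELVER was intentionally left alone. The new comment above ENVOY_COMMIT links to the branch rebase/release/v1.26.4, which can move after this merges; the pinned hash is what gets built, so it would help to say in the comment that the URL is only a pointer to where the commit came from.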
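Review bot: In the docs/releaseNotes.yml hunk, the body of the 3.7.2 note lists "VE-2023-35944" where "CVE-2023-35944" is meant, and "a security fixes" should be "security fixes". This text is published as the user-facing release note of type security, so the truncated id will not match a search for the CVE. The same wording appears in the CHANGELOG.md entry in this patch and should be corrected in both places together.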