[NET-7948] Bump Envoy version on 1.15.x (LTS) to address multiple CVEs (#20590)

security: Bump Envoy versions to address CVEs

.changelog/20590.txt

@@ -0,0 +1,3 @@
+```release-note:security
+mesh: Update Envoy versions to 1.28.1, 1.27.3, and 1.26.7 to address [CVE-2024-23324](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6), [CVE-2024-23325](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26), [CVE-2024-23322](https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38), [CVE-2024-23323](https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch), [CVE-2024-23327](https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j), and [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```

.github/workflows/test-integrations.yml

@@ -270,9 +270,9 @@ jobs:
           # this is further going to multiplied in envoy-integration tests by the
           # other dimensions in the matrix.  Currently TOTAL_RUNNERS would be
           # multiplied by 8 based on these values:
-          # envoy-version: ["1.22.11", "1.23.12", "1.24.12", "1.25.11"]
+          # envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
           # xds-target: ["server", "client"]
-          TOTAL_RUNNERS: 4
+          TOTAL_RUNNERS: 8
           JQ_SLICER: '[ inputs ] | [_nwise(length / $runnercount | floor)]'
         run: |
           NUM_RUNNERS=$TOTAL_RUNNERS
@@ -305,7 +305,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        envoy-version: ["1.25.11"]
+        envoy-version: ["1.25.11", "1.26.7", "1.27.3", "1.28.1"]
         xds-target: ["server", "client"]
         test-cases: ${{ fromJSON(needs.generate-envoy-job-matrices.outputs.envoy-matrix) }}
     env:

envoyextensions/xdscommon/envoy_versioning_test.go

@@ -143,9 +143,9 @@ func TestDetermineSupportedProxyFeaturesFromString(t *testing.T) {
 		"1.23.0", "1.23.1", "1.23.2", "1.23.3", "1.23.4", "1.23.5", "1.23.6", "1.23.7", "1.23.8", "1.23.9", "1.23.10", "1.23.11", "1.23.12",
 		"1.24.0", "1.24.1", "1.24.2", "1.24.3", "1.24.4", "1.24.5", "1.24.6", "1.24.7", "1.24.8", "1.24.9", "1.24.10", "1.24.11", "1.24.12",
 		"1.25.0", "1.25.1", "1.25.2", "1.25.3", "1.25.4", "1.25.5", "1.25.6", "1.25.7", "1.25.8", "1.25.9", "1.25.10", "1.25.11",
-		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6",
+		"1.26.0", "1.26.1", "1.26.2", "1.26.3", "1.26.4", "1.26.5", "1.26.6", "1.26.7",
-		"1.27.0", "1.27.1", "1.27.2",
+		"1.27.0", "1.27.1", "1.27.2", "1.27.3",
-		"1.28.0",
+		"1.28.0", "1.28.1",
 	} {
 		cases[v] = testcase{expect: SupportedProxyFeatures{}}
 	}

envoyextensions/xdscommon/proxysupport.go

@@ -12,9 +12,9 @@ import "strings"
 //
 // see: https://www.consul.io/docs/connect/proxies/envoy#supported-versions
 var EnvoyVersions = []string{
-	"1.28.0",
+	"1.28.1",
-	"1.27.2",
+	"1.27.3",
-	"1.26.6",
+	"1.26.7",
 	"1.25.11",
 	"1.24.12",
 	"1.23.12",

website/content/docs/connect/proxies/envoy.mdx

@@ -39,7 +39,7 @@ Consul supports **four major Envoy releases** at the beginning of each major Con
 
 | Consul Version      | Compatible Envoy Versions                                                          |
 | ------------------- | -----------------------------------------------------------------------------------|
-| 1.15.x              | 1.28.0, 1.27.2, 1.26.6, 1.25.11, 1.24.12, 1.23.12, 1.22.11                         |
+| 1.15.x              | 1.28.1, 1.27.3, 1.26.7, 1.25.11, 1.24.12, 1.23.12, 1.22.11                         |
 | 1.14.x              | 1.24.12, 1.23.12, 1.22.11, 1.21.6                                                  |
 | 1.13.x              | 1.23.1, 1.22.5, 1.21.5, 1.20.7                                                     |