repo: Release v1.36.3

* Security fixes:
  - CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching
  - CVE-2025-66220: TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte
  - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.3
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.36.3/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.36.3/version_history/v1.36/v1.36.3
**Full changelog**:
    v1.36.2...v1.36.3

Author: publish-envoy[bot]

VERSION.txt

@@ -1 +1 @@
-1.36.3-dev
+1.36.3

changelogs/1.33.13.yaml

@@ -0,0 +1,17 @@
+date: December 3, 2025
+
+behavior_changes:
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.

changelogs/1.34.11.yaml

@@ -0,0 +1,28 @@
+date: December 3, 2025
+
+behavior_changes:
+- area: dynamic modules
+  change: |
+    The dynamic module ABI has been updated to support streaming body manipulation. This change also
+    fixed potential incorrect behavior when access or modify the request or response body. See
+    https://github.com/envoyproxy/envoy/issues/40918 for more details.
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tcp_proxy
+  change: |
+    Fixed a connection leak in the TCP proxy when the ``receive_before_connect`` feature is enabled and the
+    downstream connection closes before the upstream connection is established.
+
+deprecated:
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.

changelogs/1.35.7.yaml

@@ -0,0 +1,32 @@
+date: December 4, 2025
+
+behavior_changes:
+- area: dynamic modules
+  change: |
+    The dynamic module ABI has been updated to support streaming body manipulation. This change also
+    fixed potential incorrect behavior when access or modify the request or response body. See
+    https://github.com/envoyproxy/envoy/issues/40918 for more details.
+- area: http
+  change: |
+    Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
+    that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
+    it is very common as a latency reducing measure. As such the option is disabled by default.
+
+bug_fixes:
+- area: tcp_proxy
+  change: |
+    Fixed a connection leak in the TCP proxy when the ``receive_before_connect`` feature is enabled and the
+    downstream connection closes before the upstream connection is established.
+- area: tls
+  change: |
+    Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
+    an embedded null octet, leading to incorrect SAN validation.
+- area: http
+  change: |
+    Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.
+
+new_features:
+- area: dynamic modules
+  change: |
+    Added support for loading dynamic modules globally by setting :ref:`load_globally
+    <envoy_v3_api_field_extensions.dynamic_modules.v3.DynamicModuleConfig.load_globally>` to true.

changelogs/current.yaml

@@ -1,7 +1,6 @@
-date: Pending
+date: December 4, 2025
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: dynamic modules
   change: |
     The dynamic module ABI has been updated to support streaming body manipulation. This change also
@@ -13,11 +12,7 @@ behavior_changes:
     that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
     it is very common as a latency reducing measure. As such the option is disabled by default.
 
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
-
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: bootstrap
   change: |
     Fixed an issue where the custom
@@ -35,9 +30,6 @@ bug_fixes:
   change: |
     Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.
 
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
 new_features:
 - area: overload management
   change: |
@@ -54,5 +46,3 @@ new_features:
   change: |
     Added support for loading dynamic modules globally by setting :ref:`load_globally
     <envoy_v3_api_field_extensions.dynamic_modules.v3.DynamicModuleConfig.load_globally>` to true.
-
-deprecated:

docs/inventories/v1.33/objects.inv

@@ -26,7 +26,7 @@
 "1.30": 1.30.11
 "1.31": 1.31.10
 "1.32": 1.32.13
-"1.33": 1.33.12
-"1.34": 1.34.10
-"1.35": 1.35.6
-"1.36": 1.36.1
+"1.33": 1.33.13
+"1.34": 1.34.11
+"1.35": 1.35.7
+"1.36": 1.36.2