fix(deps): update module github.com/cilium/cilium to v1.14.16 [security]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
github.com/cilium/cilium	v1.14.6 -> v1.14.16

---

[!WARNING] Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-28248

Impact

Cilium's HTTP policies are not consistently applied to all traffic in the scope of the policies, leading to HTTP traffic being incorrectly and intermittently forwarded when it should be dropped.

Patches

This issue affects:

• Cilium v1.13 between v1.13.9 and v1.13.12 inclusive
• Cilium v1.14 between v1.14.0 and v1.14.7 inclusive
• Cilium v1.15.0 and v1.15.1

This issue has been patched in:

• Cilium v1.15.2
• Cilium v1.14.8
• Cilium v1.13.13

Workarounds

There is no workaround for this issue – affected users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​romikps for discovering and reporting this issue, and @​sayboras and @​jrajahalme for preparing the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium internal security team, and your report will be treated as top priority.

CVE-2024-28249

Impact

In Cilium clusters with IPsec enabled and traffic matching Layer 7 policies:

• Traffic that should be IPsec-encrypted between a node's Envoy proxy and pods on other nodes is sent unencrypted
• Traffic that should be IPsec-encrypted between a node's DNS proxy and pods on other nodes is sent unencrypted

Note: For clusters running in native routing mode, IPsec encryption is not applied to connections which are selected by a L7 Egress Network Policy or a DNS Policy. This is a known limitation of Cilium's IPsec encryption which will continue to apply after upgrading to the latest Cilium versions described below.

Patches

This issue affects:

• Cilium v1.15 before v1.15.2
• Cilium v1.14 before v1.14.8
• Cilium v1.13 before v1.13.13
• Cilium v1.4 to v1.12 inclusive

This issue has been resolved in:

• Cilium v1.15.2
• Cilium v1.14.8
• Cilium v1.13.13

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​jschwinger233, @​julianwiedmann, @​giorio94, and @​jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability in Cilium, we strongly encourage you to report it to our private security mailing list at security@cilium.io. This is a private mailing list that only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-28250

Impact

In Cilium clusters with WireGuard enabled and traffic matching Layer 7 policies:

• Traffic that should be WireGuard-encrypted is sent unencrypted between a node's Envoy proxy and pods on other nodes.
• Traffic that should be WireGuard-encrypted is sent unencrypted between a node's DNS proxy and pods on other nodes.

Patches

This issue affects:

• In native routing mode (routingMode=native):
  • Cilium v1.14 versions before v1.14.8
  • Cilium v1.15 versions before v1.15.2
• In tunneling mode (routingMode=tunnel):
  • Cilium v1.14 versions before v1.14.4
  • Cilium v1.14.4 if encryption.wireguard.encapsulate is set to false (default).

This issue has been resolved in:

• In native routing mode (routingMode=native):
  • Cilium v1.14.8
  • Cilium v1.15.2
• In tunneling mode (routingMode=tunnel):
  • Cilium v1.14.4. NOTE encryption.wireguard.encapsulate must be set to true.

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​brb, @​giorio94, @​gandro and @​jschwinger233 for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-28860

Impact

Users of IPsec transparent encryption in Cilium may be vulnerable to cryptographic attacks that render the transparent encryption ineffective.

In particular, Cilium is vulnerable to the following attacks by a man-in-the-middle attacker:

• Chosen plaintext attacks
• Key recovery attacks
• Replay attacks

These attacks are possible due to an ESP sequence number collision when multiple nodes are configured with the same key. Fixed versions of Cilium use unique keys for each IPsec tunnel established between nodes, resolving all of the above attacks.

Important: After upgrading, users must perform a key rotation using the instructions here to ensure that they are no longer vulnerable to this issue. Please note that the key rotation instructions have recently been updated, and users must use the new instructions to properly establish secure IPsec tunnels. To validate that the new instructions have been followed properly, ensure that the IPsec Kubernetes secret contains a "+" sign.

Patches

All prior versions of Cilium that support IPsec transparent encryption (Cilium 1.4 onwards) are affected by this issue.

Patched versions:

• Cilium 1.15.3
• Cilium 1.14.9
• Cilium 1.13.14

Workarounds

There is no workaround to this issue. IPsec transparent encryption users are strongly encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Cure53 and Isovalent to prepare these mitigations. Special thanks to @​NikAleksandrov and @​pchaigno for their work on remediating the issue. Thanks to Marsh Ray, Senior Software Developer at Microsoft, for input and guidance on the fix.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

As usual, if you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list: security@cilium.io - first, before disclosing them in any public forums. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and is treated as top priority.

CVE-2024-37307

Impact

The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled.

Users of the following features are affected:

• TLS inspection
• Ingress with TLS termination
• Gateway API with TLS termination
• Kafka network policies with API key filtering

The sensitive data includes:

• The CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API
• The API keys used in Kafka-related network policy

cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.

Patches

This issue affects:

• Cilium v1.13 between v1.13.0 and v1.13.16 inclusive
• Cilium v1.14 between v1.14.0 and v1.14.11 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.5 inclusive

This issue has been patched in:

• Cilium v1.15.6
• Cilium v1.14.12
• Cilium v1.13.17

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​sayboras for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2024-25630

Impact

For Cilium users who are using CRDs to store Cilium state (the default configuration) and Wireguard transparent encryption, responses from pods to the Ingress and health endpoints are not encrypted. Traffic from the Ingress and health endpoints to pods is not affected by this issue. The health endpoint is only used for Cilium's internal health checks.

Patches

This issue affects Cilium v1.14 before v1.14.7.

This issue has been patched in Cilium v1.14.7.

Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​gandro for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-25631

Impact

For Cilium users who have enabled an external kvstore and Wireguard transparent encryption, traffic between pods in the affected cluster is not encrypted.

Patches

This issue affects Cilium v1.14 before v1.14.7.

This issue has been patched in Cilium v1.14.7.

Workarounds

There is no workaround to this issue - affected users are encouraged to upgrade.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​giorio94 and @​gandro for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you found a related vulnerability, we strongly encourage you to report security vulnerabilities to our private security mailing list at security@cilium.io. This is a private mailing list where only members of the Cilium internal security team are subscribed to, and your report will be treated as top priority.

CVE-2024-42488

Impact

A race condition in the Cilium agent can cause the agent to ignore labels that should be applied to a node. This could in turn cause CiliumClusterwideNetworkPolicies intended for nodes with the ignored label to not apply, leading to policy bypass.

Patches

This issue was fixed in https://github.com/cilium/cilium/pull/33511.

This issue affects:

• All versions of Cilium before v1.14.14
• Cilium v1.15 between v1.15.0 and v1.15.7 inclusive

This issue has been patched in:

• Cilium v1.14.14
• Cilium v1.15.8

Workarounds

As the underlying issue depends on a race condition, users unable to upgrade can restart the Cilium agent on affected nodes until the affected policies are confirmed to be working as expected.

Acknowledgements

The Cilium community has worked together with members of Google and Isovalent to prepare these mitigations. Special thanks to @​skmatti for raising and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

CVE-2024-47825

Impact

A policy rule denying a prefix that is broader than /32 may be ignored if there is

• A policy rule referencing a more narrow prefix (CIDRSet or toFQDN) and
• This narrower policy rule specifies either enableDefaultDeny: false or - toEntities: all

Note that a rule specifying toEntities: world or toEntities: 0.0.0.0/0 is insufficient, it must be to entity all.

As an example, given the below policies, traffic is allowed to 1.1.1.2, when it should be denied:

apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: block-scary-range
spec:
  endpointSelector: {}
  egressDeny:
  - toCIDRSet:
    - cidr: 1.0.0.0/8

---

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: evade-deny
spec:
  endpointSelector: {}
  egress:
  - toCIDR:
    - 1.1.1.2/32
  - toEntities:
    - all

Patches

This issue affects:

• Cilium v1.14 between v1.14.0 and v1.14.15 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.9 inclusive

This issue has been patched in:

• Cilium v1.14.16
• Cilium v1.15.10

Workarounds

Users with policies using enableDefaultDeny: false can work around this issue by removing this configuration option and explicitly defining any allow rules required.

No workaround is available to users with egress policies that explicitly specify toEntities: all.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​squeed, @​christarazi, and @​jrajahalme for their work in triaging and resolving this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated with top priority.

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

### [`v1.14.16`](https://redirect.github.com/cilium/cilium/releases/tag/v1.14.16): 1.14.16 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.14.15...1.14.16) ## Summary of Changes **Bugfixes:** - datapath: Fix redirect from from L3 netdev to tunnel (Backport PR [#​35265](https://redirect.github.com/cilium/cilium/issues/35265), Upstream PR [#​33421](https://redirect.github.com/cilium/cilium/issues/33421), [@​brb](https://redirect.github.com/brb)) - Fixed bug in tracking policy changes that could have resulted in revert not woking in failure cases as expected. (Backport PR [#​35279](https://redirect.github.com/cilium/cilium/issues/35279), Upstream PR [#​35109](https://redirect.github.com/cilium/cilium/issues/35109), [@​jrajahalme](https://redirect.github.com/jrajahalme)) - Fixed bug where service id allocator would loop infinity when out of service ids (Backport PR [#​35279](https://redirect.github.com/cilium/cilium/issues/35279), Upstream PR [#​35033](https://redirect.github.com/cilium/cilium/issues/35033), [@​WeeNews](https://redirect.github.com/WeeNews)) - Fixes startup fatal error when updating CiliumNode resource. (Backport PR [#​34916](https://redirect.github.com/cilium/cilium/issues/34916), Upstream PR [#​34862](https://redirect.github.com/cilium/cilium/issues/34862), [@​harsimran-pabla](https://redirect.github.com/harsimran-pabla)) **CI Changes:** - .github/lint-build-commits: fix workflow for push events (Backport PR [#​35279](https://redirect.github.com/cilium/cilium/issues/35279), Upstream PR [#​35264](https://redirect.github.com/cilium/cilium/issues/35264), [@​aanm](https://redirect.github.com/aanm)) - .github: create cache directories on cache miss (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​35088](https://redirect.github.com/cilium/cilium/issues/35088), [@​aanm](https://redirect.github.com/aanm)) - .github: do not push floating tag from PRs (Backport PR [#​35229](https://redirect.github.com/cilium/cilium/issues/35229), Upstream PR [#​35227](https://redirect.github.com/cilium/cilium/issues/35227), [@​aanm](https://redirect.github.com/aanm)) - .github: install golang action after checkout (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​34843](https://redirect.github.com/cilium/cilium/issues/34843), [@​aanm](https://redirect.github.com/aanm)) - .github: re-enable configurations in e2e-upgrade (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​34800](https://redirect.github.com/cilium/cilium/issues/34800), [@​aanm](https://redirect.github.com/aanm)) - .github: specify cache-dependency-path in lint-workflows (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​34845](https://redirect.github.com/cilium/cilium/issues/34845), [@​aanm](https://redirect.github.com/aanm)) - ci: conformance-\[gateway-api|ginkgo|ingress] wait for images before matrix generation (Backport PR [#​34916](https://redirect.github.com/cilium/cilium/issues/34916), Upstream PR [#​34820](https://redirect.github.com/cilium/cilium/issues/34820), [@​aanm](https://redirect.github.com/aanm)) - fix: repository nil value handled on workflow_dispatch context for renovate updates (Backport PR [#​34916](https://redirect.github.com/cilium/cilium/issues/34916), Upstream PR [#​34902](https://redirect.github.com/cilium/cilium/issues/34902), [@​Artyop](https://redirect.github.com/Artyop)) **Misc Changes:** - .github: add cache to cilium-cli and hubble-cli build workflows (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​34847](https://redirect.github.com/cilium/cilium/issues/34847), [@​aanm](https://redirect.github.com/aanm)) - .github: clean up disk for lint-build workflow (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​35141](https://redirect.github.com/cilium/cilium/issues/35141), [@​aanm](https://redirect.github.com/aanm)) - .github: fix build image process to commit changes (Backport PR [#​35279](https://redirect.github.com/cilium/cilium/issues/35279), Upstream PR [#​35262](https://redirect.github.com/cilium/cilium/issues/35262), [@​aanm](https://redirect.github.com/aanm)) - .github: fix lvh-kind warnings (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​34811](https://redirect.github.com/cilium/cilium/issues/34811), [@​aanm](https://redirect.github.com/aanm)) - .github: fix runtime image digests (Backport PR [#​35119](https://redirect.github.com/cilium/cilium/issues/35119), Upstream PR [#​35107](https://redirect.github.com/cilium/cilium/issues/35107), [@​aanm](https://redirect.github.com/aanm)) - .github: push floating tag for push events for stable branches ([#​35234](https://redirect.github.com/cilium/cilium/issues/35234), [@​aanm](https://redirect.github.com/aanm)) - \[v1.14] contrib/scripts: set 755 permissions for builder.sh ([#​35266](https://redirect.github.com/cilium/cilium/issues/35266), [@​aanm](https://redirect.github.com/aanm)) - Change GH runners to GH's default (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​33451](https://redirect.github.com/cilium/cilium/issues/33451), [@​aanm](https://redirect.github.com/aanm)) - chart: define the envoy image variable in the makefile (Backport PR [#​35113](https://redirect.github.com/cilium/cilium/issues/35113), Upstream PR [#​27725](https://redirect.github.com/cilium/cilium/issues/27725), [@​weizhoublue](https://redirect.github.com/weizhoublue)) - chore(deps): update all github action dependencies (v1.14) ([#​35029](https://redirect.github.com/cilium/cilium/issues/35029), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#​35087](https://redirect.github.com/cilium/cilium/issues/35087), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#​35252](https://redirect.github.com/cilium/cilium/issues/35252), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.14) ([#​35028](https://redirect.github.com/cilium/cilium/issues/35028), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.18 (v1.14) ([#​35001](https://redirect.github.com/cilium/cilium/issues/35001), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.19 (v1.14) ([#​35204](https://redirect.github.com/cilium/cilium/issues/35204), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.16.2 (v1.14) ([#​35242](https://redirect.github.com/cilium/cilium/issues/35242), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.7 docker digest to [`ddad330`](https://redirect.github.com/cilium/cilium/commit/ddad330) (v1.14) ([#​35093](https://redirect.github.com/cilium/cilium/issues/35093), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.8 (v1.14) ([#​35205](https://redirect.github.com/cilium/cilium/issues/35205), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) ([#​35085](https://redirect.github.com/cilium/cilium/issues/35085), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727272937-c0c0c5f38d338b330d891b304ab5ed6c6d7bcec4 (v1.14) ([#​35108](https://redirect.github.com/cilium/cilium/issues/35108), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1727997080-b094128ed01b784b63ada19b54f8c7fdc3042e6e (v1.14) ([#​35220](https://redirect.github.com/cilium/cilium/issues/35220), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update quay.io/cilium/cilium-envoy docker tag to v1.29.9-1728346947-0d05e48bfbb8c4737ec40d5781d970a550ed2bbd (v1.14) ([#​35285](https://redirect.github.com/cilium/cilium/issues/35285), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - helm: set key usages for hubble certificates with cert-manager (Backport PR [#​35038](https://redirect.github.com/cilium/cilium/issues/35038), Upstream PR [#​34946](https://redirect.github.com/cilium/cilium/issues/34946), [@​kaworu](https://redirect.github.com/kaworu)) - images/builder: get rid of annoying git ownership warnings (Backport PR [#​35279](https://redirect.github.com/cilium/cilium/issues/35279), Upstream PR [#​31538](https://redirect.github.com/cilium/cilium/issues/31538), [@​ti-mo](https://redirect.github.com/ti-mo)) - Improve speed on lint commits GH workflow (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​34848](https://redirect.github.com/cilium/cilium/issues/34848), [@​aanm](https://redirect.github.com/aanm)) - Re-write GitHub cache usages across workflows (Backport PR [#​35176](https://redirect.github.com/cilium/cilium/issues/35176), Upstream PR [#​34866](https://redirect.github.com/cilium/cilium/issues/34866), [@​aanm](https://redirect.github.com/aanm)) **Other Changes:** - \[v1.14] image: Update runtime, builder images ([#​35097](https://redirect.github.com/cilium/cilium/issues/35097), [@​sayboras](https://redirect.github.com/sayboras)) - install: Update image digests for v1.14.15 ([#​35050](https://redirect.github.com/cilium/cilium/issues/35050), [@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `docker.io/cilium/cilium:v1.14.16@​sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2` `quay.io/cilium/cilium:v1.14.16@​sha256:8a31c16a4b3fcd0fbfdbfe3348710bfb766a5bcc8225ee5c4057d3a7cbcbafb2` ##### clustermesh-apiserver `docker.io/cilium/clustermesh-apiserver:v1.14.16@​sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186` `quay.io/cilium/clustermesh-apiserver:v1.14.16@​sha256:19c1318e555d8ee9dbec9d86fe8e7e6c43a2dd7eeb29eb88ea7af28d21971186` ##### docker-plugin `docker.io/cilium/docker-plugin:v1.14.16@​sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d` `quay.io/cilium/docker-plugin:v1.14.16@​sha256:ccb1aee7af60693fe434924b0bbbb0a625382335ca2767d485a0bc855df5943d` ##### hubble-relay `docker.io/cilium/hubble-relay:v1.14.16@​sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9` `quay.io/cilium/hubble-relay:v1.14.16@​sha256:ba715eaa50036c45ac39b2e4d08ee1794ac8dbfe6af339c48dba1402416da8f9` ##### kvstoremesh `docker.io/cilium/kvstoremesh:v1.14.16@​sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0` `quay.io/cilium/kvstoremesh:v1.14.16@​sha256:c22860631b97e671d08a21524da5283322ec6b7750760e78df5718169a987fa0` ##### operator-alibabacloud `docker.io/cilium/operator-alibabacloud:v1.14.16@​sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7` `quay.io/cilium/operator-alibabacloud:v1.14.16@​sha256:a647eae904c9210c3fa566a540c28bc6de525a92fd5049de1a3331c0b224d8b7` ##### operator-aws `docker.io/cilium/operator-aws:v1.14.16@​sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1` `quay.io/cilium/operator-aws:v1.14.16@​sha256:013da30c41a2ca04c56b3b4b51ebda57bac2aec8a0107031e445d636e913dca1` ##### operator-azure `docker.io/cilium/operator-azure:v1.14.16@​sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448` `quay.io/cilium/operator-azure:v1.14.16@​sha256:91b811091e98456543b4b7569039213bef954881a079a9796481275430994448` ##### operator-generic `docker.io/cilium/operator-generic:v1.14.16@​sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8` `quay.io/cilium/operator-generic:v1.14.16@​sha256:21243c0dcbc3d505ddf661835fc9a6aa6393e439893cbfd86c20b381c709d2b8` ##### operator `docker.io/cilium/operator:v1.14.16@​sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef` `quay.io/cilium/operator:v1.14.16@​sha256:d5f68e5238d9fa608537f05abfa1296c188715439329128a9f78a7d0f6c078ef` ### [`v1.14.15`](https://redirect.github.com/cilium/cilium/releases/tag/v1.14.15): 1.14.15 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.14.14...1.14.15) We are happy to release Cilium v1.14.15! This release brings us upstream filter chains for L7 LB policy enforcement, bugfixes, CI fixes and many many more! See summary of changes below! ## Summary of Changes **Minor Changes:** - cilium-envoy now uses upstream filter chains for L7 LB policy enforcement. (Backport PR [#​34458](https://redirect.github.com/cilium/cilium/issues/34458), Upstream PR [#​32119](https://redirect.github.com/cilium/cilium/issues/32119), [@​jrajahalme](https://redirect.github.com/jrajahalme)) - docs: Update examples for CNP L7 Host (Backport PR [#​34646](https://redirect.github.com/cilium/cilium/issues/34646), Upstream PR [#​34578](https://redirect.github.com/cilium/cilium/issues/34578), [@​sayboras](https://redirect.github.com/sayboras)) **Bugfixes:** - config: fix disabling config 'Debug' (Backport PR [#​34471](https://redirect.github.com/cilium/cilium/issues/34471), Upstream PR [#​34401](https://redirect.github.com/cilium/cilium/issues/34401), [@​mhofstetter](https://redirect.github.com/mhofstetter)) - envoy: fix log level mapping when changing log level via API (Backport PR [#​34459](https://redirect.github.com/cilium/cilium/issues/34459), Upstream PR [#​34400](https://redirect.github.com/cilium/cilium/issues/34400), [@​mhofstetter](https://redirect.github.com/mhofstetter)) - ipcache: Yet another refcounting fix with mix of APIs (Backport PR [#​34713](https://redirect.github.com/cilium/cilium/issues/34713), Upstream PR [#​34715](https://redirect.github.com/cilium/cilium/issues/34715), [@​gandro](https://redirect.github.com/gandro)) **CI Changes:** - .github: change nick-invision/retry -> nick-fields/retry. ([#​34737](https://redirect.github.com/cilium/cilium/issues/34737), [@​michi-covalent](https://redirect.github.com/michi-covalent)) - ci: clean disk only on ubuntu-latest runners (Backport PR [#​34829](https://redirect.github.com/cilium/cilium/issues/34829), Upstream PR [#​34711](https://redirect.github.com/cilium/cilium/issues/34711), [@​marseel](https://redirect.github.com/marseel)) - ci: Confromance E2E wait for images before matrix generation (Backport PR [#​34829](https://redirect.github.com/cilium/cilium/issues/34829), Upstream PR [#​34707](https://redirect.github.com/cilium/cilium/issues/34707), [@​marseel](https://redirect.github.com/marseel)) - ci: multi pool run tests concurrently (Backport PR [#​34364](https://redirect.github.com/cilium/cilium/issues/34364), Upstream PR [#​33945](https://redirect.github.com/cilium/cilium/issues/33945), [@​viktor-kurchenko](https://redirect.github.com/viktor-kurchenko)) - ci: Wait for images before generating test matrix (Backport PR [#​34829](https://redirect.github.com/cilium/cilium/issues/34829), Upstream PR [#​34727](https://redirect.github.com/cilium/cilium/issues/34727), [@​marseel](https://redirect.github.com/marseel)) - Fix: push PR changes when renovate build images under the workflow_call context (Backport PR [#​34829](https://redirect.github.com/cilium/cilium/issues/34829), Upstream PR [#​34650](https://redirect.github.com/cilium/cilium/issues/34650), [@​Artyop](https://redirect.github.com/Artyop)) - gha: Add disk cleanup step for build and test workflow (Backport PR [#​34364](https://redirect.github.com/cilium/cilium/issues/34364), Upstream PR [#​34339](https://redirect.github.com/cilium/cilium/issues/34339), [@​sayboras](https://redirect.github.com/sayboras)) - gha: Free up Github runner disk space (Backport PR [#​34364](https://redirect.github.com/cilium/cilium/issues/34364), Upstream PR [#​34247](https://redirect.github.com/cilium/cilium/issues/34247), [@​sayboras](https://redirect.github.com/sayboras)) - gha: Remove ci-aks workflow ([#​34606](https://redirect.github.com/cilium/cilium/issues/34606), [@​sayboras](https://redirect.github.com/sayboras)) **Misc Changes:** - \[v1.14] hive: prevent goleak error due to race condition ([#​34658](https://redirect.github.com/cilium/cilium/issues/34658), [@​marseel](https://redirect.github.com/marseel)) - Add source IP visibility info to Ingress and Gateway API docs (Backport PR [#​34369](https://redirect.github.com/cilium/cilium/issues/34369), Upstream PR [#​34137](https://redirect.github.com/cilium/cilium/issues/34137), [@​youngnick](https://redirect.github.com/youngnick)) - Add source IP visibility info to Ingress and Gateway API docs (Backport PR [#​34459](https://redirect.github.com/cilium/cilium/issues/34459), Upstream PR [#​34137](https://redirect.github.com/cilium/cilium/issues/34137), [@​youngnick](https://redirect.github.com/youngnick)) - chore(deps): update all github action dependencies (v1.14) ([#​34572](https://redirect.github.com/cilium/cilium/issues/34572), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#​34763](https://redirect.github.com/cilium/cilium/issues/34763), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.15 (v1.14) ([#​34120](https://redirect.github.com/cilium/cilium/issues/34120), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.16 (v1.14) ([#​34508](https://redirect.github.com/cilium/cilium/issues/34508), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.17 (v1.14) ([#​34885](https://redirect.github.com/cilium/cilium/issues/34885), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1.16.1 (v1.14) ([#​34854](https://redirect.github.com/cilium/cilium/issues/34854), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/alpine docker tag to v3.18.9 (v1.14) ([#​34762](https://redirect.github.com/cilium/cilium/issues/34762), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/golang:1.22.7 docker digest to [`4594271`](https://redirect.github.com/cilium/cilium/commit/4594271) (v1.14) ([#​34901](https://redirect.github.com/cilium/cilium/issues/34901), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update docker.io/library/ubuntu:22.04 docker digest to [`adbb901`](https://redirect.github.com/cilium/cilium/commit/adbb901) (v1.14) ([#​34697](https://redirect.github.com/cilium/cilium/issues/34697), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.16 (v1.14) ([#​34905](https://redirect.github.com/cilium/cilium/issues/34905), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.7 (v1.14) ([#​34734](https://redirect.github.com/cilium/cilium/issues/34734), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update kindest/node docker tag to v1.27.16 (v1.14) ([#​34509](https://redirect.github.com/cilium/cilium/issues/34509), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore: Avoid docker warning due to casing (Backport PR [#​34859](https://redirect.github.com/cilium/cilium/issues/34859), Upstream PR [#​34125](https://redirect.github.com/cilium/cilium/issues/34125), [@​sayboras](https://redirect.github.com/sayboras)) - cilium-dbg: add Envoy admin commands (Backport PR [#​34495](https://redirect.github.com/cilium/cilium/issues/34495), Upstream PR [#​34398](https://redirect.github.com/cilium/cilium/issues/34398), [@​mhofstetter](https://redirect.github.com/mhofstetter)) - docs: Avoid using wildcard TLS certificate (Backport PR [#​34829](https://redirect.github.com/cilium/cilium/issues/34829), Upstream PR [#​34609](https://redirect.github.com/cilium/cilium/issues/34609), [@​sayboras](https://redirect.github.com/sayboras)) - docs: Improve Ingress documentation (Backport PR [#​34369](https://redirect.github.com/cilium/cilium/issues/34369), Upstream PR [#​33698](https://redirect.github.com/cilium/cilium/issues/33698), [@​youngnick](https://redirect.github.com/youngnick)) - docs: Improve Ingress documentation (Backport PR [#​34459](https://redirect.github.com/cilium/cilium/issues/34459), Upstream PR [#​33698](https://redirect.github.com/cilium/cilium/issues/33698), [@​youngnick](https://redirect.github.com/youngnick)) - Documentation: Update readthedocs configuration (Backport PR [#​34364](https://redirect.github.com/cilium/cilium/issues/34364), Upstream PR [#​34190](https://redirect.github.com/cilium/cilium/issues/34190), [@​joestringer](https://redirect.github.com/joestringer)) - fix: base image update workflow will now be triggered on renovate branches with a workflow_call event type (Backport PR [#​34459](https://redirect.github.com/cilium/cilium/issues/34459), Upstream PR [#​34372](https://redirect.github.com/cilium/cilium/issues/34372), [@​Artyop](https://redirect.github.com/Artyop)) - images: fix path script (Backport PR [#​34766](https://redirect.github.com/cilium/cilium/issues/34766), Upstream PR [#​34764](https://redirect.github.com/cilium/cilium/issues/34764), [@​aanm](https://redirect.github.com/aanm)) - ipsec: Document a new cause of XfrmInStateProtoError (Backport PR [#​34495](https://redirect.github.com/cilium/cilium/issues/34495), Upstream PR [#​34221](https://redirect.github.com/cilium/cilium/issues/34221), [@​jschwinger233](https://redirect.github.com/jschwinger233)) **Other Changes:** - \[v1.14] CODEOWNERS: switch cilium/tophat to cilium/committers ([#​34888](https://redirect.github.com/cilium/cilium/issues/34888), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) - \[v1.14] envoy: Bump envoy version from v1.29.7 to v1.29.9 ([#​34963](https://redirect.github.com/cilium/cilium/issues/34963), [@​sayboras](https://redirect.github.com/sayboras)) - \[v1.14] envoy: Switch to image with timestamp tag ([#​34393](https://redirect.github.com/cilium/cilium/issues/34393), [@​sayboras](https://redirect.github.com/sayboras)) - envoy: Bump golang version ([#​34329](https://redirect.github.com/cilium/cilium/issues/34329), [@​sayboras](https://redirect.github.com/sayboras)) - install: Update image digests for v1.14.14 ([#​34377](https://redirect.github.com/cilium/cilium/issues/34377), [@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `docker.io/cilium/cilium:v1.14.15@​sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d` `quay.io/cilium/cilium:v1.14.15@​sha256:9a7977e8a685ac8ef8477c6be76a10d2aabf680bfe13916fa8ba7fec4429705d` ##### clustermesh-apiserver `docker.io/cilium/clustermesh-apiserver:v1.14.15@​sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b` `quay.io/cilium/clustermesh-apiserver:v1.14.15@​sha256:1254404bd6a9c9cd0702727f5fe9bf26477a3dac3fa6cb144a57c84b328d079b` ##### docker-plugin `docker.io/cilium/docker-plugin:v1.14.15@​sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f` `quay.io/cilium/docker-plugin:v1.14.15@​sha256:5d123a4fd747b42a5ea3153930b23b93b0803ea881a6dbac26531deeb926cb9f` ##### hubble-relay `docker.io/cilium/hubble-relay:v1.14.15@​sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7` `quay.io/cilium/hubble-relay:v1.14.15@​sha256:f104b07f38d0fa206bc41d5bd7a02ea42e32b18de7022f8401492bad35bbedc7` ##### kvstoremesh `docker.io/cilium/kvstoremesh:v1.14.15@​sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0` `quay.io/cilium/kvstoremesh:v1.14.15@​sha256:93d81162805edf7145a9b6f2b22790c51a730f439f7644399d55cfc083c665e0` ##### operator-alibabacloud `docker.io/cilium/operator-alibabacloud:v1.14.15@​sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd` `quay.io/cilium/operator-alibabacloud:v1.14.15@​sha256:db526ebf79874a0376c37fa987a820ff572a5a9b9c23697c393ab5d8721a20dd` ##### operator-aws `docker.io/cilium/operator-aws:v1.14.15@​sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175` `quay.io/cilium/operator-aws:v1.14.15@​sha256:e17ee0a65edf75f13e9fb380ef2dc4c80096d8a08581f8b8a65386e35589a175` ##### operator-azure `docker.io/cilium/operator-azure:v1.14.15@​sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668` `quay.io/cilium/operator-azure:v1.14.15@​sha256:e4ce4f4bce9431493efc59aba38277dd831836c3112af34e48e97c3d6bf4d668` ##### operator-generic `docker.io/cilium/operator-generic:v1.14.15@​sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870` `quay.io/cilium/operator-generic:v1.14.15@​sha256:233c4ab72cd6a06e8b4c8bed4991d625df8389e6225b27bc72f088c10036b870` ##### operator `docker.io/cilium/operator:v1.14.15@​sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f` `quay.io/cilium/operator:v1.14.15@​sha256:064d2449a4ceaaf8bab2f14fb49544061bb4a9d508d78ea3596b3be03c20b82f` ### [`v1.14.14`](https://redirect.github.com/cilium/cilium/releases/tag/v1.14.14): 1.14.14 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.14.13...1.14.14) ## Security Advisories This release addresses https://github.com/cilium/cilium/security/advisories/GHSA-q7w8-72mr-vpgw. ## Summary of Changes **Bugfixes:** - DNS Proxy: Allow SO_LINGER to be set to the socket to upstream (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33592](https://redirect.github.com/cilium/cilium/issues/33592), [@​gandro](https://redirect.github.com/gandro)) - Fix bug causing etcd upsertion/deletion events to be potentially missed during the initial synchronization, when Cilium operates in KVStore mode, or Cluster Mesh is enabled. (Backport PR [#​34184](https://redirect.github.com/cilium/cilium/issues/34184), Upstream PR [#​34091](https://redirect.github.com/cilium/cilium/issues/34091), [@​giorio94](https://redirect.github.com/giorio94)) - Fix rare race condition afflicting clustermesh while stopping the retrieval of the remote cluster configuration, possibly causing a deadlock (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33735](https://redirect.github.com/cilium/cilium/issues/33735), [@​giorio94](https://redirect.github.com/giorio94)) - pkg/metrics: fix data race warning on metrics init hook. (Backport PR [#​33963](https://redirect.github.com/cilium/cilium/issues/33963), Upstream PR [#​33823](https://redirect.github.com/cilium/cilium/issues/33823), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) - Report the correct drop reason when a packet is dropped by the bpf_lxc program. (Backport PR [#​31735](https://redirect.github.com/cilium/cilium/issues/31735), Upstream PR [#​33551](https://redirect.github.com/cilium/cilium/issues/33551), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) - The cilium agent will now recover from stale nodeID mappings which could occur in clusters with high node churn, possibly manifesting itself in dropped IPsec traffic. (Backport PR [#​34150](https://redirect.github.com/cilium/cilium/issues/34150), Upstream PR [#​33666](https://redirect.github.com/cilium/cilium/issues/33666), [@​bimmlerd](https://redirect.github.com/bimmlerd)) **CI Changes:** - \[v1.14] ci/ipsec: add missing config for patch-upgrade test with 6.6 kernel ([#​33737](https://redirect.github.com/cilium/cilium/issues/33737), [@​julianwiedmann](https://redirect.github.com/julianwiedmann)) - gha: Add http client timeout in Ingress (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33683](https://redirect.github.com/cilium/cilium/issues/33683), [@​sayboras](https://redirect.github.com/sayboras)) - gha: add spot input to setup-eks-cluster action ([#​33848](https://redirect.github.com/cilium/cilium/issues/33848), [@​giorio94](https://redirect.github.com/giorio94)) - gha: don't fail if all cloud provider matrix entries are filtered out (Backport PR [#​33963](https://redirect.github.com/cilium/cilium/issues/33963), Upstream PR [#​33819](https://redirect.github.com/cilium/cilium/issues/33819), [@​giorio94](https://redirect.github.com/giorio94)) - gha: ensure that helm values.schema.json is not accidentally backported (Backport PR [#​33963](https://redirect.github.com/cilium/cilium/issues/33963), Upstream PR [#​33845](https://redirect.github.com/cilium/cilium/issues/33845), [@​giorio94](https://redirect.github.com/giorio94)) - gha: lint absence of trailing spaces in workflow files (Backport PR [#​34150](https://redirect.github.com/cilium/cilium/issues/34150), Upstream PR [#​33908](https://redirect.github.com/cilium/cilium/issues/33908), [@​giorio94](https://redirect.github.com/giorio94)) - gha: simplify the call-backport-label-updater workflow (Backport PR [#​33963](https://redirect.github.com/cilium/cilium/issues/33963), Upstream PR [#​33934](https://redirect.github.com/cilium/cilium/issues/33934), [@​giorio94](https://redirect.github.com/giorio94)) - test: use cgr.dev/chainguard/busybox:latest instead of docker.io image. (Backport PR [#​34150](https://redirect.github.com/cilium/cilium/issues/34150), Upstream PR [#​34004](https://redirect.github.com/cilium/cilium/issues/34004), [@​tommyp1ckles](https://redirect.github.com/tommyp1ckles)) - workflow: Use per-tunnel keys for the IPsec upgrade test (Backport PR [#​34150](https://redirect.github.com/cilium/cilium/issues/34150), Upstream PR [#​33769](https://redirect.github.com/cilium/cilium/issues/33769), [@​pchaigno](https://redirect.github.com/pchaigno)) **Misc Changes:** - \[v1.14] Update Docker dependency ([#​34189](https://redirect.github.com/cilium/cilium/issues/34189), [@​ferozsalam](https://redirect.github.com/ferozsalam)) - chore(deps): update all github action dependencies (v1.14) ([#​34054](https://redirect.github.com/cilium/cilium/issues/34054), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all github action dependencies (v1.14) ([#​34171](https://redirect.github.com/cilium/cilium/issues/34171), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.14) ([#​33651](https://redirect.github.com/cilium/cilium/issues/33651), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update all-dependencies (v1.14) ([#​34052](https://redirect.github.com/cilium/cilium/issues/34052), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update cilium/little-vm-helper action to v0.0.19 (v1.14) ([#​33800](https://redirect.github.com/cilium/cilium/issues/33800), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/cilium-cli to v0.16.13 (v1.14) ([#​33801](https://redirect.github.com/cilium/cilium/issues/33801), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update dependency cilium/hubble to v1 (v1.14) ([#​34055](https://redirect.github.com/cilium/cilium/issues/34055), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - chore(deps): update go to v1.22.6 (v1.14) ([#​34264](https://redirect.github.com/cilium/cilium/issues/34264), [@​cilium-renovate](https://redirect.github.com/cilium-renovate)\[bot]) - daemon/ipam: don't swallow parse error of CIDR (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33283](https://redirect.github.com/cilium/cilium/issues/33283), [@​bimmlerd](https://redirect.github.com/bimmlerd)) - doc: update slack channel reference (Backport PR [#​34150](https://redirect.github.com/cilium/cilium/issues/34150), Upstream PR [#​34044](https://redirect.github.com/cilium/cilium/issues/34044), [@​Huweicai](https://redirect.github.com/Huweicai)) - docs,LRP: Add steps to restart agent and operator pods and update feature roadmap status (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33655](https://redirect.github.com/cilium/cilium/issues/33655), [@​aditighag](https://redirect.github.com/aditighag)) - docs: Extend LRP guide with troubleshooting section (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33373](https://redirect.github.com/cilium/cilium/issues/33373), [@​aditighag](https://redirect.github.com/aditighag)) - docs: remove mention of outdated clustermesh + L7 policies + tunnel limitation (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33626](https://redirect.github.com/cilium/cilium/issues/33626), [@​giorio94](https://redirect.github.com/giorio94)) - docs: Update LVH VM image pull instructions (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33621](https://redirect.github.com/cilium/cilium/issues/33621), [@​brb](https://redirect.github.com/brb)) - Documentation: Add --set cni.exclusive=false for Azure Chain Mode (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33708](https://redirect.github.com/cilium/cilium/issues/33708), [@​Mais316](https://redirect.github.com/Mais316)) - helm: Allow socket linger timeout to be set to zero (Backport PR [#​33963](https://redirect.github.com/cilium/cilium/issues/33963), Upstream PR [#​33887](https://redirect.github.com/cilium/cilium/issues/33887), [@​gandro](https://redirect.github.com/gandro)) - renovate: onboard etcd image used in integration tests (Backport PR [#​33815](https://redirect.github.com/cilium/cilium/issues/33815), Upstream PR [#​33679](https://redirect.github.com/cilium/cilium/issues/33679), [@​giorio94](https://redirect.github.com/giorio94)) **Other Changes:** - \[v1.14] ci: use base and head SHAs from context in lint-build-commits workflow ([#​34268](https://redirect.github.com/cilium/cilium/issues/34268), [@​tklauser](https://redirect.github.com/tklauser)) - \[v1.14] Revert "docs: Update LRP feature status" ([#​34239](https://redirect.github.com/cilium/cilium/issues/34239), [@​ysksuzuki](https://redirect.github.com/ysksuzuki)) - chore(deps): update go to v1.22.5 ([#​34073](https://redirect.github.com/cilium/cilium/issues/34073), [@​YutaroHayakawa](https://redirect.github.com/YutaroHayakawa)) - Fix IPSec XfrmInStateProtoError errors on agent restart in cluster pool IPAM mode ([#​34030](https://redirect.github.com/cilium/cilium/issues/34030), [@​dylandreimerink](https://redirect.github.com/dylandreimerink)) - install: Update image digests for v1.14.13 ([#​33746](https://redirect.github.com/cilium/cilium/issues/33746), [@​cilium-release-bot](https://redirect.github.com/cilium-release-bot)\[bot]) #### Docker Manifests ##### cilium `docker.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637` `quay.io/cilium/cilium:v1.14.14@​sha256:43d664501afbf35496e494dae0c5a7f8680a51ed9084997bea9c64bf4451a637` ##### clustermesh-apiserver `docker.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135` `quay.io/cilium/clustermesh-apiserver:v1.14.14@​sha256:43171d3f988ffa7b5ef58b7f329bab77a5382c620b56ed9a64909e4358174135` ##### docker-plugin `docker.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2` `quay.io/cilium/docker-plugin:v1.14.14@​sha256:8f4722b3fc3b64438065eeb8d4a003f8166032bf2bc1bad0480495cd7f9feef2` ##### hubble-relay `docker.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac` `quay.io/cilium/hubble-relay:v1.14.14@​sha256:6fdad9d7ce64efbb966745005a2060223d9677cc4407177171b865691ab00aac` ##### kvstoremesh `docker.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41` `quay.io/cilium/kvstoremesh:v1.14.14@​sha256:ac7b4ddc38abfa0a27a503c7453dc8a8d4b3b1b1e785b02fda3ccbe613987c41` ##### operator-alibabacloud `docker.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49` `quay.io/cilium/operator-alibabacloud:v1.14.14@​sha256:2a88642e1c76548a0c4d8e8fe2facaed5f6955040bdd4729a6d1090eafde5e49` ##### operator-aws `docker.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80` `quay.io/cilium/operator-aws:v1.14.14@​sha256:adb1ea6a98b2715c5bed74ba4ab9fab89f6862aff462a5a05acd0d8c39d3af80` ##### operator-azure `docker.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51` `quay.io/cilium/operator-azure:v1.14.14@​sha256:4a88010d124b70ca1b1df90e0ca40bd79a99e344f72bfc821b9ef490421d0f51` ##### operator-generic `docker.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2` `quay.io/cilium/operator-generic:v1.14.14@​sha256:0f2c8178bd20189fc9aeaa71224e6becdf71b42642209610b57390f7b798aae2` ##### operator `docker.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded` `quay.io/cilium/operator:v1.14.14@​sha256:8d1445bb129ccc56e6f2410369e0c9bacbb3ae9b7fde522c76734f01005e9ded` ### [`v1.14.13`](https://redirect.github.com/cilium/cilium/releases/tag/v1.14.13): 1.14.13 [Compare Source](https://redirect.github.com/cilium/cilium/compare/1.14.12...1.14.13) ## Summary of Changes We are pleased to release Cilium v1.14.13, which includes and updated Hubble UI, as well as stability and bug fixes. Thanks to all contributors, reviewers, testers, and users! **Minor Changes:** - ui: v0.13.1 release (Backport PR [#​33227](https://redirect.github.com/cilium/cilium/issues/33227), Upstream PR [#​32852](https://redirect.github.com/cilium/cilium/issues/32852), [@​geakstr](https://redirect.github.com/geakstr)) **Bugfixes:** - envoy: Avoid short circuit backend filtering (Backport PR [#​33534](https://redirect.github.com/cilium/cilium/issues/33534), Upstream PR [#​33403](https://redirect.github.com/cilium/cilium/issues/33403), [@​sayboras](https://redirect.github.com/sayboras)) - Fix service connection to terminating backend, when the serv

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate[bot]]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 19 additional dependencies were updated

Details:

Package	Change
github.com/distribution/reference	v0.5.0 -> v0.6.0
github.com/go-jose/go-jose/v3	v3.0.1 -> v3.0.3
github.com/go-logr/logr	v1.4.1 -> v1.4.2
github.com/opencontainers/image-spec	v1.1.0-rc4 -> v1.1.0
go.opentelemetry.io/otel	v1.24.0 -> v1.28.0
go.opentelemetry.io/otel/metric	v1.24.0 -> v1.28.0
go.opentelemetry.io/otel/sdk	v1.21.0 -> v1.28.0
go.opentelemetry.io/otel/trace	v1.24.0 -> v1.28.0
golang.org/x/crypto	v0.23.0 -> v0.25.0
golang.org/x/mod	v0.17.0 -> v0.19.0
golang.org/x/net	v0.25.0 -> v0.27.0
golang.org/x/sys	v0.20.0 -> v0.22.0
golang.org/x/term	v0.20.0 -> v0.22.0
golang.org/x/text	v0.15.0 -> v0.16.0
golang.org/x/tools	v0.20.0 -> v0.23.0
google.golang.org/genproto/googleapis/api	v0.0.0-20240415180920-8c6c420018be -> v0.0.0-20240701130421-f6361c86f094
google.golang.org/genproto/googleapis/rpc	v0.0.0-20240429193739-8cf5692501f6 -> v0.0.0-20240701130421-f6361c86f094
google.golang.org/grpc	v1.63.2 -> v1.64.0
google.golang.org/protobuf	v1.34.1 -> v1.34.2