Contour v1.33.5 is a security patch: it closes a JWT verification bypass that was possible when fallback certificates were combined with JWT-protected HTTPProxy routes.
Key changes (4)
- Patches GHSA-g3xr-5w5j-w4q4: HTTPProxy configs combining a fallback certificate with JWT verification could let requests without SNI, or with unrecognized SNI, skip JWT verification
- Contour now rejects this invalid fallback-certificate-plus-JWT configuration outright instead of silently allowing the bypass
- Tested against Kubernetes 1.32 through 1.34
- No other functional changes in this release