Contour
v1.31.5Networking & MessagingContour v1.31.5 is a security/stability patch: Envoy bumped to v1.34.13, grpc-go updated to patch CVE-2026-33186 (Contour itself unaffected), and a minor manifest cleanup.
securityUpgrade for Envoy security fixes — don't wait on this one
Envoy v1.34.13 carries security vulnerability fixes. The release notes don't enumerate specific CVEs, but Envoy patches at the .13 point release level are serious. Upgrade Contour to pull in the new Envoy image. If you run a heavily customized Envoy config, verify behavior in staging first, but don't sit on this.
securityCVE-2026-33186 in grpc-go: patched, Contour not affected — no emergency action needed
The grpc-go update closes CVE-2026-33186, but Contour's own code doesn't hit the vulnerable path. You still benefit from upgrading since the dependency is bundled in the Contour binary. No emergency rollout required, but include this in your next maintenance window.
breakingCheck custom manifests if you rely on Envoy metrics hostPort 8002
The example manifests no longer expose hostPort: 8002 for Envoy metrics. If you copy or base your deployment manifests on Contour's examples and depend on host-level metrics scraping via that port, update your scrape configs and manifests accordingly. Production installs using the operator or Helm are unlikely to be affected unless you explicitly templated this.
主な変更 (3)
- Envoy updated to v1.34.13 to address security vulnerabilities and improve stability
- grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour is not in the affected code path)
- Removed hostPort: 8002 from Envoy metrics in example manifests