repo: Release v1.37.1

**Summary of changes**:

* Security fixes:
  - [CVE-2026-26330](GHSA-c23c-rp3m-vpg3): ratelimit: fix a bug where response phase limit may result in crash
  - [CVE-2026-26308](GHSA-ghc4-35x6-crw5): fix multivalue header bypass in rbac
  - [CVE-2026-26310](GHSA-3cw6-2j68-868p): network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
  - [CVE-2026-26309](GHSA-56cj-wgg3-x943): json: fixed an off-by-one write that could corrupted the string null terminator
  - [CVE-2026-26311](GHSA-84xm-r438-86px): http: ensure decode* methods are blocked after a downstream reset

* Bug fixes:
  - oauth2: Fixed OAuth2 refresh requests so host rewriting no longer overrides the original `Host` header value.
  - ext_proc: Fixed a bug to support two ext_proc filters configured in the chain.
  - ext_proc: Fixed message-valued CEL attribute serialization to use protobuf text format instead of debug string output, restoring compatibility with protobuf 30+.
  - ext_authz: Fixed headers from denied authorization responses (non-200) not being properly propagated to the client.
  - ext_authz: Fixed the HTTP ext_authz client to respect `status_on_error` configuration when the authorization server returns a 5xx error or when HTTP call failures occur.
  - access_log: Fixed a crash on listener removal with a process-level access log rate limiter.

* Other changes:
  - release: Published contrib binaries now include the `-contrib` suffix in their version string and fixed distroless-contrib images.
  - dynamic modules: Introduced extended ABI forward compatibility mechanism for dynamic modules.

* Dependency updates:
  - Migrated googleurl source to GitHub (`google/gurl`).
  - Updated Kafka test binary to 3.9.2.
  - Updated Docker base images.

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.37.1
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.37.1/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.37.1/version_history/v1.37/v1.37.1
**Full changelog**:
    v1.37.0...v1.37.1

Author: publish-envoy[bot]

VERSION.txt

@@ -1 +1 @@
-1.37.1-dev
+1.37.1

changelogs/1.34.13.yaml

@@ -0,0 +1,24 @@
+date: March 10, 2026
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
+- area: http
+  change: |
+    Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet
+    destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
+    had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
+    ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
+- area: json
+  change: |
+    Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
+    when the input string ends with a control character.
+- area: network
+  change: |
+    Fixed a crash in ``Utility::getAddressWithPort`` when called with a scoped IPv6 address (e.g., ``fe80::1%eth0``).
+- area: rbac
+  change: |
+    Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
+    into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
+    The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.

changelogs/1.35.9.yaml

@@ -0,0 +1,24 @@
+date: March 10, 2026
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
+- area: http
+  change: |
+    Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet
+    destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
+    had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
+    ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
+- area: json
+  change: |
+    Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
+    when the input string ends with a control character.
+- area: network
+  change: |
+    Fixed a crash in ``Utility::getAddressWithPort`` when called with a scoped IPv6 address (e.g., ``fe80::1%eth0``).
+- area: rbac
+  change: |
+    Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
+    into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
+    The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.

changelogs/1.36.5.yaml

@@ -0,0 +1,30 @@
+date: March 10, 2026
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
+- area: http
+  change: |
+    Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet
+    destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
+    had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
+    ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
+- area: ratelimit
+  change: |
+    Fixed a bug in the gRPC rate limit client where the client could get into a bad state if the
+    callbacks were not properly released after a request completion, leading to potential use-after-free
+    issues. The fix ensures that callbacks and request references are cleared after completion, and adds
+    assertions to enforce correct usage patterns.
+- area: json
+  change: |
+    Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
+    when the input string ends with a control character.
+- area: network
+  change: |
+    Fixed a crash in ``Utility::getAddressWithPort`` when called with a scoped IPv6 address (e.g., ``fe80::1%eth0``).
+- area: rbac
+  change: |
+    Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
+    into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
+    The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.

changelogs/current.yaml

@@ -1,13 +1,6 @@
-date: Pending
-
-behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
-
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
+date: March 11, 2026
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: oauth2
   change: |
     Fixed OAuth2 refresh requests so host rewriting no longer overrides the original ``Host`` header value.
@@ -64,15 +57,10 @@ bug_fixes:
     into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
     The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.
 
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
 new_features:
 - area: dynamic modules
   change: |
     Introduced the extended ABI forward compatibility mechanism for dynamic modules
     where modules built with a SDK version can be loaded by Envoy
     binaries of the next Envoy version. For example, A module built with the v1.38 SDK
     can now be loaded by an Envoy binary of v1.39.
-
-deprecated:

docs/inventories/v1.34/objects.inv

@@ -27,6 +27,7 @@
 "1.31": 1.31.10
 "1.32": 1.32.13
 "1.33": 1.33.14
-"1.34": 1.34.12
-"1.35": 1.35.8
-"1.36": 1.36.4
+"1.34": 1.34.13
+"1.35": 1.35.9
+"1.36": 1.36.5
+"1.37": 1.37.0