repo: Release v1.33.13

publish-envoy[bot] · phlax · commit b2670bbebda0 · 2025-12-03T19:40:33.000Z
* Security fixes: - CVE-2025-64527: Envoy crashes when JWT authentication is configured with the remote JWKS fetching - CVE-2025-66220: TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte - CVE-2025-64763: Potential request smuggling from early data after the CONNECT upgrade **Docker images**: https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.33.13 **Docs**: https://www.envoyproxy.io/docs/envoy/v1.33.13/ **Release notes**: https://www.envoyproxy.io/docs/envoy/v1.33.13/version_history/v1.33/v1.33.13 **Full changelog**: v1.33.12...v1.33.13
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.33.13-dev
+1.33.13
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -1,29 +1,17 @@
-date: Pending
+date: December 3, 2025
 
 behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
 - area: http
   change: |
     Added runtime flag ``envoy.reloadable_features.reject_early_connect_data`` to reject ``CONNECT`` requests
     that receive data before Envoy sent a ``200`` response to the client. While this is not a strictly compliant behavior
     it is very common as a latency reducing measure. As such the option is disabled by default.
 
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
-
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: tls
   change: |
     Fixed an issue where SANs of type ``OTHERNAME`` in a TLS cert were truncated if there was
     an embedded null octet, leading to incorrect SAN validation.
 - area: http
   change: |
     Fixed a remote ``jwt_auth`` token fetch crash with two or more auth headers when ``allow_missing_or_failed`` is set.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:
diff --git a/docs/inventories/v1.33/objects.inv b/docs/inventories/v1.33/objects.inv
diff --git a/docs/versions.yaml b/docs/versions.yaml
@@ -26,4 +26,4 @@
 "1.30": 1.30.11
 "1.31": 1.31.10
 "1.32": 1.32.13
-"1.33": 1.33.11
+"1.33": 1.33.12
