fix(deps): update module github.com/cilium/cilium to v1.15.6 [security] (v1.1)

[cilium-renovate]

This PR contains the following updates:

Package	Type	Update	Change
github.com/cilium/cilium	require	patch	v1.15.4 -> v1.15.6

---

Cilium leaks sensitive information in cilium-bugtool

CVE-2024-37307 / GHSA-wh78-7948-358j

More information

Details

Impact

The output of cilium-bugtool can contain sensitive data when the tool is run (with the --envoy-dump flag set) against Cilium deployments with the Envoy proxy enabled.

Users of the following features are affected:

• TLS inspection
• Ingress with TLS termination
• Gateway API with TLS termination
• Kafka network policies with API key filtering

The sensitive data includes:

• The CA certificate, certificate chain, and private key used by Cilium HTTP Network Policies, and when using Ingress/Gateway API
• The API keys used in Kafka-related network policy

cilium-bugtool is a debugging tool that is typically invoked manually and does not run during the normal operation of a Cilium cluster.

Patches

This issue affects:

• Cilium v1.13 between v1.13.0 and v1.13.16 inclusive
• Cilium v1.14 between v1.14.0 and v1.14.11 inclusive
• Cilium v1.15 between v1.15.0 and v1.15.5 inclusive

This issue has been patched in:

• Cilium v1.15.6
• Cilium v1.14.12
• Cilium v1.13.17

Workarounds

There is no workaround to this issue.

Acknowledgements

The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @​sayboras for their work on triaging and remediating this issue.

For more information

If you have any questions or comments about this advisory, please reach out on Slack.

If you think you have found a vulnerability affecting Cilium, we strongly encourage you to report it to our security mailing list at security@cilium.io. This is a private mailing list for the Cilium security team, and your report will be treated as top priority.

Severity

• CVSS Score: 7.9 / 10 (High)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

References

• https://github.com/cilium/cilium/security/advisories/GHSA-wh78-7948-358j
• https://nvd.nist.gov/vuln/detail/CVE-2024-37307
• https://github.com/cilium/cilium/commit/0191b1ebcfdd61cefd06da0315a0e7d504167407
• https://github.com/cilium/cilium/commit/224e288a5bf40d0bb0f16c9413693b319633431a
• https://github.com/cilium/cilium/commit/9299c0fd0024e33397cffc666ff851e82af28741
• https://github.com/cilium/cilium/commit/958d7b77274bf2c272d8cdfd812631d644250653
• https://github.com/cilium/cilium/commit/9eb25ba40391a9b035d7e66401b862818f4aac4b
• https://github.com/cilium/cilium/commit/bf9a1ae1b2d2b2c9cca329d7aa96aa4858032a61
• https://github.com/cilium/cilium

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

cilium/cilium (github.com/cilium/cilium)

v1.15.6: 1.15.6

Compare Source

We are pleased to release Cilium v1.15.6 that improves background resynchronization of nodes, improves the CLI to troubleshoot connectivity issues, lowers CPU consumption with IPsec for large clusters, and brings a number of additional fixes. Thanks to all contributors, reviewers, testers, and users! ❤️

Summary of Changes

Minor Changes:

• [v1.15] fqdn: Forward-compatibility with Cilium 1.16 FQDN identities (#​32872, @​gandro)
• Generate SBOMs using Syft instead of bom (Backport PR #​32691, Upstream PR #​32307, @​ferozsalam)
• Improved background resynchronization of nodes. Before all nodes were being updated at the same time, now we spread updates over time to average out CPU usage. (Backport PR #​32748, Upstream PR #​32577, @​marseel)
• Introduce CLI commands to troubleshoot connectivity issues to the etcd kvstore and clustermesh control plane (Backport PR #​32568, Upstream PR #​32336, @​giorio94)
• ipsec: Improve CPU usage of cilum-agent in large clusters (Backport PR #​32882, Upstream PR #​32588, @​marseel)
• KVStoreMesh: expose remote clusters information and introduce dedicated CLI command (Backport PR #​32568, Upstream PR #​32156, @​giorio94)

Bugfixes:

• .github/workflows: fix digests file creation (Backport PR #​32889, Upstream PR #​32860, @​aanm)
• [v1.15] iptables: Do not install NOTRACK rules if IPv4NativeRoutingCIDR is nil (#​32649, @​pippolo84)
• Add missing kvstore-max-consecutive-quorum-errors option to clustermesh-apiserver/kvstoremesh binaries (Backport PR #​32500, Upstream PR #​32117, @​giorio94)
• bgp: service eTP=local, withdraw route when last backend on the node goes in terminating state (Backport PR #​32691, Upstream PR #​32536, @​harsimran-pabla)
• Cilium BGPv1 Reconciler - Handle updated and deprecated Cidr fields for CiliumLoadBalancerIPPool (Backport PR #​32889, Upstream PR #​32694, @​dswaffordcw)
• cni: Reserve local ports for DNS proxy even if IPv6 is disabled (Backport PR #​32789, Upstream PR #​32725, @​gandro)
• egressgw: Let the EGW manager relax rp_filter on egress device (Backport PR #​32778, Upstream PR #​32679, @​ysksuzuki)
• Fix DNS proxy regression from Cilium 1.15 on IPv4 only nodes (Backport PR #​32789, Upstream PR #​31671, @​foyerunix)
• Fix indexing bug in the logic for picking NodePort addresses. In rare cases this may have caused wrong address to be selected for NodePort use, or an out-of-bounds access. (Backport PR #​32691, Upstream PR #​32506, @​joamaki)
• Fix PromQL query in Cilium Metrics dashboard (Backport PR #​32691, Upstream PR #​32017, @​mikemykhaylov)
• Fix rare race condition afflicting clustermesh when disconnecting from a remote cluster, possibly causing the agent to panic (Backport PR #​32691, Upstream PR #​32513, @​giorio94)
• Fixes accidentally ignoring the preflight.nodeSelector Helm value. (Backport PR #​32691, Upstream PR #​32548, @​squeed)
• Fixes unencrypted traffic among nodes when IPsec is used with L7 egress proxy. (Backport PR #​32932, Upstream PR #​32683, @​jschwinger233)
• ingress: Set the default value for max_stream_timeout (Backport PR #​32889, Upstream PR #​31514, @​tskinn)
• Introduce timeout when waiting for the initial synchronization from remote clusters, to avoid blocking forever necessary GC operations in case of clustermesh misconfigurations. (Backport PR #​32802, Upstream PR #​32671, @​giorio94)
• ipsec: Safely delete Xfrm state (Backport PR #​32691, Upstream PR #​32450, @​jschwinger233)
• proxy: Re-enable proxy rule installation in native-routing mode for CEC (Backport PR #​32481, Upstream PR #​32367, @​sayboras)
• Remove deprecated hubble.ui.securityContext.enabled from hubble-ui deployment template (Backport PR #​32889, Upstream PR #​32338, @​stelucz)

CI Changes:

• CI: Add job name validation (Backport PR #​32500, Upstream PR #​32462, @​brlbil)
• ci: Filter supported versions of EKS (Backport PR #​32889, Upstream PR #​32304, @​marseel)
• ci: Filter supported versions of GKE (Backport PR #​32691, Upstream PR #​32302, @​marseel)
• ci: l4lb: gather more infos about docker-in-docker issues (Backport PR #​32691, Upstream PR #​32570, @​mhofstetter)
• ci: l4lb: restart docker-in-docker container on failure (Backport PR #​32691, Upstream PR #​32600, @​mhofstetter)
• eks: Don't use spot instances (Backport PR #​32691, Upstream PR #​32553, @​michi-covalent)
• GCP OIDC instead of SA creds. (Backport PR #​32707, Upstream PR #​30809, @​viktor-kurchenko)
• gha: cover TLS auth mode in clustermesh upgrade/downgrade tests (Backport PR #​32789, Upstream PR #​32684, @​giorio94)
• gha: test certificate generation methods in conformance clustermesh (Backport PR #​32789, Upstream PR #​32654, @​giorio94)
• Modify GitHub Actions Workflows to echo the inputs they are given when triggered by a workflow_dispatch event. (Backport PR #​32500, Upstream PR #​31424, @​learnitall)
• Use GH_RUNNER_EXTRA_POWER for CI image workflow (Backport PR #​32500, Upstream PR #​32402, @​michi-covalent)
• workflows: ignore "No egress gateway found" drops (Backport PR #​32691, Upstream PR #​32564, @​jibi)
• workflows: Remove stale CodeQL workflow (Backport PR #​32691, Upstream PR #​32084, @​pchaigno)

Misc Changes:

• (v1.15) Bump go-jose (#​32869, @​ferozsalam)
• (v1.15) Bump golang.org/x/net (#​32793, @​ferozsalam)
• background-sync: fix bootstrap issue and edge-case with 1 node (Backport PR #​32748, Upstream PR #​32630, @​marseel)
• bpf: add ext_err for more callers of tail_call_internal() (Backport PR #​32332, Upstream PR #​30023, @​julianwiedmann)
• bpf: add improved helper for program-internal tail-call (Backport PR #​32332, Upstream PR #​30001, @​julianwiedmann)
• bpf: add multicast in MAX_OVERLAY_OPTIONS (Backport PR #​32332, Upstream PR #​32129, @​harsimran-pabla)
• bpf: convert ep_tail_call() to tail_call_internal() (Backport PR #​32332, Upstream PR #​30288, @​julianwiedmann)
• bpf: egw: delay SNAT for local client to actual egress interface (Backport PR #​32789, Upstream PR #​32428, @​julianwiedmann)
• bpf: hide dynamic/static variant for policy tail-call (Backport PR #​32332, Upstream PR #​32299, @​julianwiedmann)
• bpf: minor tail-call cleanups (Backport PR #​32332, Upstream PR #​31990, @​julianwiedmann)
• bump cni plugins to v1.5.0 (Backport PR #​32691, Upstream PR #​32629, @​antonipp)
• Bump timeout of lint-build-commits.yaml (Backport PR #​32789, Upstream PR #​32746, @​YutaroHayakawa)
• chore(deps): update all github action dependencies (v1.15) (#​32493, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​32632, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​32719, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​32841, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​32923, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (patch) (#​32633, @​renovate[bot])
• chore(deps): update cilium/cilium-cli action to v0.16.7 (v1.15) (#​32395, @​renovate[bot])
• chore(deps): update cilium/little-vm-helper action to v0.0.18 (v1.15) (#​32580, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.8 (v1.15) (#​32780, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.9 (v1.15) (#​32835, @​renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.13.4 (v1.15) (#​32519, @​renovate[bot])
• chore(deps): update dependency cilium/hubble to v0.13.5 (v1.15) (#​32948, @​cilium-renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to 19478ce (v1.15) (#​32922, @​renovate[bot])
• chore(deps): update gcr.io/etcd-development/etcd docker tag to v3.5.14 (v1.15) (#​32838, @​renovate[bot])
• chore(deps): update go (v1.15) (#​32623, @​renovate[bot])
• chore(deps): update go to v1.21.11 (v1.15) (#​32894, @​renovate[bot])
• chore(deps): update quay.io/cilium/hubble docker tag to v0.13.4 (v1.15) (#​32634, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​32635, @​renovate[bot])
• contrib: Remove CHARTS_PATH dependency (Backport PR #​32691, Upstream PR #​32328, @​joestringer)
• datapath: report distinct drop reason for missed endpoint policy tailcall (Backport PR #​32332, Upstream PR #​32151, @​julianwiedmann)
• docs: Add example for kube-apiserver entity policy (Backport PR #​32500, Upstream PR #​32278, @​joestringer)
• Docs: add note about AKS kube-apiserver entity (Backport PR #​32691, Upstream PR #​32464, @​darox)
• docs: ipsec: remove limitation for native-routing with L7 egress policy (Backport PR #​32955, Upstream PR #​32906, @​julianwiedmann)
• Miscellaneous improvements to the clustermesh troubleshooting guide (Backport PR #​32568, Upstream PR #​32552, @​giorio94)

Other Changes:

• [v1.15] bugtool: Avoid sensitive data in envoy config dump (#​32964, @​sayboras)
• [v1.15] envoy: Bump envoy version to v1.28.4 (#​32908, @​sayboras)
• Fix: LB service lookup for flow matching conntrack entry (#​32608, @​sypakine)
• install: Update image digests for v1.15.5 (#​32544, @​nebril)
• Revert golang image version of hubble-relay (#​32732, @​YutaroHayakawa)

v1.15.6

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.6@​sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def
quay.io/cilium/cilium:stable@sha256:6aa840986a3a9722cd967ef63248d675a87add7e1704740902d5d3162f0c0def

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.6@​sha256:6365c2fe8a038fc7adcdeb7ffb8d7a8a2cd3ee524687f35fff9df76fafeeb029
quay.io/cilium/clustermesh-apiserver:stable@sha256:6365c2fe8a038fc7adcdeb7ffb8d7a8a2cd3ee524687f35fff9df76fafeeb029

docker-plugin

quay.io/cilium/docker-plugin:v1.15.6@​sha256:5615f007989bdf878291417b571f753948200087f2dd483a594693e320520b5b
quay.io/cilium/docker-plugin:stable@sha256:5615f007989bdf878291417b571f753948200087f2dd483a594693e320520b5b

hubble-relay

quay.io/cilium/hubble-relay:v1.15.6@​sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c
quay.io/cilium/hubble-relay:stable@sha256:a0863dd70d081b273b87b9b7ce7e2d3f99171c2f5e202cd57bc6691e51283e0c

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.6@​sha256:7e1664bd18645b38fd41dc1c2decd334abeefe63d4d69bfbc65765806eb4a31f
quay.io/cilium/operator-alibabacloud:stable@sha256:7e1664bd18645b38fd41dc1c2decd334abeefe63d4d69bfbc65765806eb4a31f

operator-aws

quay.io/cilium/operator-aws:v1.15.6@​sha256:9656d44ee69817d156cc7d3797f92de2e534dfb991610c79c00e097b4dedd620
quay.io/cilium/operator-aws:stable@sha256:9656d44ee69817d156cc7d3797f92de2e534dfb991610c79c00e097b4dedd620

operator-azure

quay.io/cilium/operator-azure:v1.15.6@​sha256:386456c055c5d1380daf966d565fcafaed68467a4fe692679530764e3b56f170
quay.io/cilium/operator-azure:stable@sha256:386456c055c5d1380daf966d565fcafaed68467a4fe692679530764e3b56f170

operator-generic

quay.io/cilium/operator-generic:v1.15.6@​sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d
quay.io/cilium/operator-generic:stable@sha256:5789f0935eef96ad571e4f5565a8800d3a8fbb05265cf6909300cd82fd513c3d

operator

quay.io/cilium/operator:v1.15.6@​sha256:f3ebc5eac9c0b37aabdf120e120a704ccd77d8c34191adec120e9ee021b8a875
quay.io/cilium/operator:stable@sha256:f3ebc5eac9c0b37aabdf120e120a704ccd77d8c34191adec120e9ee021b8a875

v1.15.5: 1.15.5

Compare Source

We are pleased to announce the release of Cilium v1.15.5.

This release fixes a lot of bugs, including fixes for conflicting ports with DNS proxy, clustermesh startup issues, and StatefulSet handling.

Security Advisories

This release addresses following security vulnerabilities:

• GHSA-3mh5-6q8v-25wj
• GHSA-5fq7-4mxc-535h

Summary of Changes

Minor Changes:

• envoy: Bump go version to 1.22.3 (#​32413, @​sayboras)
• labels: Add controller-uid into default ignore list (Backport PR #​32103, Upstream PR #​31964, @​sayboras)

Bugfixes:

• Agent: add kubeconfigPath to initContainers (Backport PR #​32230, Upstream PR #​32008, @​darox)
• Avoids drops with "No mapping for NAT masquerade" for ICMP messages by local service backends. (Backport PR #​32384, Upstream PR #​32155, @​julianwiedmann)
• cilium-cni: Reserve ports that can conflict with transparent DNS proxy (Backport PR #​32418, Upstream PR #​32128, @​gandro)
• cni: Use correct route MTU when ENI, Azure or Alibaba Cloud IPAM is enabled (Backport PR #​32384, Upstream PR #​32244, @​learnitall)
• dnsproxy: Fix bug where DNS request timed out too soon (Backport PR #​32230, Upstream PR #​31999, @​gandro)
• Envoy upstream connections are now unique for each downstream connection when using the original source address of a source pod. (Backport PR #​32312, Upstream PR #​32270, @​jrajahalme)
• envoy: pass idle timeout configuration option to cilium configmap (Backport PR #​32230, Upstream PR #​32203, @​mhofstetter)
• Fix failing service connections, when the service requests are transported via cilium's overlay network. (Backport PR #​32230, Upstream PR #​32116, @​julianwiedmann)
• Fix issue causing clustermesh-apiserver/kvstoremesh to not start when run with a non-root user (Backport PR #​31879, Upstream PR #​31539, @​giorio94)
• Fix service connection to terminating backend, when the service has no more backends available. (Backport PR #​32092, Upstream PR #​31840, @​julianwiedmann)
• Fix various bugs related to restart of StatefulSet pods that may result in connectivity issues (Backport PR #​32432, Upstream PR #​31605, @​christarazi)
• Fixes a bug where Cilium in chained mode removed the agent-not-ready taint too early if the primary network is slow in deploying. (Backport PR #​32230, Upstream PR #​32168, @​squeed)
• Fixes an (unlikely) bug where HostFirewall policies may miss updates to a node's labels. (Backport PR #​32384, Upstream PR #​30548, @​squeed)
• fqdn: fix memory leak in transparent mode when there was a moderately high number of parallel DNS requests (>100). (Backport PR #​32103, Upstream PR #​31959, @​marseel)
• Ingress/Gateway API: merge Envoy listeners for HTTP(S) and TLS passthrough (Backport PR #​32178, Upstream PR #​31646, @​mhofstetter)
• ipam: retry netlink.LinkList call when setting up ENI devices (Backport PR #​32230, Upstream PR #​32099, @​jasonaliyetti)
• loader: sanitize bpffs directory strings for netdevs (Backport PR #​32103, Upstream PR #​32090, @​rgo3)
• Prevent Cilium agents from incorrectly restarting an etcd watch against a different etcd instance. (#​32005, @​giorio94)
• tables: Sort node addresses also by public vs private IP (Backport PR #​32103, Upstream PR #​30579, @​joamaki)

CI Changes:

• alibabacloud/eni: avoid racing node mgr in test (Backport PR #​31967, Upstream PR #​31877, @​bimmlerd)
• ci: Filter supported versions of AKS (Backport PR #​32384, Upstream PR #​32303, @​marseel)
• ci: Increase timeout for images for l4lb test (Backport PR #​32230, Upstream PR #​32201, @​marseel)
• ci: Set hubble.relay.retryTimeout=5s (Backport PR #​32230, Upstream PR #​32066, @​chancez)
• enable kube cache mutation detector (Backport PR #​32230, Upstream PR #​32069, @​aanm)
• gha: bump post-upgrade timeout in clustermesh upgrade/downgrade tests (Backport PR #​32384, Upstream PR #​32347, @​giorio94)
• gha: configure fully-qualified DNS names as external targets (Backport PR #​32103, Upstream PR #​31510, @​giorio94)
• gha: drop double installation of Cilium CLI in conformance-eks (Backport PR #​32103, Upstream PR #​32042, @​giorio94)
• Miscellaneous improvements to the clustermesh upgrade/downgrade test (Backport PR #​32103, Upstream PR #​31958, @​giorio94)
• route: dedicated net ns for each subtest of runListRules (Backport PR #​32230, Upstream PR #​29916, @​mhofstetter)
• test: De-flake xds server_e2e_test (Backport PR #​32103, Upstream PR #​32004, @​jrajahalme)
• workflows: Fix CI jobs for push events on private forks (Backport PR #​32230, Upstream PR #​32085, @​pchaigno)

Misc Changes:

• bpf: host: simplify MARK_MAGIC_PROXY_EGRESS_EPID handling (Backport PR #​32384, Upstream PR #​29803, @​julianwiedmann)
• build(deps): bump pydantic from 2.3.0 to 2.4.0 in /Documentation (Backport PR #​32230, Upstream PR #​32176, @​dependabot[bot])
• chore(deps): update all github action dependencies (v1.15) (#​31954, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​32107, @​renovate[bot])
• chore(deps): update all github action dependencies (v1.15) (#​32366, @​renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​31993, @​renovate[bot])
• chore(deps): update all-dependencies (v1.15) (#​32238, @​renovate[bot])
• chore(deps): update azure/login action to v2.1.0 (v1.15) (#​31994, @​renovate[bot])
• chore(deps): update dependency cilium/cilium-cli to v0.16.6 (v1.15) (#​32365, @​renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.9 docker digest to 81811f8 (v1.15) (#​31953, @​renovate[bot])
• chore(deps): update docker.io/library/golang:1.21.9 docker digest to d83472f (v1.15) (#​32257, @​renovate[bot])
• chore(deps): update docker.io/library/ubuntu:22.04 docker digest to a6d2b38 (v1.15) (#​32364, @​renovate[bot])
• chore(deps): update go to v1.21.10 (v1.15) (#​32417, @​renovate[bot])
• chore(deps): update golangci/golangci-lint-action action to v6 (v1.15) (#​32396, @​renovate[bot])
• chore(deps): update hubble cli to v0.13.3 (v1.15) (#​32108, @​renovate[bot])
• chore(deps): update stable lvh-images (v1.15) (patch) (#​31821, @​renovate[bot])
• CI: bump default FQDN datapath timeout from 100 to 250ms (Backport PR #​32230, Upstream PR #​31866, @​squeed)
• clustermesh: fix panic if the etcd client cannot be created (Backport PR #​32384, Upstream PR #​32225, @​giorio94)
• docs: Add annotation for Ingress endpoint (Backport PR #​32384, Upstream PR #​32284, @​sayboras)
• docs: add link to sig-policy meeting (Backport PR #​32384, Upstream PR #​32340, @​squeed)
• docs: Clean-up Host Firewall documentation, list known issues (Backport PR #​32384, Upstream PR #​32267, @​qmonnet)
• docs: Fix prometheus port regex (Backport PR #​32230, Upstream PR #​32030, @​JBodkin-Amphora)
• Docs: mark Tetragon as Stable (Backport PR #​31967, Upstream PR #​31886, @​sharlns)
• Document Cluster Mesh global services limitations when KPR=false (Backport PR #​31967, Upstream PR #​31798, @​giorio94)
• endpoint: Skip build queue warning log is context is canceled (Backport PR #​32230, Upstream PR #​32132, @​jrajahalme)
• Fix helm chart incompatible types for comparison (Backport PR #​32230, Upstream PR #​32025, @​lou-lan)
• fqdn: Change error log to warning (Backport PR #​32384, Upstream PR #​32333, @​jrajahalme)
• fqdn: Fix Upgrade Issue Between PortProto Versions (Backport PR #​32384, Upstream PR #​32325, @​nathanjsweet)
• golangci: Enable errorlint (Backport PR #​31783, Upstream PR #​31458, @​jrajahalme)
• images: Update bpftool, checkpatch images (Backport PR #​31896, Upstream PR #​31753, @​qmonnet)
• Improve release organization page (Backport PR #​32103, Upstream PR #​31970, @​joestringer)
• install/kubernetes: add AppArmor profile to Cilium Daemonset (Backport PR #​32384, Upstream PR #​32199, @​aanm)
• install/kubernetes: update nodeinit image to latest version (Backport PR #​32230, Upstream PR #​32181, @​tklauser)
• ipsec: Debug info for transient IPsec upgrade drops (Backport PR #​32384, Upstream PR #​32240, @​pchaigno)
• l7 policy: add possibility to configure Envoy proxy xff-num-trusted-hops (Backport PR #​32260, Upstream PR #​32200, @​mhofstetter)
• Remove aks-preview from AKS workflows (Backport PR #​32230, Upstream PR #​32118, @​marseel)
• Seamlessly downgrade bpf attachments from tcx to tc (Backport PR #​32337, Upstream PR #​32228, @​ti-mo)

Other Changes:

• [1.15] images: update cilium-{runtime,builder} (#​32444, @​nebril)
• [v1.15-backport] Introduce fromEgressProxyRule (#​31922, @​jschwinger233)
• [v1.15] cilium-dbg: remove section with unknown health status. (#​31905, @​tommyp1ckles)
• [v1.15] proxy: skip rule removal if address family is not supported (#​32007, @​rgo3)
• envoy: Bump envoy version to v1.27.5 (#​32077, @​sayboras)
• envoy: Update envoy 1.27.x to 1.28.3 (#​32149, @​sayboras)
• fix k8s versions tested in CI (#​31965, @​nbusseneau)
• install: Update image digests for v1.15.4 (#​31915, @​asauber)

v1.15.5

Docker Manifests

cilium

quay.io/cilium/cilium:v1.15.5@​sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40
quay.io/cilium/cilium:stable@sha256:4ce1666a73815101ec9a4d360af6c5b7f1193ab00d89b7124f8505dee147ca40

clustermesh-apiserver

quay.io/cilium/clustermesh-apiserver:v1.15.5@​sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7
quay.io/cilium/clustermesh-apiserver:stable@sha256:914549caf4376a844b5e7696019182dd2a655b89d6a3cad10f9d0f9821759fd7

docker-plugin

quay.io/cilium/docker-plugin:v1.15.5@​sha256:c301dc000eff2940a82fc51f4a937793fa3a7212d77000a5aa06ae6116032437
quay.io/cilium/docker-plugin:stable@sha256:c301dc000eff2940a82fc51f4a937793fa3a7212d77000a5aa06ae6116032437

hubble-relay

quay.io/cilium/hubble-relay:v1.15.5@​sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781
quay.io/cilium/hubble-relay:stable@sha256:1d24b24e3477ccf9b5ad081827db635419c136a2bd84a3e60f37b26a38dd0781

operator-alibabacloud

quay.io/cilium/operator-alibabacloud:v1.15.5@​sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3
quay.io/cilium/operator-alibabacloud:stable@sha256:d76d45e308f23398b786f1f05504863759849046c20c741ebb64ad80613f8fd3

operator-aws

quay.io/cilium/operator-aws:v1.15.5@​sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9
quay.io/cilium/operator-aws:stable@sha256:f9c0eaea023ce5a75b3ed1fc4b783f390c5a3c7dc1507a2dc4dbc667b80d1bd9

operator-azure

quay.io/cilium/operator-azure:v1.15.5@​sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522
quay.io/cilium/operator-azure:stable@sha256:0a56f2cfdcdf13da21b7fdcc870e29fef82e71e599cd8dd74eb65c377e035522

operator-generic

quay.io/cilium/operator-generic:v1.15.5@​sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8
quay.io/cilium/operator-generic:stable@sha256:f5d3d19754074ca052be6aac5d1ffb1de1eb5f2d947222b5f10f6d97ad4383e8

operator

quay.io/cilium/operator:v1.15.5@​sha256:6f480128aa3d3b2c50a8dfa0bd5bc5121e48b1ee0bbc8eec9cae72e904bf10c3
quay.io/cilium/operator:stable@sha256:6f480128aa3d3b2c50a8dfa0bd5bc5121e48b1ee0bbc8eec9cae72e904bf10c3

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cilium-renovate]

ℹ Artifact update notice

File name: pkg/k8s/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/google/uuid	v1.5.0 -> v1.6.0

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
github.com/vishvananda/netlink	v1.2.1-beta.2.0.20231127184239-0ced8385386a -> v1.2.1-beta.2.0.20240524165444-4d4ba1473f21
github.com/cilium/dns	v1.1.51-0.20231120140355-729345173dc3 -> v1.1.51-0.20240416134107-d47d0dd702a1