Skip to content

chore(deps): bump github.com/projectcontour/contour from 1.33.2 to 1.33.4#2

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/github.com/projectcontour/contour-1.33.4
Open

chore(deps): bump github.com/projectcontour/contour from 1.33.2 to 1.33.4#2
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/go_modules/github.com/projectcontour/contour-1.33.4

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 24, 2026

Bumps github.com/projectcontour/contour from 1.33.2 to 1.33.4.

Release notes

Sourced from github.com/projectcontour/contour's releases.

v1.33.4

We are delighted to present version v1.33.4 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

Security fix for CVE-2026-41246

This release fixes CVE-2026-41246, a Lua code injection vulnerability in Contour's Cookie Rewriting feature.

An attacker with RBAC permissions to create or modify HTTPProxy resources could craft a malicious cookieRewritePolicies[].pathRewrite.value that results in arbitrary code execution in the Envoy proxy. Since Envoy runs as shared infrastructure, the injected code could read Envoy's xDS client credentials from the filesystem or cause denial of service for other tenants sharing the Envoy instance.

The fix removes the use of text/template for generating Lua code entirely. User-provided values are now passed as structured data via Envoy's filterContext and read by a static Lua script at runtime.

Note: This release requires Envoy 1.35.0 or later.

Other Changes

Installing and Upgrading

For a fresh install of Contour, consult the getting started documentation.

To upgrade an existing Contour installation, please consult the upgrade documentation.

Compatible Kubernetes Versions

Contour v1.33.4 is tested against Kubernetes 1.32 through 1.34.

Are you a Contour user? We would love to know!

If you're using Contour and want to add your organization to our adopters list, please visit this page. If you prefer to keep your organization name anonymous but still give us feedback into your usage and scenarios for Contour, please post on this GitHub thread.

Contour v1.33.3

We are delighted to present version v1.33.3 of Contour, our layer 7 HTTP reverse proxy for Kubernetes clusters.

All Changes

  • Bumps to Envoy v1.35.9 to address security vulnerabilities.
  • Updates google.golang.org/grpc to v1.79.3, which addresses CVE-2026-33186 (Contour is not affected).
  • Removes Envoy metrics hostPort: 8002 from example manifests. (#7476)

Installing and Upgrading

... (truncated)

Commits
  • 6eb0daf Update Contour Docker image to v1.33.4.
  • d1e24f0 release-1.33: Bump to Envoy v1.35.10
  • 72793e0 remove templating from misdirected request Lua script
  • 2d1c174 refactor to common cookie rewrite script
  • 3b70727 Adjust solution to avoid templating
  • 0ee9f20 build(deps): bump codecov/codecov-action from 5.5.3 to 5.5.4 (#7503)
  • 434fb2b build(deps): bump codecov/codecov-action from 5.5.2 to 5.5.3 (#7477)
  • 33278ce Update Contour Docker image to v1.33.3.
  • 8678cda build(deps): bump the k8s-dependencies group with 4 updates (#7478)
  • 5dca6f0 Remove envoy stats hostport from example manifests (#7476) (#7487)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump github.com/projectcontour/contour
994a26f 
Bumps [github.com/projectcontour/contour](https://github.com/projectcontour/contour) from 1.33.2 to 1.33.4.
- [Release notes](https://github.com/projectcontour/contour/releases)
- [Changelog](https://github.com/projectcontour/contour/blob/main/RELEASES.md)
- [Commits](projectcontour/contour@v1.33.2...v1.33.4)

---
updated-dependencies:
- dependency-name: github.com/projectcontour/contour
  dependency-version: 1.33.4
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Apr 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file go Pull requests that update go code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants