From 78d2f779ef507ea4305dccfb9695c7b374418aeb Mon Sep 17 00:00:00 2001
From: Chris Thain <32781396+cthain@users.noreply.github.com>
Date: Mon, 23 Oct 2023 15:13:40 -0700
Subject: [PATCH] release/1.3.x - Update Envoy (#3118)

---
 .changelog/3118.txt       | 3 +++
 charts/consul/Chart.yaml  | 2 +-
 charts/consul/values.yaml | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 .changelog/3118.txt

diff --git a/.changelog/3118.txt b/.changelog/3118.txt
new file mode 100644
index 0000000000..7a38debb7d
--- /dev/null
+++ b/.changelog/3118.txt
@@ -0,0 +1,3 @@
+```release-note:security
+Update Envoy version to 1.25.11 to address [CVE-2023-44487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-jhv4-f7mr-xx76)
+```
diff --git a/charts/consul/Chart.yaml b/charts/consul/Chart.yaml
index 933efaf30b..cc174f7206 100644
--- a/charts/consul/Chart.yaml
+++ b/charts/consul/Chart.yaml
@@ -22,7 +22,7 @@ annotations:
     - name: consul-dataplane
       image: docker.mirror.hashicorp.services/hashicorppreview/consul-dataplane:1.3-dev
     - name: envoy
-      image: envoyproxy/envoy:v1.26.2
+      image: envoyproxy/envoy:v1.25.11
   artifacthub.io/license: MPL-2.0
   artifacthub.io/links: |
     - name: Documentation
diff --git a/charts/consul/values.yaml b/charts/consul/values.yaml
index bcb39bd8a7..3b4d708308 100644
--- a/charts/consul/values.yaml
+++ b/charts/consul/values.yaml
@@ -3233,7 +3233,7 @@ terminatingGateways:
   gateways:
     - name: terminating-gateway
 
-# [DEPRECATED] Use connectInject.apiGateway instead. This stanza will be removed with the release of Consul 1.17
+# [DEPRECATED] Use connectInject.apiGateway instead.
 # Configuration settings for the Consul API Gateway integration
 apiGateway:
   # When true the helm chart will install the Consul API Gateway controller
@@ -3248,7 +3248,7 @@ apiGateway:
   # The name (and tag) of the Envoy Docker image used for the
   # apiGateway. For other Consul compoenents, imageEnvoy has been replaced with Consul Dataplane.
   # @default: envoyproxy/envoy:<latest supported version>
-  imageEnvoy: "envoyproxy/envoy:v1.25.1"
+  imageEnvoy: "envoyproxy/envoy:v1.25.11"
 
   # Override global log verbosity level for api-gateway-controller pods. One of "debug", "info", "warn", or "error".
   # @type: string