[release/v1.35] repo: Release v1.35.2 (#40955)

Created by Envoy publish bot for @yanavlasov




**Summary of changes**:

* Security fixes:
- Fix for OAuth cookie issue
[CVE-2025-55162](GHSA-95j4-hw7f-v2rh).
- Fix UAF in DNS resolution
[CVE-2025-54588](GHSA-g9vw-6pvx-7gmw).

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.35.2
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.35.2/
**Release notes**:

https://www.envoyproxy.io/docs/envoy/v1.35.2/version_history/v1.35/v1.35.2
**Full changelog**:
    v1.35.1...v1.35.2

Co-authored-by: publish-envoy[bot] <140627008+publish-envoy[bot]@users.noreply.github.com>

Author: publish-envoy[bot]

VERSION.txt

@@ -1 +1 @@
-1.35.2-dev
+1.35.2

changelogs/1.32.11.yaml

@@ -0,0 +1,7 @@
+date: September 2, 2025
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
+    Secure attribute (`CVE-2025-55162 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh>`_).

changelogs/1.33.8.yaml

@@ -0,0 +1,7 @@
+date: September 2, 2025
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
+    Secure attribute.

changelogs/1.34.6.yaml

@@ -0,0 +1,11 @@
+date: September 2, 2025
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
+    Secure attribute.
+- area: dns
+  change: |
+    Fixed an UAF in DNS cache that can occur when the Host header is modified between the Dynamic Forwarding and Router
+    filters.

changelogs/current.yaml

@@ -1,13 +1,6 @@
-date: Pending
-
-behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
-
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
+date: September 3, 2025
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: oauth2
   change: |
     Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
@@ -22,10 +15,3 @@ bug_fixes:
     ``cluster.<cluster_name>.ssl.certificate.<cert_name>.<metric_name>``
     and ``listener.<address>.ssl.certificate.<cert_name>.<metric_name>``
     was not being properly extracted in the final prometheus stat name.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:

docs/inventories/v1.32/objects.inv

@@ -25,7 +25,7 @@
 "1.29": 1.29.12
 "1.30": 1.30.11
 "1.31": 1.31.10
-"1.32": 1.32.10
-"1.33": 1.33.7
-"1.34": 1.34.5
-"1.35": 1.35.0
+"1.32": 1.32.11
+"1.33": 1.33.8
+"1.34": 1.34.6
+"1.35": 1.35.1