repo: Release v1.36.5

**Summary of changes**:

* Security fixes:
  - [CVE-2026-26330](GHSA-c23c-rp3m-vpg3): ratelimit: fix a bug where response phase limit may result in crash
  - [CVE-2026-26308](GHSA-ghc4-35x6-crw5): fix multivalue header bypass in rbac
  - [CVE-2026-26310](GHSA-3cw6-2j68-868p): network: fix crash in getAddressWithPort() when called with a scoped IPv6 address
  - [CVE-2026-26309](GHSA-56cj-wgg3-x943): json: fixed an off-by-one write that could corrupted the string null terminator
  - [CVE-2026-26311](GHSA-84xm-r438-86px): http: ensure decode* methods are blocked after a downstream reset

* Bug fix:
  - Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.

* Dependency updates:
  - Migrated googleurl source to GitHub (`google/gurl`).
  - Updated Kafka test binary to 3.9.2.
  - Updated Docker base images.

**Docker images**:
    https://hub.docker.com/r/envoyproxy/envoy/tags?page=1&name=v1.36.5
**Docs**:
    https://www.envoyproxy.io/docs/envoy/v1.36.5/
**Release notes**:
    https://www.envoyproxy.io/docs/envoy/v1.36.5/version_history/v1.36/v1.36.5
**Full changelog**:
    v1.36.4...v1.36.5

Author: publish-envoy[bot]

VERSION.txt

@@ -1 +1 @@
-1.36.5-dev
+1.36.5

changelogs/1.34.13.yaml

@@ -0,0 +1,24 @@
+date: March 10, 2026
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
+- area: http
+  change: |
+    Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet
+    destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
+    had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
+    ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
+- area: json
+  change: |
+    Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
+    when the input string ends with a control character.
+- area: network
+  change: |
+    Fixed a crash in ``Utility::getAddressWithPort`` when called with a scoped IPv6 address (e.g., ``fe80::1%eth0``).
+- area: rbac
+  change: |
+    Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
+    into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
+    The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.

changelogs/1.35.9.yaml

@@ -0,0 +1,24 @@
+date: March 10, 2026
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
+- area: http
+  change: |
+    Fixed an issue where filter chain execution could continue on HTTP streams that had been reset but not yet
+    destroyed. This could cause use-after-free conditions when filter callbacks were invoked on filters that
+    had already received ``onDestroy()``. The fix ensures that ``decodeHeaders()``, ``decodeData()``,
+    ``decodeTrailers()``, and ``decodeMetadata()`` are blocked after a downstream reset.
+- area: json
+  change: |
+    Fixed an off-by-one write in ``JsonEscaper::escapeString()`` that could corrupt the string null terminator
+    when the input string ends with a control character.
+- area: network
+  change: |
+    Fixed a crash in ``Utility::getAddressWithPort`` when called with a scoped IPv6 address (e.g., ``fe80::1%eth0``).
+- area: rbac
+  change: |
+    Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
+    into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
+    The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.

changelogs/current.yaml

@@ -1,13 +1,6 @@
-date: Pending
-
-behavior_changes:
-# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
-
-minor_behavior_changes:
-# *Changes that may cause incompatibilities for some users, but should not for most*
+date: March 10, 2026
 
 bug_fixes:
-# *Changes expected to improve the state of the world and are unlikely to have negative effects*
 - area: oauth2
   change: |
     Fixed OAuth2 refresh requests so host rewriting no longer overrides the original Host value.
@@ -35,10 +28,3 @@ bug_fixes:
     Fixed RBAC header matcher to validate each header value individually instead of concatenating multiple header values
     into a single string. This prevents potential bypasses when requests contain multiple values for the same header.
     The new behavior is enabled by the runtime guard ``envoy.reloadable_features.rbac_match_headers_individually``.
-
-removed_config_or_runtime:
-# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
-
-new_features:
-
-deprecated:

docs/inventories/v1.34/objects.inv

@@ -27,6 +27,6 @@
 "1.31": 1.31.10
 "1.32": 1.32.13
 "1.33": 1.33.14
-"1.34": 1.34.12
-"1.35": 1.35.8
-"1.36": 1.36.3
+"1.34": 1.34.13
+"1.35": 1.35.9
+"1.36": 1.36.4