envoy-proxy-1.14.6-bp153.3.4.1

- Update to 1.14.6 (CVE-2020-35471 boo#1180121)

- Fix path in find command, bsc#1167073

- add workaround-for-big-endian.patch - fix build for s390x

- Use golang-* packages for openSUSE Tumbleweed and use sources of
  Go deps for Leap and SLE.
- Add the following patches for Go deps:
  * com_github_golang_protobuf-gazelle.patch
  * com_github_golang_protobuf-extras.patch
  * org_golang_x_tools-gazelle.patch
  * org_golang_x_tools-extras.patch

- Update _constraints for backports

- Double memory limits for dwz.

- Relax constraints on aarch64

- Update to 1.14.4 (bsc#1173559, CVE-2020-12605, CVE-2020-8663, CVE-2020-12603, CVE-2020-12604)
  * Release notes: https://www.envoyproxy.io/docs/envoy/v1.14.4/intro/version_history
- Remove patches which were either released upstream or are not
  relevant anymore:
  * 0001-server-add-getTransportSocketFactoryContext-to-Filte.patch
  * 0002-test-Fix-mocks.patch
  * 0003-test-Fix-format.patch
  * 0004-server-Add-comments-pointing-out-implementation-deta.patch
  * 0005-server-Move-setInitManager-to-TransportSocketFactory.patch
  * 0006-fix-format.patch
  * 0007-lua-Handle-the-default-case-in-scriptLog.patch
- Add patches which fix the offline build of the new version:
  * 0001-build-Use-Go-from-host.patch
  * 0002-build-update-several-go-dependencies-11581.patch
  * 0003-build-Add-explicit-requirement-on-rules_cc.patch
- We are switching back to BoringSSL, because it's supported by the
  Envoy upstream. Compatibility with OpenSSL was done by using an
  additional compatibility layer (https://github.com/envoyproxy/envoy-openssl/)
  which is not following upstream releases and packaging it is hard
  to maintain. Security team has already approved BoringSSL as a
  legitimate SSL/TLS library and it's already used the Envoy package
  related to Istio (cilium-istio-proxy).

- Add patch which fixes the error occuring for spdlog 1.6.1:
  * 0007-lua-Handle-the-default-case-in-scriptLog.patch

-  limit build resources for ppc64le to avoid Out of Memory error

- Add ppc64/ppc64le in _constraints to use worker with max memory

- add big-endian-support.patch to fix build on s390x:
  * backport of an already upstream patch at https://github.com/envoyproxy/envoy/pull/10250

- Fix the include dir of moonjit.

- Add bazel-rules-python as a build requirement.

- Remove nanopb from requirements.

- Add patches which allow an access to TransportSocketFactoryContext
  from a Filter context. Needed for cilium-proxy to work properly:
  * 0001-server-add-getTransportSocketFactoryContext-to-Filte.patch
  * 0002-test-Fix-mocks.patch
  * 0003-test-Fix-format.patch
  * 0004-server-Add-comments-pointing-out-implementation-deta.patch
  * 0005-server-Move-setInitManager-to-TransportSocketFactory.patch
  * 0006-fix-format.patch

- Update to version 1.12.2+git.20200109:
  * http: fixed CVE-2019-18801 by allocating sufficient memory for
    request headers.
  * http: fixed CVE-2019-18802 by implementing stricter validation
    of HTTP/1 headers.
  * http: trim LWS at the end of header keys, for correct HTTP/1.1
    header parsing.
  * http: added strict authority checking. This can be reversed
    temporarily by setting the runtime feature
    envoy.reloadable_features.strict_authority_validation to false.
  * route config: fixed CVE-2019-18838 by checking for presence of
    host/path headers.
  * listener: fixed CVE-2019-18836 by clearing accept filters
    before connection creation.
- Switch from Maistra to envoy-openssl as the way of replacing
  BoringSSL with OpenSSL.
- Add source package to build cilium-proxy separately, with
  envoy-proxy-source as a build depencency.
- Add patch which fixes dynamic linking of OpenSSL:
  * bazel-Fix-optional-dynamic-linking-of-OpenSSL.patch
- Add patch which adds backwards compatibility with TLS 1.2 and
  OpenSSL 1.1.0:
  * compatibility-with-TLS-1.2-and-OpenSSL-1.1.0.patch
- Add patch for compatibility with fmt 6.1.0 and spdlog 1.5.0:
  * logger-Use-spdlog-memory_buf_t-instead-of-fmt-memory.patch
- Remove patches which are not needed anymore:
  * 0001-bazel-Update-protobuf-and-other-needed-dependencies.patch
  * 0002-bazel-Update-grpc-to-1.23.0.patch
  * 0003-tracing-update-googleapis-use-SetName-for-operation-.patch

- Replace lua51-luajit with moonjit.

- Do not bundle any dependencies, move everything to separate
  packages.
- Add patch which makes envoy-proxy compatible with newer
  googleapis:
  * 0003-tracing-update-googleapis-use-SetName-for-operation-.patch

- Do not use global optflags (temporarily) - enabling them causes
  linker errors.

- Disable incompatible_bzl_disallow_load_after_statement check in
  Bazel - some dependencies still do not pass it.

- Remove obsolete Groups tag (fate#326485)

- Remove duplicate tarball of golang-org-x-tools and unneeded
  tarballs of msgpack and http-parser.

- Update to version 1.11.1:
  * http: added mitigation of client initiated attacks that result
    in flooding of the downstream HTTP/2 connections. Those attacks
    can be logged at the ?warning? level when the runtime feature
    http.connection_manager.log_flood_exception is enabled. The
    runtime setting defaults to disabled to avoid log spam when
    under attack.
  * http: added inbound_empty_frames_flood counter stat to the
    HTTP/2 codec stats, for tracking number of connections
    terminated for exceeding the limit on consecutive inbound
    frames with an empty payload and no end stream flag. The limit
    is configured by setting the
    max_consecutive_inbound_frames_with_empty_payload config
    setting.
  * http: added inbound_priority_frames_flood counter stat to the
    HTTP/2 codec stats, for tracking number of connections
    terminated for exceeding the limit on inbound PRIORITY frames.
    The limit is configured by setting the
    max_inbound_priority_frames_per_stream config setting.
  * http: added inbound_window_update_frames_flood counter stat
    to the HTTP/2 codec stats, for tracking number of connections
    terminated for exceeding the limit on inbound WINDOW_UPDATE
    frames.
  * http: added outbound_flood counter stat to the HTTP/2 codec
    stats, for tracking number of connections terminated for
    exceeding the outbound queue limit.
  * http: added outbound_control_flood counter stat to the HTTP/2
    codec stats, for tracking number of connections terminated
    for exceeding the outbound queue limit for PING, SETTINGS and
    RST_STREAM frames.
  * http: enabled strict validation of HTTP/2 messaging. Previous
    behavior can be restored using
    stream_error_on_invalid_http_messaging config setting.
- Add sources of envoy-openssl project which makes use of OpenSSL
  instead of BoringSSL.
- Add patches which makes Envoy compatible with versions of
  libraries available in openSUSE:
  * 0001-bazel-Update-protobuf-and-other-needed-dependencies.patch
  * 0002-bazel-Update-grpc-to-1.23.0.patch
- Remove patches which are not needed anymore:
  * 0001-Remove-deprecated-Blaze-PACKAGE_NAME-macro-5330.patch
  * 0001-Upgrade-gabime-spdlog-dependency-to-1.3.0-5604.patch
  * 0001-bazel-transport-sockets-Update-grpc-to-1.19.1.patch