envoyproxy · jwendell · Sep 9, 2025 · Sep 4, 2025 · Sep 4, 2025 · Sep 4, 2025
diff --git a/VERSION.txt b/VERSION.txt
@@ -1 +1 @@
-1.32.11
+1.32.13-dev
diff --git a/changelogs/1.32.11.yaml b/changelogs/1.32.11.yaml
@@ -0,0 +1,7 @@
+date: September 2, 2025
+
+bug_fixes:
+- area: oauth2
+  change: |
+    Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
+    Secure attribute (`CVE-2025-55162 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh>`_).
diff --git a/changelogs/1.32.12.yaml b/changelogs/1.32.12.yaml
@@ -0,0 +1,6 @@
+date: September 4, 2025
+
+bug_fixes:
+- area: release
+  change: |
+    Fix distroless image to ensure nonroot.
diff --git a/changelogs/current.yaml b/changelogs/current.yaml
@@ -1,7 +1,17 @@
-date: September 2, 2025
+date: Pending
+
+behavior_changes:
+# *Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*
+
+minor_behavior_changes:
+# *Changes that may cause incompatibilities for some users, but should not for most*
 
 bug_fixes:
-- area: oauth2
-  change: |
-    Fixed an issue where cookies prefixed with ``__Secure-`` or ``__Host-`` were not receiving a
-    Secure attribute (`CVE-2025-55162 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh>`_).
+# *Changes expected to improve the state of the world and are unlikely to have negative effects*
+
+removed_config_or_runtime:
+# *Normally occurs at the end of the* :ref:`deprecation period <deprecated>`
+
+new_features:
+
+deprecated:
diff --git a/changelogs/summary.md b/changelogs/summary.md
@@ -1,4 +1,4 @@
 **Summary of changes**:
 
-* Security fixes:
-  - Fix for OAuth cookie issue [CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh).
+* Docker images:
+  - Fix for distroless images to ensure nonroot.
diff --git a/distribution/docker/Dockerfile-envoy b/distribution/docker/Dockerfile-envoy
@@ -59,7 +59,7 @@ COPY --chown=0:0 --chmod=755 \
 
 
 # STAGE: envoy-distroless
-FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:6fe9fd551fab9d442b7ee7096b8fcf286047ff91bac31bc577270bb77afa0184 AS envoy-distroless
+FROM gcr.io/distroless/base-nossl-debian12:nonroot@sha256:8981b63f968e829d21351ea9d28cc21127e5f034707f1d8483d2993d9577be0b AS envoy-distroless
 EXPOSE 10000
 ENTRYPOINT ["/usr/local/bin/envoy"]
 CMD ["-c", "/etc/envoy/envoy.yaml"]

diff --git a/docs/inventories/v1.32/objects.inv b/docs/inventories/v1.32/objects.inv
diff --git a/docs/versions.yaml b/docs/versions.yaml
@@ -25,4 +25,4 @@
 "1.29": 1.29.12
 "1.30": 1.30.11
 "1.31": 1.31.10
-"1.32": 1.32.10
+"1.32": 1.32.11