1.11.2 (October 8, 2019)

Changes

• http: fixed CVE-2019-15226 by adding a cached byte size in HeaderMap.

• http: added max headers count for http connections. The default limit is 100.

• upstream: runtime feature envoy.reloadable_features.max_response_headers_count overrides the default limit for upstream max headers count

• http: added common_http_protocol_options Runtime feature envoy.reloadable_features.max_request_headers_count overrides the default limit for downstream max headers count

• regex: backported safe regex matcher fix for CVE-2019-15225.

Deprecated

• Use of idle_timeout is deprecated. Use common_http_protocol_options instead.