.. _version_history_1.25.10:

1.25.10 (October 10, 2023)
===========================




Incompatible behavior changes
-----------------------------

*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*



* **http**: Add runtime flag ``http.max_requests_per_io_cycle`` for setting the limit on the number of HTTP requests processed
  from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. This
  mitigates CPU starvation by connections that simultaneously send high number of requests by allowing requests from other
  connections to make progress. This runtime value can be set to 1 in the presence of abusive HTTP/2 or HTTP/3 connections.
  By default this limit is disabled.
* **http**: Add runtime flag ``http.max_requests_per_io_cycle`` for setting the limit on the number of HTTP requests processed
  from a single connection in a single I/O cycle. Requests over this limit are processed in subsequent I/O cycles. This
  mitigates CPU starvation by connections that simultaneously send high number of requests by allowing requests from other
  connections to make progress. This runtime value can be set to 1 in the presence of abusive HTTP/2 or HTTP/3 connections.
  By default this limit is disabled.
* **http**: Close HTTP/2 and HTTP/3 connections that prematurely reset streams. The runtime key
  ``overload.premature_reset_min_stream_lifetime_seconds`` determines the interval where received stream
  reset is considered premature (with 1 second default). The runtime key ``overload.premature_reset_total_stream_count``,
  with the default value of 500, determines the number of requests received from a connection before the check for premature
  resets is applied. The connection is disconnected if more than 50% of resets are premature.
  Setting the runtime key ``envoy.restart_features.send_goaway_for_premature_rst_streams`` to ``false`` completely disables
  this check.




Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*



* **docker/publishing**: Update base images to resolve various glibc vulnerabilities.
* **tls**: fixed a bug where handshake may fail when both private key provider and cert validation are set.