.. _version_history_1.18.4:

1.18.4 (August 24, 2021)
=========================





Minor behavior changes
----------------------

*Changes that may cause incompatibilities for some users, but should not for most*



* **http**: disable the integration between :ref:`ExtensionWithMatcher
  <v1.18:envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` and HTTP filters by default to reflects its
  experimental status. This feature can be enabled by seting ``envoy.reloadable_features.experimental_matching_api`` to
  true.
* **http**: reject requests with \#fragment in the URI path. The fragment is not allowed to be part of request URI according to
  RFC3986 (3.5), RFC7230 (5.1) and RFC 7540 (8.1.2.3). Rejection of requests can be changed to stripping the \#fragment
  instead by setting the runtime guard ``envoy.reloadable_features.http_reject_path_with_fragment`` to false. This
  behavior can further be changed to the deprecated behavior of keeping the fragment by setting the runtime guard
  ``envoy.reloadable_features.http_strip_fragment_from_path_unsafe_if_disabled``. This runtime guard must only be set to
  false when existing non-compliant traffic relies on \#fragment in URI. When this option is enabled, Envoy request
  authorization extensions may be bypassed. This override and its associated behavior will be decommissioned after the
  standard deprecation period.
* **http**: stop processing pending H/2 frames if connection transitioned to a closed state. This behavior can be temporarily
  reverted by setting the ``envoy.reloadable_features.skip_dispatching_frames_for_closed_connection`` to false.



Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*



* **ext_authz**: fix the ext_authz filter to correctly merge multiple same headers using the ``,`` as separator in the check request to
  the external authorization service.
* **http**: limit use of deferred resets in the http2 codec to server-side connections. Use of deferred reset for client connections
  can result in incorrect behavior and performance problems.
* **jwt_authn**: unauthorized responses now correctly include a ``www-authenticate`` header.




New features
------------


* **listener**: added an option when balancing across active listeners and wildcard matching is used to return the listener that matches
  the IP family type associated with the listener's socket address. It is off by default, but is turned on by default in
  v1.19. To set change the runtime guard ``envoy.reloadable_features.listener_wildcard_match_ip_family`` to true.