1.24.10 (July 25, 2023)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • http: Envoy will now lower case scheme values by default. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.lowercase_scheme to false.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • cors: Fix a use-after-free bug that occurs in the CORS filter if the origin header is removed between request header decoding and response header encoding.

    Fix CVE-2023-35943.

  • http: Switched Envoy internal scheme checks from case sensitive to case insensitive. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.handle_uppercase_scheme to false.

    Fix CVE-2023-35944.

  • oauth2: Fixed a cookie validator bug where the HMAC calculation could be the same for different payloads.

    This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.

    Fix CVE-2023-35941.
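    The oauth2 entry above describes an HMAC that could come out identical for different payloads. The Python below is added here as an illustration and is not Envoy's code: it shows the general class of bug (a MAC computed over fields joined with no boundaries, so two different field tuples produce the same bytes) beside the usual fix (a canonical, length-prefixed encoding). The key, the field names and the sample values are constructed for the example and are not taken from Envoy's cookie format.

```python
import hashlib
import hmac
import struct

# Constructed key for this illustration only; a real validator would load it from configuration.
KEY = b"example-cookie-hmac-key"


def naive_tag(fields):
    """Ambiguous encoding: fields are concatenated, so their boundaries are lost.

    Any tuple whose concatenation yields the same byte string gets the same tag,
    even though the fields themselves differ.
    """
    msg = b"".join(f.encode() for f in fields)
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def canonical_tag(fields):
    """Unambiguous encoding: every field is prefixed with its 4-byte big-endian length.

    Two distinct field tuples can never serialize to the same byte string, so
    they can never share a tag.
    """
    encoded = (f.encode() for f in fields)
    msg = b"".join(struct.pack(">I", len(b)) + b for b in encoded)
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()


def verify(tag_fn, fields, presented_tag):
    """Constant-time comparison of the recomputed tag against the presented one."""
    return hmac.compare_digest(tag_fn(fields), presented_tag)


# Constructed sample payloads: (host, expires) tuples that differ as fields but
# concatenate to the identical byte string "example.com1690000000".
LEGIT = ["example.com", "1690000000"]
SHIFTED = ["example.com1", "690000000"]


def demo():
    """Report whether each encoding lets the two distinct payloads collide."""
    return {
        "naive_collides": naive_tag(LEGIT) == naive_tag(SHIFTED),
        "canonical_collides": canonical_tag(LEGIT) == canonical_tag(SHIFTED),
    }


if __name__ == "__main__":
    print(demo())  # {'naive_collides': True, 'canonical_collides': False}
```

    Length-prefixing is one of several unambiguous encodings; a fixed separator also works, but only if the separator can never occur inside any field, which is hard to guarantee for values such as hostnames and tokens. The point the fix relies on is that the bytes fed to the MAC must be a one-to-one function of the fields being authenticated.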

  • opentelemetry/grpc/access log: Fixed a bug in the open telemetry access logger. This logger now uses the server scope for stats instead of the listener’s global scope. This fixes a use-after-free that can occur if the listener is drained but the cached gRPC access logger uses the listener’s global scope for stats.

    Fix CVE-2023-35942.

New features

  • tls: Added FIPS compliant build for arm64.