1.25.9 (July 25, 2023)
Minor behavior changes
Changes that may cause incompatibilities for some users, but should not for most
http: Envoy will now lower case scheme values by default. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.lowercase_scheme to false.
Bug fixes
Changes expected to improve the state of the world and are unlikely to have negative effects
cors: Fix a use-after-free bug that occurs in the CORS filter if the origin header is removed between request header decoding and response header encoding. Fix CVE-2023-35943.
http: Switched Envoy internal scheme checks from case sensitive to case insensitive. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.handle_uppercase_scheme to false. Fix CVE-2023-35944.
oauth2: Fixed a cookie validator bug where the HMAC calculation could be the same for different payloads. This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios. Fix CVE-2023-35941.
opentelemetry/grpc/access log: Fixed a bug in the OpenTelemetry access logger. This logger now uses the server scope for stats instead of the listener's global scope. This fixes a use-after-free that can occur if the listener is drained but the cached gRPC access logger uses the listener's global scope for stats. Fix CVE-2023-35942.
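The two http entries above describe runtime guards but not where they are set. The following bootstrap fragment is an added example, not taken from these release notes or from the Envoy project's own documentation; it assumes Envoy's standard layered_runtime bootstrap section, and the layer names are arbitrary. It pins both guards to their post-1.25.9 defaults so that a later runtime change cannot silently reopen the scheme-handling issue, and shows where an operator would flip one to false as a temporary measure.

```yaml
# Added example (not from the Envoy release notes): bootstrap fragment that
# explicitly pins the two 1.25.9 scheme-handling runtime guards.
layered_runtime:
  layers:
  # Static values baked into the bootstrap; lowest precedence.
  - name: static_layer_0
    static_layer:
      # Lower-case incoming :scheme values (default true since 1.25.9).
      # Setting this to false restores the pre-1.25.9 behavior.
      envoy.reloadable_features.lowercase_scheme: true
      # Compare schemes case-insensitively (default true since 1.25.9).
      # Setting this to false restores the pre-1.25.9 behavior.
      envoy.reloadable_features.handle_uppercase_scheme: true
  # Admin layer, highest precedence: allows a live override through the
  # admin endpoint, e.g.
  #   POST /runtime_modify?envoy.reloadable_features.lowercase_scheme=false
  # Overrides made this way are lost on restart, which is appropriate for a
  # temporary revert while uppercase-scheme clients are being fixed.
  - name: admin_layer_0
    admin_layer: {}
```

The admin layer must be the last entry in layers. Once Envoy is running, GET /runtime on the admin interface lists the effective value of every key and the layer it came from, which is the quickest way to confirm that neither guard has been reverted by a stale override.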
New features
tls: Added FIPS compliant build for arm64.