1.26.4 (July 26, 2023)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

http: Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted by setting runtime guard envoy.reloadable_features.lowercase_scheme to false.

Changes expected to improve the state of the world and are unlikely to have negative effects

cors: Fix a use-after-free bug that occurs in the CORS filter if the origin header is removed between request header decoding and response header encoding.

Fix CVE-2023-35943.
http: Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily reverted by setting runtime guard envoy.reloadable_features.handle_uppercase_scheme to false.

Fix CVE-2023-35944.
oauth2: Fixed a cookie validator bug that meant that the HMAC calculation could be same for different payloads.

This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.

Fix CVE-2023-35941.
opentelemetry/grpc/access log: Fixed a bug in the open telemetry access logger. This logger now uses the server scope for stats instead of the listener’s global scope. This fixes a use-after-free that can occur if the listener is drained but the cached gRPC access logger uses the listener’s global scope for stats.

Fix CVE-2023-35942.