1.27.4 (April 4, 2024)

Incompatible behavior changes

Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required

• http2: Discard the Host header if the :authority header was received to bring Envoy into compliance with https://www.rfc-editor.org/rfc/rfc9113#section-8.3.1 This behavioral change can be reverted by setting runtime flag envoy.reloadable_features.http2_discard_host_header to false.

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

• http2: Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm).

New features

• google_grpc: Added an off-by-default runtime flag envoy.reloadable_features.google_grpc_disable_tls_13 to disable TLSv1.3 usage by gRPC SDK for google_grpc services.