.. _version_history_1.24.10:

1.24.10 (July 25, 2023)
========================





Minor behavior changes
----------------------

*Changes that may cause incompatibilities for some users, but should not for most*



* **http**: Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted
  by setting runtime guard ``envoy.reloadable_features.lowercase_scheme`` to ``false``.



Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*



* **cors**: Fix a use-after-free bug that occurs in the CORS filter if the ``origin`` header is removed between
  request header decoding and response header encoding.

  Fix `CVE-2023-35943 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq>`_.
* **http**: Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily
  reverted by setting runtime guard ``envoy.reloadable_features.handle_uppercase_scheme`` to ``false``.

  Fix `CVE-2023-35944 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g>`_.
* **oauth2**: Fixed a cookie validator bug that HMAC caluation could be same for different payloads.

  This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.

  Fix `CVE-2023-35941 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55>`_.
* **opentelemetry/grpc/access log**: Fixed a bug in the open telemetry access logger. This logger now uses the
  server scope for stats instead of the listener's global scope. This fixes a
  use-after-free that can occur if the listener is drained but the cached
  gRPC access logger uses the listener's global scope for stats.

  Fix `CVE-2023-35942 <https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4>`_.




New features
------------


* **tls**: Added FIPS compliant build for arm64.