1.23.12 (July 25, 2023)

Minor behavior changes

Changes that may cause incompatibilities for some users, but should not for most

  • http: Envoy will now lowercase scheme values by default. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.lowercase_scheme to false.
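Runtime guards are set through the runtime layer of the bootstrap. The fragment below is an added example, not part of these release notes, showing how the two envoy.reloadable_features guards introduced in this release would be overridden in a static layer; the layer name is an assumption.

```yaml
# Added example (not from the release notes): bootstrap fragment that flips
# the two runtime guards named in 1.23.12 back to false. Both default to
# true in this release; setting them to false is a temporary rollback only.
layered_runtime:
  layers:
  - name: static_layer_0          # assumed layer name
    static_layer:
      # Reverts the new default of lowercasing scheme values.
      envoy.reloadable_features.lowercase_scheme: false
      # Reverts case-insensitive scheme checks, i.e. the fix for
      # CVE-2023-35944. Leave at the default unless a rollback is required.
      envoy.reloadable_features.handle_uppercase_scheme: false
```

Reverting handle_uppercase_scheme restores the pre-fix behavior for CVE-2023-35944, so the override should be removed again as soon as the compatibility issue that required it is resolved.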

Bug fixes

Changes expected to improve the state of the world and are unlikely to have negative effects

  • cors: Fix a use-after-free bug that occurs in the CORS filter if the origin header is removed between request header decoding and response header encoding.

    Fix CVE-2023-35943.

  • http: Switched Envoy internal scheme checks from case sensitive to case insensitive. This behavioral change can be temporarily reverted by setting runtime guard envoy.reloadable_features.handle_uppercase_scheme to false.

    Fix CVE-2023-35944.

  • oauth2: Fixed a cookie validator bug that meant the HMAC calculation could be the same for different payloads.

    This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.

    Fix CVE-2023-35941.

  • opentelemetry/grpc/access log: Fixed a bug in the open telemetry access logger. This logger now uses the server scope for stats instead of the listener’s global scope. This fixes a use-after-free that can occur if the listener is drained but the cached gRPC access logger uses the listener’s global scope for stats.

    Fix CVE-2023-35942.
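The oauth2 entry above describes an HMAC that "could be the same for different payloads". The release notes do not state the root cause, so the following is an added example (not Envoy's code) of the general class of bug that produces that symptom: when the fields covered by the MAC are concatenated without delimiters, two different field splits serialize to the same bytes and therefore receive the same tag. The example contrasts that with a length-prefixed serialization and uses a toy keyed hash in place of HMAC-SHA256 so it builds without a crypto library; the collision lives in the MAC input, so any MAC exhibits it. Field names, the key and the sample values are all constructed.

```cpp
// Added example, not Envoy code: why a MAC over ambiguously concatenated
// fields lets two distinct payloads share one tag, and a length-prefixed
// encoding that prevents it. toy_mac() is a stand-in for HMAC-SHA256.
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>

struct CookiePayload {
    std::string host;
    std::string expires;  // unix seconds, as decimal text
    std::string token;
};

// Ambiguous: fields are glued together and the boundaries are lost.
std::string serialize_ambiguous(const CookiePayload& p) {
    return p.host + p.expires + p.token;
}

// Unambiguous: every field is prefixed by its byte length (4 bytes,
// big-endian), so exactly one parse of the bytes exists.
std::string serialize_length_prefixed(const CookiePayload& p) {
    std::string out;
    for (const std::string* f : {&p.host, &p.expires, &p.token}) {
        uint32_t n = static_cast<uint32_t>(f->size());
        for (int shift = 24; shift >= 0; shift -= 8)
            out.push_back(static_cast<char>((n >> shift) & 0xff));
        out += *f;
    }
    return out;
}

// Toy keyed hash: FNV-1a over key || msg. Stand-in for a real HMAC only;
// it is deterministic, which is all the demonstration needs.
uint64_t toy_mac(const std::string& key, const std::string& msg) {
    uint64_t h = 1469598103934665603ULL;
    auto mix = [&h](const std::string& s) {
        for (unsigned char c : s) { h ^= c; h *= 1099511628211ULL; }
    };
    mix(key);
    mix(msg);
    return h;
}

// True when two distinct payloads receive distinct tags under `ser`.
bool tags_differ(std::string (*ser)(const CookiePayload&),
                 const CookiePayload& a, const CookiePayload& b) {
    const std::string key = "constructed-demo-key";  // constructed
    return toy_mac(key, ser(a)) != toy_mac(key, ser(b));
}

// Constructed sample: a short-lived cookie and a "never expires" cookie that
// differ only in where the expires/token boundary falls. The digits
// "9999999999" sit at the start of the token in one and at the end of the
// expiry in the other, so their undelimited concatenations are identical.
CookiePayload short_lived() { return {"example.test", "1690300000", "9999999999abc"}; }
CookiePayload forever()     { return {"example.test", "16903000009999999999", "abc"}; }

int main() {
    std::printf("ambiguous serializer: tags differ = %d\n",
                tags_differ(serialize_ambiguous, short_lived(), forever()));
    std::printf("length-prefixed serializer: tags differ = %d\n",
                tags_differ(serialize_length_prefixed, short_lived(), forever()));
    return 0;
}
```

The defensive point is that the validator must MAC a serialization with exactly one parse (length-prefixed fields, or a delimiter that cannot appear inside a field) and then compare tags in constant time; validating the expiry against a MAC whose input can be re-split gives an attacker control over the expiry without touching the key.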