1.9.1 (Apr 2, 2019)

Changes

  • http: fixed CVE-2019-9900 by rejecting HTTP/1.x headers with embedded NUL characters.

  • http: fixed CVE-2019-9901 by normalizing HTTP paths prior to routing or L7 data plane processing. This defaults off and is configurable via either HTTP connection manager normalize_path or the runtime.