1.26.4 (July 26, 2023)
Minor behavior changes
Changes that may cause incompatibilities for some users, but should not for most
http: Envoy will now lower case scheme values by default. This behaviorial change can be temporarily reverted by setting runtime guard
Changes expected to improve the state of the world and are unlikely to have negative effects
cors: Fix a use-after-free bug that occurs in the CORS filter if the
originheader is removed between request header decoding and response header encoding.
http: Switched Envoy internal scheme checks from case sensitive to case insensitive. This behaviorial change can be temporarily reverted by setting runtime guard
oauth2: Fixed a cookie validator bug that meant that the HMAC calculation could be same for different payloads.
This prevents malicious clients from constructing credentials with permanent validity in some specific scenarios.
opentelemetry/grpc/access log: Fixed a bug in the open telemetry access logger. This logger now uses the server scope for stats instead of the listener’s global scope. This fixes a use-after-free that can occur if the listener is drained but the cached gRPC access logger uses the listener’s global scope for stats.
tls: Added FIPS compliant build for arm64.