.. _version_history_1.28.2:

1.28.2 (April 4, 2024)
=======================




Incompatible behavior changes
-----------------------------

*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*



* **http2**: Discard the ``Host`` header if the ``:authority`` header was received to bring Envoy into compliance with
  https://www.rfc-editor.org/rfc/rfc9113#section-8.3.1 This behavioral change can be reverted by setting runtime flag
  ``envoy.reloadable_features.http2_discard_host_header`` to false.



Minor behavior changes
----------------------

*Changes that may cause incompatibilities for some users, but should not for most*



* **http**: Enable obsolete line folding in BalsaParser (for behavior parity with http-parser, the
  previously used HTTP/1 parser).



Bug fixes
---------

*Changes expected to improve the state of the world and are unlikely to have negative effects*



* **http2**: Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm).
* **jwt_authn**: Fixed JWT extractor, which concatenated headers with a comma, resultig in invalid tokens.




New features
------------


* **google_grpc**: Added an off-by-default runtime flag
  ``envoy.reloadable_features.google_grpc_disable_tls_13`` to disable TLSv1.3
  usage by gRPC SDK for ``google_grpc`` services.