1.28.2 (April 4, 2024)
Incompatible behavior changes
Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required
http2: Discard the
Host
header if the:authority
header was received to bring Envoy into compliance with https://www.rfc-editor.org/rfc/rfc9113#section-8.3.1 This behavioral change can be reverted by setting runtime flagenvoy.reloadable_features.http2_discard_host_header
to false.
Minor behavior changes
Changes that may cause incompatibilities for some users, but should not for most
http: Enable obsolete line folding in BalsaParser (for behavior parity with http-parser, the previously used HTTP/1 parser).
Bug fixes
Changes expected to improve the state of the world and are unlikely to have negative effects
http2: Update nghttp2 to resolve CVE-2024-30255 (https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm).
jwt_authn: Fixed JWT extractor, which concatenated headers with a comma, resultig in invalid tokens.
New features
google_grpc: Added an off-by-default runtime flag
envoy.reloadable_features.google_grpc_disable_tls_13
to disable TLSv1.3 usage by gRPC SDK forgoogle_grpc
services.