Bug Fixes
- okhttp: Improve certificate handling by rejecting non-ASCII subject alternative names and hostnames, as seen in CVE-2021-0341 (#11749) (a0982ca). Hostnames are considered trusted input and CAs are required to encode non-ASCII hostnames as punycode, so this is expected to provide defense-in-depth rather than fix a known exploitable path. See also the related GoSecure blog post and the AOSP fix
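The following is an added illustration of the check described above; it is not gRPC's or OkHttp's own verifier code. It operates on a SAN list constructed in the shape that `X509Certificate.getSubjectAlternativeNames()` returns (type 2 = dNSName) and compares a "naive" case-folding match against one that first rejects any non-ASCII character. The hostnames and the `verify`/`naiveMatch`/`hardenedMatch` names are assumptions for this example; wildcard names are deliberately not handled.

```java
import java.net.IDN;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

/** Added example: ASCII-only hostname/SAN matching, with the naive form beside it. */
public final class AsciiHostnameCheck {
    // GeneralName type tag used by getSubjectAlternativeNames() for dNSName entries.
    private static final int SAN_DNS_NAME = 2;

    /** True when every code unit is 7-bit ASCII; punycode (xn--) names pass, raw Unicode does not. */
    static boolean isAscii(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) >= 0x80) {
                return false;
            }
        }
        return true;
    }

    /** Illustrative pre-fix behaviour: case-fold both sides and compare. */
    static boolean naiveMatch(String host, String san) {
        return host.toLowerCase(Locale.US).equals(san.toLowerCase(Locale.US));
    }

    /** Hardened behaviour: refuse to compare anything that is not pure ASCII. */
    static boolean hardenedMatch(String host, String san) {
        if (!isAscii(host) || !isAscii(san)) {
            return false;
        }
        return naiveMatch(host, san);
    }

    /** Walks the SAN list and accepts only an exact ASCII dNSName match. */
    static boolean verify(String host, Collection<List<?>> sans) {
        if (!isAscii(host)) {
            return false;
        }
        for (List<?> san : sans) {
            if (san.size() < 2 || !(san.get(0) instanceof Integer)) {
                continue;
            }
            if ((Integer) san.get(0) != SAN_DNS_NAME || !(san.get(1) instanceof String)) {
                continue;
            }
            if (hardenedMatch(host, (String) san.get(1))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed SAN list (not from a real certificate). U+212A is KELVIN SIGN,
        // which String.toLowerCase maps to the ASCII letter 'k'.
        String kelvinSan = "\u212Aeys.example";
        Collection<List<?>> sans = List.of(
                List.of(SAN_DNS_NAME, "api.example"),
                List.of(SAN_DNS_NAME, kelvinSan));

        // Naive case-folding lets a non-ASCII SAN collide with an ASCII hostname.
        System.out.println("naive   keys.example vs KELVIN SAN: " + naiveMatch("keys.example", kelvinSan));
        // The hardened comparison refuses the non-ASCII SAN outright.
        System.out.println("hardened keys.example vs KELVIN SAN: " + hardenedMatch("keys.example", kelvinSan));

        System.out.println("verify api.example:  " + verify("api.example", sans));
        System.out.println("verify keys.example: " + verify("keys.example", sans));

        // The expected path for an internationalised name: the CA issues the punycode form,
        // and the client converts the user-supplied name with IDN.toASCII before matching.
        String punycode = IDN.toASCII("b\u00FCcher.example"); // xn--bcher-kva.example
        Collection<List<?>> idnSans = List.of(List.of(SAN_DNS_NAME, punycode));
        System.out.println("verify " + punycode + ": " + verify(punycode, idnSans));
        System.out.println("verify raw b\u00FCcher.example: " + verify("b\u00FCcher.example", idnSans));
    }
}
```

The point of the Kelvin-sign case is that Unicode case folding can map a non-ASCII character onto an ASCII one, so a verifier that lowercases before comparing can accept a SAN that was never issued for the ASCII name; rejecting non-ASCII on both sides before any folding removes that class of collision.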
- xds: Preserve nonce when unsubscribing the last watcher of a particular type so that new discovery requests of that type are handled correctly (1cf1927). This, together with the nonce fix for unknown types below, fixes a nonce-handling regression introduced in 1.66.0 that could cause resources to appear not to exist until the ADS stream was re-created. Triggering the behavior required specific config changes. It is easiest to trigger when clusters use EDS and routes are changed from one cluster to another. The error "found 0 leaf (logical DNS or EDS) clusters for root cluster" might then be seen
- xds: Remember nonces for unknown types (6c12c2b)
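To make the two nonce items above concrete, here is an added simulation that is not gRPC's xDS client code. It models the one rule that matters for the regression: a server tracks the last `nonce` it sent per type URL on a stream and ignores a later request whose `response_nonce` is stale, so a client that forgets the nonce when its last watcher for a type goes away will have its next request for that type silently dropped until the stream is recreated. The `Server`/`Client` classes, the `preserveNonce` switch and the cluster names are assumptions for this example.

```java
import java.util.HashMap;
import java.util.Map;

/** Added example: why dropping a per-type nonce on unsubscribe makes a resource look missing. */
public final class NonceRegressionDemo {
    static final String CDS = "type.googleapis.com/envoy.config.cluster.v3.Cluster";

    /** Minimal server: one nonce per type URL; a stale response_nonce means the request is ignored. */
    static final class Server {
        private final Map<String, String> lastNonce = new HashMap<>();
        private int counter = 0;

        /** Handles a request; returns the new nonce, or null if the request was ignored as stale. */
        String request(String typeUrl, String responseNonce) {
            String expected = lastNonce.get(typeUrl);
            if (expected != null && !expected.equals(responseNonce)) {
                return null; // stale nonce: server ignores it, client sees no response
            }
            String nonce = "n" + (++counter);
            lastNonce.put(typeUrl, nonce);
            return nonce;
        }
    }

    /** Minimal client: counts watchers per type and remembers the last nonce it saw. */
    static final class Client {
        private final Map<String, String> nonces = new HashMap<>();
        private final Map<String, Integer> watchers = new HashMap<>();
        private final boolean preserveNonce;

        Client(boolean preserveNonce) {
            this.preserveNonce = preserveNonce;
        }

        /** Adds a watcher and sends a request echoing the last nonce; true if the server answered. */
        boolean subscribe(Server server, String typeUrl, String resource) {
            watchers.merge(typeUrl, 1, Integer::sum);
            String sent = nonces.getOrDefault(typeUrl, "");
            String reply = server.request(typeUrl, sent);
            if (reply == null) {
                return false; // request dropped: resource "does not exist" from the app's view
            }
            nonces.put(typeUrl, reply);
            return true;
        }

        void unsubscribe(String typeUrl) {
            int remaining = watchers.merge(typeUrl, -1, Integer::sum);
            if (remaining == 0 && !preserveNonce) {
                nonces.remove(typeUrl); // the regressed behaviour: forget the nonce with the watchers
            }
        }
    }

    /**
     * Route switches from cluster-a to cluster-b: the last CDS watcher goes away and a new one
     * arrives. Returns whether the new cluster's discovery request was accepted.
     */
    static boolean routeSwitchWorks(boolean preserveNonce) {
        Server server = new Server();
        Client client = new Client(preserveNonce);
        client.subscribe(server, CDS, "cluster-a");  // server responds with nonce n1
        client.unsubscribe(CDS);                      // last CDS watcher removed
        return client.subscribe(server, CDS, "cluster-b");
    }

    public static void main(String[] args) {
        System.out.println("nonce cleared on unsubscribe, cluster-b found: " + routeSwitchWorks(false));
        System.out.println("nonce preserved on unsubscribe, cluster-b found: " + routeSwitchWorks(true));
    }
}
```

With `preserveNonce` false the second request carries an empty `response_nonce`, the server treats it as stale and never answers, which is the "resource appears to not exist" symptom; keeping the nonce makes the re-subscription succeed on the same stream.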
- xds: Unexpected types in the bootstrap’s server_features should be ignored (e8ff6da). They were previously required to be strings
- xds: Fixed unsupported unsigned 32-bit values for circuit breaker thresholds (#11735) (f8f6139). This fixes clients treating a large max_requests as "no requests allowed" and failing all requests
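The underlying pitfall, shown as an added example rather than gRPC's own circuit-breaker code: the proto field is a `uint32`, but protobuf-java hands it back as a signed `int`, so any threshold of 2^31 or more reads as negative and a plain `<` comparison rejects every request. The class and method names below are assumptions for this example.

```java
import java.util.concurrent.atomic.AtomicLong;

/** Added example: signed vs unsigned handling of a uint32 max_requests threshold. */
public final class CircuitBreakerLimit {
    // A value a control plane may legitimately send: uint32 max, which Java stores as -1.
    static final int UINT32_MAX_AS_INT = (int) 4294967295L;

    /** Buggy form: compares the raw signed int, so thresholds >= 2^31 admit nothing. */
    static boolean allowsSigned(int maxRequests, long inFlight) {
        return inFlight < maxRequests;
    }

    /** Fixed form: widen the uint32 to a long before comparing. */
    static boolean allowsUnsigned(int maxRequests, long inFlight) {
        return inFlight < Integer.toUnsignedLong(maxRequests);
    }

    /** A small concurrent limiter built on the fixed comparison. */
    static final class Limiter {
        private final long maxRequests;
        private final AtomicLong inFlight = new AtomicLong();

        Limiter(int maxRequestsFromProto) {
            this.maxRequests = Integer.toUnsignedLong(maxRequestsFromProto);
        }

        /** Reserves a slot; returns false (and releases nothing) when the breaker is open. */
        boolean tryAcquire() {
            while (true) {
                long current = inFlight.get();
                if (current >= maxRequests) {
                    return false;
                }
                if (inFlight.compareAndSet(current, current + 1)) {
                    return true;
                }
            }
        }

        void release() {
            inFlight.decrementAndGet();
        }
    }

    public static void main(String[] args) {
        System.out.println("signed,   max=uint32 max, 0 in flight: " + allowsSigned(UINT32_MAX_AS_INT, 0));
        System.out.println("unsigned, max=uint32 max, 0 in flight: " + allowsUnsigned(UINT32_MAX_AS_INT, 0));
        System.out.println("unsigned, max=2,          2 in flight: " + allowsUnsigned(2, 2));

        Limiter limiter = new Limiter(2);
        System.out.println("acquire 1: " + limiter.tryAcquire());
        System.out.println("acquire 2: " + limiter.tryAcquire());
        System.out.println("acquire 3 (should be false): " + limiter.tryAcquire());
        limiter.release();
        System.out.println("acquire after release: " + limiter.tryAcquire());
    }
}
```

`Integer.compareUnsigned` would also work for a one-off comparison; converting once with `Integer.toUnsignedLong` at the point where the proto value enters the limiter keeps the signed/unsigned boundary in a single place.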