Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required
Changes that may cause incompatibilities for some users, but should not for most
Changes expected to improve the state of the world and are unlikely to have negative effects
- data plane: fix crash when internal redirect selects a route configured with direct response or redirect actions.
- jwt_authn: fixed the crash when a CONNECT request is sent to JWT filter configured with regex match on the Host header.
- tcp_proxy: fix a crash that occurs when configured for :ref:`upstream tunneling <v1.20:envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.tunneling_config>` and the downstream connection disconnects while the the upstream connection or http/2 stream is still being established.
- upstream: fix stack overflow when a cluster with large number of idle connections is removed.
Normally occurs at the end of the :ref:`deprecation period <v1.20:deprecated>`
+* tls: added support for :ref:`match_typed_subject_alt_names <v1.21:envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` for subject alternative names to enforce specifying the subject alternative name type for the matcher to prevent matching against an unintended type in the certificate.
+* tls: :ref:`match_subject_alt_names <v1.21:envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>` has been deprecated in favor of the :ref:`match_typed_subject_alt_names <v1.21:envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`.