- buffer: force copy when appending small slices to OwnedImpl buffer to avoid fragmentation.
- http: added HTTP/1.1 flood protection. Can be temporarily disabled using the runtime feature envoy.reloadable_features.http1_flood_protection.
- listeners: fixed issue where :ref:`TLS inspector listener filter <config_listener_filters_tls_inspector>` could have been bypassed by a client using only TLS 1.3.
- rbac: added :ref:`url_path <envoy_api_field_config.rbac.v2.Permission.url_path>` for matching URL path without the query and fragment string.
- sds: fixed the SDS vulnerability that TLS validation context (e.g., subject alt name or hash) cannot be effectively validated in some cases.