diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 7019c22ad94b..912be56035bf 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,6 +1,6 @@
 {
 "name": "istio build-tools",
- "image": "gcr.io/istio-testing/build-tools:release-1.22-02098ccc0766fde1c577cf9f9258fb43a08ec8c8",
+ "image": "gcr.io/istio-testing/build-tools:release-1.22-70caecf3832f7f72fccfc9aaa536acb3a69bdc6a",
 "privileged": true,
 "remoteEnv": {
 "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",
diff --git a/Makefile.core.mk b/Makefile.core.mk
index 9872fd85b70e..8d2edb662832 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -49,7 +49,7 @@ endif
 export VERSION
 # Base version of Istio image to use
-BASE_VERSION ?= 1.22-2024-09-17T19-00-54
+BASE_VERSION ?= 1.22-2024-11-26T19-01-41
 ISTIO_BASE_REGISTRY ?= gcr.io/istio-release
 export GO111MODULE ?= on
diff --git a/common/.commonfiles.sha b/common/.commonfiles.sha
index 4a1565379696..452450a312fd 100644
--- a/common/.commonfiles.sha
+++ b/common/.commonfiles.sha
@@ -1 +1 @@
-2f988bb7f975a3426624f4d9e92ea26d542b1b6f
+2c0d7e2143bb1e1f698b4ec4c2d586340a8d21b9
diff --git a/common/scripts/setup_env.sh b/common/scripts/setup_env.sh
index 604671c1b134..3409c24b07c9 100755
--- a/common/scripts/setup_env.sh
+++ b/common/scripts/setup_env.sh
@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
- IMAGE_VERSION=release-1.22-02098ccc0766fde1c577cf9f9258fb43a08ec8c8
+ IMAGE_VERSION=release-1.22-70caecf3832f7f72fccfc9aaa536acb3a69bdc6a
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
 IMAGE_NAME=build-tools
diff --git a/go.mod b/go.mod
index 832949058d6a..5b24a8ae9c6c 100644
--- a/go.mod
+++ b/go.mod
@@ -106,8 +106,8 @@ require (
 gopkg.in/yaml.v2 v2.4.0
 gopkg.in/yaml.v3 v3.0.1
 helm.sh/helm/v3 v3.14.3
- istio.io/api v1.22.4-0.20240808015337-e0ff1ca45c33
- istio.io/client-go v1.22.4-0.20240808020015-3d90011dbcfe
+ istio.io/api v1.22.7-0.20241205190107-5d7b98128323
+ istio.io/client-go v1.22.7-0.20241205190906-f1b3ac5102a8
 k8s.io/api v0.30.0
 k8s.io/apiextensions-apiserver v0.30.0
 k8s.io/apimachinery v0.30.0
diff --git a/go.sum b/go.sum
index 6587288280b4..eb9f94ac3fd4 100644
--- a/go.sum
+++ b/go.sum
@@ -1102,10 +1102,10 @@ helm.sh/helm/v3 v3.14.3/go.mod h1:v6myVbyseSBJTzhmeE39UcPLNv6cQK6qss3dvgAySaE=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
-istio.io/api v1.22.4-0.20240808015337-e0ff1ca45c33 h1:/IeYCiL05FL8ZxndwibKznhLsrZRDH0xaHwsk/roU7I=
-istio.io/api v1.22.4-0.20240808015337-e0ff1ca45c33/go.mod h1:S3l8LWqNYS9yT+d4bH+jqzH2lMencPkW7SKM1Cu9EyM=
-istio.io/client-go v1.22.4-0.20240808020015-3d90011dbcfe h1:8E+07PR3a1LypFLxNksDYcTwyMPB06797cavwK5zWds=
-istio.io/client-go v1.22.4-0.20240808020015-3d90011dbcfe/go.mod h1:pCCBfkXZVAxptGlL5gdGIonPxFsNQZ+iBxvYIUF9z7c=
+istio.io/api v1.22.7-0.20241205190107-5d7b98128323 h1:Rxuq0NqDMqBsfagJzNV5Ts+tQ2QE6isnoUYKARA3YI4=
+istio.io/api v1.22.7-0.20241205190107-5d7b98128323/go.mod h1:S3l8LWqNYS9yT+d4bH+jqzH2lMencPkW7SKM1Cu9EyM=
+istio.io/client-go v1.22.7-0.20241205190906-f1b3ac5102a8 h1:z2yB/AZIE1ND+gjlfoMuhFslRE2DI3nvVLPoLTlSBNc=
+istio.io/client-go v1.22.7-0.20241205190906-f1b3ac5102a8/go.mod h1:noO8SoyMxLwni3w+yGK67aydi2klExjmiqnXyeRS/00=
 k8s.io/api v0.18.2/go.mod h1:SJCWI7OLzhZSvbY7U8zwNl9UA4o1fizoug34OV/2r78=
 k8s.io/api v0.18.4/go.mod h1:lOIQAKYgai1+vz9J7YcDZwC26Z0zQewYOGWdyIPUUQ4=
 k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
diff --git a/istio.deps b/istio.deps
index 60d7ed5d9fad..0727c858faf6 100644
--- a/istio.deps
+++ b/istio.deps
@@ -4,13 +4,13 @@
 "name": "PROXY_REPO_SHA",
 "repoName": "proxy",
 "file": "",
- "lastStableSHA": "59080172cb101a90727fb6fbf829bf514d63cb53"
+ "lastStableSHA": "d17e607ff67ff7b6eccbf396d370d7a2c53a5238"
 },
 {
 "_comment": "",
 "name": "ZTUNNEL_REPO_SHA",
 "repoName": "ztunnel",
 "file": "",
- "lastStableSHA": "2eaa669fecf8505c9abb9676b64ff6a50f124a37"
+ "lastStableSHA": "2a6c8147207af15724336c0b6191149f6d1a8ca9"
 }
 ]
diff --git a/pilot/pkg/networking/core/cluster_builder_test.go b/pilot/pkg/networking/core/cluster_builder_test.go
index 36870b166d2f..148075da73b8 100644
--- a/pilot/pkg/networking/core/cluster_builder_test.go
+++ b/pilot/pkg/networking/core/cluster_builder_test.go
@@ -2090,6 +2090,18 @@ func TestShouldH2Upgrade(t *testing.T) {
 },
 upgrade: false,
 },
+ {
+ name: "mesh upgrade - dr useClientProtocol",
+ clusterName: "bar",
+ port: &model.Port{Protocol: protocol.HTTP},
+ mesh: &meshconfig.MeshConfig{H2UpgradePolicy: meshconfig.MeshConfig_UPGRADE},
+ connectionPool: &networking.ConnectionPoolSettings{
+ Http: &networking.ConnectionPoolSettings_HTTPSettings{
+ UseClientProtocol: true,
+ },
+ },
+ upgrade: false,
+ },
 {
 name: "non-http",
 clusterName: "bar",
diff --git a/pilot/pkg/networking/core/cluster_traffic_policy.go b/pilot/pkg/networking/core/cluster_traffic_policy.go
index 2bd0bca38a01..28847b7f8943 100644
--- a/pilot/pkg/networking/core/cluster_traffic_policy.go
+++ b/pilot/pkg/networking/core/cluster_traffic_policy.go
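Review bot: The new case in TestShouldH2Upgrade covers `UseClientProtocol: true` only against a mesh-wide `MeshConfig_UPGRADE`; no case has the destination rule itself request an upgrade together with `UseClientProtocol`. That is the combination the new early return in shouldH2Upgrade resolves without any visible signal. I would add a sibling entry named, for example, `"dr upgrade - dr useClientProtocol"`, setting `H2UpgradePolicy: networking.ConnectionPoolSettings_HTTPSettings_UPGRADE` next to `UseClientProtocol: true` and expecting `upgrade: false`, so the precedence is pinned by a test. The test table begins and continues outside the hunk.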
@@ -195,6 +195,12 @@ func shouldH2Upgrade(clusterName string, port *model.Port, mesh *meshconfig.Mesh
 // Upgrade if tls.GetMode() == networking.TLSSettings_ISTIO_MUTUAL
 if connectionPool != nil && connectionPool.Http != nil {
 override := connectionPool.Http.H2UpgradePolicy
+ // If useClientProtocol is set, do not upgrade
+ if connectionPool.Http.UseClientProtocol {
+ log.Debugf("Not upgrading cluster because useClientProtocol is set: %v (%v %v)",
+ clusterName, mesh.H2UpgradePolicy, override)
+ return false
+ }
 // If user wants an upgrade at destination rule/port level that means he is sure that
 // it is a Http port - upgrade in such case. This is useful incase protocol sniffing is
 // enabled and user wants to upgrade/preserve http protocol from client.
diff --git a/pilot/pkg/networking/core/route/route.go b/pilot/pkg/networking/core/route/route.go
index 7d7a272b6f8d..edb01730af40 100644
--- a/pilot/pkg/networking/core/route/route.go
+++ b/pilot/pkg/networking/core/route/route.go
@@ -781,7 +781,12 @@ func ApplyRedirect(out *route.Route, redirect *networking.HTTPRedirect, port int
 action.Redirect.ResponseCode = route.RedirectAction_PERMANENT_REDIRECT
 default:
 log.Warnf("Redirect Code %d is not yet supported", redirect.RedirectCode)
- action = nil
+ // Can't just set action to nil here because the proto marshaller will still see
+ // the Route_Redirect type of the variable and assume that the value is set
+ // (and panic because it's not). What we need to do is set out.Action directly to
+ // (a typeless) nil so that type assertions to Route_Redirect will fail.
+ out.Action = nil
+ return
 }
 out.Action = action
diff --git a/pilot/pkg/networking/core/route/route_test.go b/pilot/pkg/networking/core/route/route_test.go
index c57d1b868e4a..9773d20b16a4 100644
--- a/pilot/pkg/networking/core/route/route_test.go
+++ b/pilot/pkg/networking/core/route/route_test.go
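Review bot: The comment `// If useClientProtocol is set, do not upgrade` restates the condition but not the precedence it creates: the return happens before the destination-rule `override` is examined, so an explicit upgrade policy on the same DestinationRule is dropped and only a debug-level log records it. I would document that at the check, for example `// useClientProtocol wins over both the mesh-wide and the destination-rule h2UpgradePolicy`. The log arguments would also be easier to read if labelled, `(mesh: %v, destination rule: %v)` instead of `(%v %v)`. shouldH2Upgrade starts before and continues after the hunk, so whether `mesh` can be nil at this point is not visible here.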
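Review bot: In the `default:` branch of ApplyRedirect the function now returns with `out.Action` left nil, so an unsupported `redirect.RedirectCode` no longer reaches the marshaller as a typed nil but still produces a route with no action. Whether callers skip such a route or push it to proxies is not visible in this hunk; if it is pushed, the proxy would presumably reject it, so the contract should be stated on the function, for example `// On an unsupported redirect code out.Action is left nil; callers must not push the route.` The `log.Warnf` line also names only the code, not the configuration it came from, which makes the warning hard to act on. ApplyRedirect begins before the hunk.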
@@ -943,6 +943,19 @@ func TestBuildHTTPRoutes(t *testing.T) {
 g.Expect(redirectAction.Redirect.ResponseCode).To(Equal(envoyroute.RedirectAction_PERMANENT_REDIRECT))
 })
+ t.Run("for invalid redirect code", func(t *testing.T) {
+ g := NewWithT(t)
+ cg := core.NewConfigGenTest(t, core.TestOptions{})
+
+ routes, err := route.BuildHTTPRoutesForVirtualService(node(cg), virtualServiceWithInvalidRedirect, serviceRegistry,
+ nil, 8080, gatewayNames, route.RouteOptions{})
+ g.Expect(err).NotTo(HaveOccurred())
+ g.Expect(len(routes)).To(Equal(1))
+
+ _, ok := routes[0].Action.(*envoyroute.Route_Redirect)
+ g.Expect(ok).To(BeFalse())
+ })
+
 t.Run("for path prefix redirect", func(t *testing.T) {
 g := NewWithT(t)
 cg := core.NewConfigGenTest(t, core.TestOptions{})
@@ -1872,6 +1885,26 @@ var virtualServiceWithRedirect = config.Config{
 },
 }
+var virtualServiceWithInvalidRedirect = config.Config{
+ Meta: config.Meta{
+ GroupVersionKind: gvk.VirtualService,
+ Name: "acme",
+ },
+ Spec: &networking.VirtualService{
+ Hosts: []string{},
+ Gateways: []string{"some-gateway"},
+ Http: []*networking.HTTPRoute{
+ {
+ Redirect: &networking.HTTPRedirect{
+ Uri: "example.org",
+ Authority: "some-authority.default.svc.cluster.local",
+ RedirectCode: 317,
+ },
+ },
+ },
+ },
+}
+
 var virtualServiceWithRedirectPathPrefix = config.Config{
 Meta: config.Meta{
 GroupVersionKind: gvk.VirtualService,
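Review bot: The "for invalid redirect code" subtest asserts only that `routes[0].Action` is not a `*envoyroute.Route_Redirect`, while the failure described in route.go is a panic when the route is marshalled. Marshalling `routes[0]` inside the subtest and expecting no panic would exercise that path directly; which proto package this test file already imports is not visible here. The fixture `virtualServiceWithInvalidRedirect` would also benefit from a comment on its literal, such as `// 317 is not a redirect code that ApplyRedirect maps`, so the purpose of the number is clear to the next reader.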