Manual cherry-pick of release files #7285 #7294 #7296 (#7305)

Eric Van Norman 2020-05-13 20:15:43 -05:00 committed by GitHub
parent 85f4d1d97b
commit 0dcdd6fddb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 116 additions and 0 deletions


@ -191,6 +191,7 @@ CVE-2020-8659
CVE-2020-8660
CVE-2020-8661
CVE-2020-8664
CVE-2020-10739
CVEs
cves
cvss
@ -338,6 +339,7 @@ ISTIO-SECURITY-2020-001
ISTIO-SECURITY-2020-002
ISTIO-SECURITY-2020-003
ISTIO-SECURITY-2020-004
ISTIO-SECURITY-2020-005
istio-system
istio.io
istio.io.


@ -0,0 +1,26 @@
---
title: Announcing Istio 1.4.9
linktitle: 1.4.9
subtitle: Patch Release
description: Istio 1.4.9 patch release.
publishdate: 2020-05-12
release: 1.4.9
aliases:
- /news/announcing-1.4.9
---
This release contains bug fixes to improve robustness and fixes for the security vulnerabilities described in [our May 12th, 2020 news post](/news/security/istio-security-2020-005). This release note describes what's different between Istio 1.4.9 and Istio 1.4.8.
{{< relnote >}}
## Security update
- **ISTIO-SECURITY-2020-005** Denial of Service with Telemetry V2 enabled.
__[CVE-2020-10739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739)__: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.
## Bug Fixes
- **Fixed** the Helm installer to install Kiali using an dynamically generated signing key.
- **Fixed** Citadel to ignore namespaces that are not part of the mesh.
- **Fixed** the Istio operator installer to print the name of any resources that are not ready when an installation timeout occurs.
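Review bot: typo in the first Bug Fixes bullet, `install Kiali using an dynamically generated signing key` should read `a dynamically generated signing key`, which is how the 1.5.3 note in this same commit words the identical fix. The intro sentence also says `fixes for the security vulnerabilities` while the Security update section lists exactly one CVE; the singular, as used in the 1.5.4 note, would be accurate. Unlike the 1.5.3 note, none of the three bug-fix bullets cites a GitHub issue, so readers cannot check what was actually backported; add the issue links where they exist.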


@ -0,0 +1,30 @@
---
title: Announcing Istio 1.5.3
linktitle: 1.5.3
subtitle: Patch Release
description: Istio 1.5.3 security release.
publishdate: 2020-05-12
release: 1.5.3
aliases:
- /news/announcing-1.5.3
---
{{< warning >}}
DO NOT USE this release. USE release 1.5.4 instead.
{{< /warning >}}
Due to a publishing error, the 1.5.3 images do not contain the fix for CVE-2020-10739 as claimed in the original announcement.
This release contains bug fixes to improve robustness.
This release note describes what's different between Istio 1.5.3 and Istio 1.5.2.
{{< relnote >}}
## Changes
- **Fixed** the Helm installer to install Kiali using a dynamically generated signing key.
- **Fixed** overlaying the generated Kubernetes resources for addon components with user-defined overlays
[(Issue 23048)](https://github.com/istio/istio/issues/23048)
- **Fixed** `istio-sidecar.deb` failing to start on Debian buster with `iptables` default `nftables` setting [(Issue 23279)](https://github.com/istio/istio/issues/23279)
- **Fixed** the corresponding hash policy not being updated after the header name specified in `DestinationRule.trafficPolicy.loadBalancer.consistentHash.httpHeaderName` is changed [(Issue 23434)](https://github.com/istio/istio/issues/23434)
- **Fixed** traffic routing when deployed in a namespace other than istio-system [(Issue 23401)](https://github.com/istio/istio/issues/23401)
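Review bot: the front matter `description: Istio 1.5.3 security release.` contradicts the warning block and the sentence right after it stating that the 1.5.3 images do not contain the fix for CVE-2020-10739. Since the body lists only robustness fixes, change the description to `patch release` (matching the `subtitle`) or to say the release is superseded by 1.5.4, so release listings and search results stop advertising 1.5.3 as a security fix. The Kiali signing-key bullet is also the only entry in Changes without an issue link; the other four each cite theirs.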


@ -0,0 +1,22 @@
---
title: Announcing Istio 1.5.4
linktitle: 1.5.4
subtitle: Patch Release
description: Istio 1.5.4 security release.
publishdate: 2020-05-13
release: 1.5.4
aliases:
- /news/announcing-1.5.4
---
This release fixes the security vulnerability described in [our May 12th, 2020 news post](/news/security/istio-security-2020-005).
This release note describes what's different between Istio 1.5.4 and Istio 1.5.3.
{{< relnote >}}
## Security update
- **ISTIO-SECURITY-2020-005** Denial of Service with Telemetry V2 enabled.
__[CVE-2020-10739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739)__: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.
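Review bot: the scope sentence `describes what's different between Istio 1.5.4 and Istio 1.5.3` is literally true but misleading for the audience this note addresses: the 1.5.3 note tells readers not to use that release, so most 1.5.x users will move from 1.5.2 straight to 1.5.4 and never see the five bug fixes documented only under 1.5.3. Add a sentence that 1.5.4 also carries the 1.5.3 changes and link to that note, or repeat the bug-fix list here.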


@ -0,0 +1,36 @@
---
title: ISTIO-SECURITY-2020-005
subtitle: Security Bulletin
description:
cves: [CVE-2020-10739]
cvss: "7.5"
vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
releases: ["1.4 to 1.4.8", "1.5 to 1.5.3"]
publishdate: 2020-05-12
keywords: [CVE]
skip_seealso: true
---
{{< security_bulletin >}}
Istio 1.4 with telemetry v2 enabled and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled:
* __[CVE-2020-10739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739)__:
By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.
* CVSS Score: 7.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&version=3.1)
## Mitigation
* For Istio 1.4.x deployments: update to [Istio 1.4.9](/news/releases/1.4.x/announcing-1.4.9) or later.
* For Istio 1.5.x deployments: update to [Istio 1.5.4](/news/releases/1.5.x/announcing-1.5.4) or later.
* Workaround: Alternatively, you can disable telemetry v2 by running the following:
{{< text bash >}}
$ istioctl manifest apply --set values.telemetry.v2.enabled=false
{{< /text >}}
## Credit
We'd like to thank `Joren Zandstra` for the original bug report.
{{< boilerplate "security-vulnerability" >}}
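Review bot: the NVD calculator link in the CVSS bullet carries a different vector (`AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N`) from the one shown as the link text and declared in the front matter (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`); the URL appears to have been copied from an earlier bulletin and should be regenerated so the calculator reproduces the 7.5 score. The opening sentence states the condition twice (`Istio 1.4 with telemetry v2 enabled and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled`); `Istio 1.4 and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled` says the same thing once, and the note should add whether telemetry v2 is on by default in each line, because the `releases` field lists `1.5 to 1.5.3` unconditionally while the prose makes it conditional. `description:` in the front matter is empty. For the workaround, `istioctl manifest apply --set values.telemetry.v2.enabled=false` regenerates the install manifest from the default profile plus that single override, so users who installed from a custom profile or an IstioOperator file should be told to pass the same `-f` file together with the `--set` (or add the setting to that file), otherwise their other customizations are reverted by the mitigation.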