From 0dcdd6fddbb9fb0f4d282a3d3dbfb5616a686e01 Mon Sep 17 00:00:00 2001 From: Eric Van Norman Date: Wed, 13 May 2020 20:15:43 -0500 Subject: [PATCH] Manual cherry-pick of release files #7285 #7294 #7296 (#7305) --- .spelling | 2 ++ .../releases/1.4.x/announcing-1.4.9/index.md | 26 ++++++++++++++ .../releases/1.5.x/announcing-1.5.3/index.md | 30 ++++++++++++++++ .../releases/1.5.x/announcing-1.5.4/index.md | 22 ++++++++++++ .../security/istio-security-2020-005/index.md | 36 +++++++++++++++++++ 5 files changed, 116 insertions(+) create mode 100644 content/en/news/releases/1.4.x/announcing-1.4.9/index.md create mode 100644 content/en/news/releases/1.5.x/announcing-1.5.3/index.md create mode 100644 content/en/news/releases/1.5.x/announcing-1.5.4/index.md create mode 100644 content/en/news/security/istio-security-2020-005/index.md diff --git a/.spelling b/.spelling index e5ee30b713..a1c570dde9 100644 --- a/.spelling +++ b/.spelling @@ -191,6 +191,7 @@ CVE-2020-8659 CVE-2020-8660 CVE-2020-8661 CVE-2020-8664 +CVE-2020-10739 CVEs cves cvss @@ -338,6 +339,7 @@ ISTIO-SECURITY-2020-001 ISTIO-SECURITY-2020-002 ISTIO-SECURITY-2020-003 ISTIO-SECURITY-2020-004 +ISTIO-SECURITY-2020-005 istio-system istio.io istio.io. diff --git a/content/en/news/releases/1.4.x/announcing-1.4.9/index.md b/content/en/news/releases/1.4.x/announcing-1.4.9/index.md new file mode 100644 index 0000000000..816c68dfcb --- /dev/null +++ b/content/en/news/releases/1.4.x/announcing-1.4.9/index.md 
@@ -0,0 +1,26 @@ +--- +title: Announcing Istio 1.4.9 +linktitle: 1.4.9 +subtitle: Patch Release +description: Istio 1.4.9 patch release. +publishdate: 2020-05-12 +release: 1.4.9 +aliases: + - /news/announcing-1.4.9 +--- + +This release contains bug fixes to improve robustness and fixes for the security vulnerabilities described in [our May 12th, 2020 news post](/news/security/istio-security-2020-005). This release note describes what's different between Istio 1.4.9 and Istio 1.4.8. + +{{< relnote >}} + +## Security update + +- **ISTIO-SECURITY-2020-005** Denial of Service with Telemetry V2 enabled. + +__[CVE-2020-10739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739)__: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar. + +## Bug Fixes + +- **Fixed** the Helm installer to install Kiali using an dynamically generated signing key. +- **Fixed** Citadel to ignore namespaces that are not part of the mesh. +- **Fixed** the Istio operator installer to print the name of any resources that are not ready when an installation timeout occurs. diff --git a/content/en/news/releases/1.5.x/announcing-1.5.3/index.md b/content/en/news/releases/1.5.x/announcing-1.5.3/index.md new file mode 100644 index 0000000000..adbc80df3b --- /dev/null +++ b/content/en/news/releases/1.5.x/announcing-1.5.3/index.md 
@@ -0,0 +1,30 @@ +--- +title: Announcing Istio 1.5.3 +linktitle: 1.5.3 +subtitle: Patch Release +description: Istio 1.5.3 security release. +publishdate: 2020-05-12 +release: 1.5.3 +aliases: + - /news/announcing-1.5.3 +--- + +{{< warning >}} +DO NOT USE this release. USE release 1.5.4 instead. +{{< /warning >}} + +Due to a publishing error, the 1.5.3 images do not contain the fix for CVE-2020-10739 as claimed in the original announcement. + +This release contains bug fixes to improve robustness. +This release note describes what's different between Istio 1.5.3 and Istio 1.5.2. + +{{< relnote >}} + +## Changes + +- **Fixed** the Helm installer to install Kiali using a dynamically generated signing key. +- **Fixed** overlaying the generated Kubernetes resources for addon components with user-defined overlays + [(Issue 23048)](https://github.com/istio/istio/issues/23048) +- **Fixed** `istio-sidecar.deb` failing to start on Debian buster with `iptables` default `nftables` setting [(Issue 23279)](https://github.com/istio/istio/issues/23279) +- **Fixed** the corresponding hash policy not being updated after the header name specified in `DestinationRule.trafficPolicy.loadBalancer.consistentHash.httpHeaderName` is changed [(Issue 23434)](https://github.com/istio/istio/issues/23434) +- **Fixed** traffic routing when deployed in a namespace other than istio-system [(Issue 23401)](https://github.com/istio/istio/issues/23401) diff --git a/content/en/news/releases/1.5.x/announcing-1.5.4/index.md b/content/en/news/releases/1.5.x/announcing-1.5.4/index.md new file mode 100644 index 0000000000..adec54be18 --- /dev/null +++ b/content/en/news/releases/1.5.x/announcing-1.5.4/index.md 
@@ -0,0 +1,22 @@ +--- +title: Announcing Istio 1.5.4 +linktitle: 1.5.4 +subtitle: Patch Release +description: Istio 1.5.4 security release. +publishdate: 2020-05-13 +release: 1.5.4 +aliases: + - /news/announcing-1.5.4 +--- + +This release fixes the security vulnerability described in [our May 12th, 2020 news post](/news/security/istio-security-2020-005). + +This release note describes what's different between Istio 1.5.4 and Istio 1.5.3. + +{{< relnote >}} + +## Security update + +- **ISTIO-SECURITY-2020-005** Denial of Service with Telemetry V2 enabled. + +__[CVE-2020-10739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739)__: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar. diff --git a/content/en/news/security/istio-security-2020-005/index.md b/content/en/news/security/istio-security-2020-005/index.md new file mode 100644 index 0000000000..b5fc9aa7ab --- /dev/null +++ b/content/en/news/security/istio-security-2020-005/index.md 
@@ -0,0 +1,36 @@ +--- +title: ISTIO-SECURITY-2020-005 +subtitle: Security Bulletin +description: +cves: [CVE-2020-10739] +cvss: "7.5" +vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" +releases: ["1.4 to 1.4.8", "1.5 to 1.5.3"] +publishdate: 2020-05-12 +keywords: [CVE] +skip_seealso: true +--- + +{{< security_bulletin >}} + +Istio 1.4 with telemetry v2 enabled and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled: + +* __[CVE-2020-10739](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10739)__: +By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar. + * CVSS Score: 7.5 [AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N&version=3.1) + +## Mitigation + +* For Istio 1.4.x deployments: update to [Istio 1.4.9](/news/releases/1.4.x/announcing-1.4.9) or later. +* For Istio 1.5.x deployments: update to [Istio 1.5.4](/news/releases/1.5.x/announcing-1.5.4) or later. +* Workaround: Alternatively, you can disable telemetry v2 by running the following: + +{{< text bash >}} +$ istioctl manifest apply --set values.telemetry.v2.enabled=false +{{< /text >}} + +## Credit + +We'd like to thank `Joren Zandstra` for the original bug report. + +{{< boilerplate "security-vulnerability" >}}
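Review bot: In the `announcing-1.4.9/index.md` hunk, the first bullet under `## Bug Fixes` reads "using an dynamically generated signing key"; the article should be "a" ("using a dynamically generated signing key"), as the same sentence is already written in the `announcing-1.5.3/index.md` hunk.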
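Review bot: In the `announcing-1.5.3/index.md` hunk, the front matter still says `description: Istio 1.5.3 security release.` while the body adds a `{{< warning >}}` telling readers not to use the release and states that the 1.5.3 images do not contain the fix for CVE-2020-10739; the description should not present it as a security release (e.g. `description: Istio 1.5.3 patch release.`, matching the 1.4.9 page). Also, this page uses `## Changes` where the 1.4.9 page uses `## Bug Fixes` for the same kind of list; pick one heading for both.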
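Review bot: In the `istio-security-2020-005/index.md` hunk, the CVSS calculator link under "CVSS Score: 7.5" encodes a different vector (`vector=AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N`) from the one displayed as link text and declared in the front matter (`AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`), so the calculator will open with the wrong score; the query string should be `vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1`. In the same front matter, `description:` is left empty; the other bulletins carry a one-line summary there and the site templates use it. Finally, the opening sentence "Istio 1.4 with telemetry v2 enabled and Istio 1.5 contain the following vulnerability when telemetry v2 is enabled" states the telemetry v2 condition twice; "Istio 1.4 and 1.5 contain the following vulnerability when telemetry v2 is enabled" says the same thing once.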