Release docs for 2025-09-03 releases (#16841)

* Release docs for 2025-09-03 releases

Co-authored-by: Daniel Hawton <daniel@hawton.org>
Signed-off-by: mkralik3 <mkralik@redhat.com>

* Fix lint

Signed-off-by: mkralik3 <mkralik@redhat.com>

* Add latest fixes + sync order/wording across all release notes

Signed-off-by: mkralik3 <mkralik@redhat.com>

* Apply suggestions from code review

---------

Signed-off-by: mkralik3 <mkralik@redhat.com>
Co-authored-by: Daniel Hawton <daniel@hawton.org>
Co-authored-by: Daniel Hawton <daniel.hawton@solo.io>

.spelling

@@ -423,6 +423,8 @@ CVE-2024-53270
 CVE-2024-53271
 CVE-2025-30157
 CVE-2025-46821
+CVE-2025-54588
+CVE-2025-55162
 CVEs
 cves
 cvss
@@ -706,6 +708,7 @@ ISTIO-SECURITY-2023-003
 ISTIO-SECURITY-2023-004
 ISTIO-SECURITY-2024-006
 ISTIO-SECURITY-2024-007
+ISTIO-SECURITY-2025-001
 istio-system
 istio.io
 istio.io.
@@ -1189,6 +1192,7 @@ sidecar.env
 sidecar.istio.io
 Sidecarless
 SignalFX
+Signout
 sigstore
 sinkInfo
 SkyWalking
@@ -1377,6 +1381,7 @@ v2
 v2-mysql
 v2.0
 v3
+v3.18.5
 validatable
 validator
 ValueType

content/en/docs/releases/supported-releases/index.md

@@ -70,9 +70,9 @@ Please keep up-to-date and use a supported version.
 
 | Minor Releases | Patched versions with no known CVEs |
 |----------------|-------------------------------------|
-| 1.27.x         | 1.27.0+                             |
-| 1.26.x         | 1.26.0+                             |
-| 1.25.x         | 1.25.3+                             |
+| 1.27.x         | 1.27.1+                             |
+| 1.26.x         | 1.26.4+                             |
+| 1.25.x         | 1.25.5+                             |
 
 ## Supported Envoy Versions
 

content/en/news/releases/1.25.x/announcing-1.25.5/index.md

@@ -0,0 +1,30 @@
+---
+title: Announcing Istio 1.25.5
+linktitle: 1.25.5
+subtitle: Patch Release
+description: Istio 1.25.5 patch release.
+publishdate: 2025-09-03
+release: 1.25.5
+aliases:
+    - /news/announcing-1.25.5
+---
+
+This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.25.4 and Istio 1.25.5.
+
+This release implements the security updates described in our 3rd of September post, [`ISTIO-SECURITY-2025-001`](/news/security/istio-security-2025-001).
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** an issue where `istio-iptables` would sometimes ignore the IPv4 state in favor of the IPv6 state when deciding whether new iptables rules needed to be applied.
+  ([Issue #56587](https://github.com/istio/istio/issues/56587))
+
+- **Fixed** a bug where our tag watcher code didn't consider the default revision to be the same as the default tag. This would cause issues where Kubernetes gateways wouldn't be programmed.
+  ([Issue #56767](https://github.com/istio/istio/issues/56767))
+
+- **Fixed** an issue causing Gateway chart installation failures with Helm v3.18.5 due to a stricter JSON schema validator. The chart's schema has been updated to be compatible.
+  ([Issue #57354](https://github.com/istio/istio/issues/57354))
+
+- **Fixed** an issue where the `PreserveHeaderCase` option was overriding other HTTP/1.x protocol options, such as HTTP/1.0.
+  ([Issue #57528](https://github.com/istio/istio/issues/57528))

content/en/news/releases/1.26.x/announcing-1.26.4/index.md

@@ -0,0 +1,30 @@
+---
+title: Announcing Istio 1.26.4
+linktitle: 1.26.4
+subtitle: Patch Release
+description: Istio 1.26.4 patch release.
+publishdate: 2025-09-03
+release: 1.26.4
+aliases:
+    - /news/announcing-1.26.4
+---
+
+This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.26.3 and 1.26.4.
+
+This release implements the security updates described in our 3rd of September post, [`ISTIO-SECURITY-2025-001`](/news/security/istio-security-2025-001).
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** an issue where `istio-iptables` would sometimes ignore the IPv4 state in favor of the IPv6 state when deciding whether new iptables rules needed to be applied.
+  ([Issue #56587](https://github.com/istio/istio/issues/56587))
+
+- **Fixed** a bug where our tag watcher code didn't consider the default revision to be the same as the default tag. This would cause issues where Kubernetes gateways wouldn't be programmed.
+  ([Issue #56767](https://github.com/istio/istio/issues/56767))
+
+- **Fixed** an issue causing Gateway chart installation failures with Helm v3.18.5 due to a stricter JSON schema validator. The chart's schema has been updated to be compatible.
+  ([Issue #57354](https://github.com/istio/istio/issues/57354))
+
+- **Fixed** an issue where the `PreserveHeaderCase` option was overriding other HTTP/1.x protocol options, such as HTTP/1.0.
+  ([Issue #57528](https://github.com/istio/istio/issues/57528))

content/en/news/releases/1.27.x/announcing-1.27.1/index.md

@@ -0,0 +1,38 @@
+---
+title: Announcing Istio 1.27.1
+linktitle: 1.27.1
+subtitle: Patch Release
+description: Istio 1.27.1 patch release.
+publishdate: 2025-09-03
+release: 1.27.1
+aliases:
+    - /news/announcing-1.27.1
+---
+
+This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.27.0 and 1.27.1.
+
+This release implements the security updates described in our 3rd of September post, [`ISTIO-SECURITY-2025-001`](/news/security/istio-security-2025-001).
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** an issue where `istio-iptables` would sometimes ignore the IPv4 state in favor of the IPv6 state when deciding whether new iptables rules needed to be applied.
+  ([Issue #56587](https://github.com/istio/istio/issues/56587))
+
+- **Fixed** a bug where our tag watcher code didn't consider the default revision to be the same as the default tag. This would cause issues where Kubernetes gateways wouldn't be programmed.
+  ([Issue #56767](https://github.com/istio/istio/issues/56767))
+
+- **Fixed** an issue causing Gateway chart installation failures with Helm v3.18.5 due to a stricter JSON schema validator. The chart's schema has been updated to be compatible.
+  ([Issue #57354](https://github.com/istio/istio/issues/57354))
+
+- **Fixed** an issue where the `PreserveHeaderCase` option was overriding other HTTP/1.x protocol options, such as HTTP/1.0.
+  ([Issue #57528](https://github.com/istio/istio/issues/57528))
+
+- **Fixed** a change in output of `istioctl proxy-status` to be more consistent with previous versions.
+  ([Issue #57339](https://github.com/istio/istio/issues/57339))
+
+- **Fixed** iptables detection logic to fall back to `iptables-nft` when the `iptable_nat` module is missing.
+  ([Issue #57380](https://github.com/istio/istio/issues/57380))
+
+- **Fixed** a bug that incorrectly rejected traffic policies when only `retry_budget` was set.

content/en/news/security/istio-security-2025-001/index.md

@@ -0,0 +1,25 @@
+---
+title: ISTIO-SECURITY-2025-001
+subtitle: Security Bulletin
+description: CVEs reported by Envoy.
+cves: [CVE-2025-55162, CVE-2025-54588]
+cvss: "7.5"
+vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+releases: ["1.27.0", "1.26.0 to 1.26.3", "1.25.0 to 1.25.4"]
+publishdate: 2025-09-03
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVEs
+
+- __[CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh)__: (CVSS score 6.3, Moderate): OAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag
+- __[CVE-2025-54588](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw)__: (CVSS score 7.5, High): Use after free in DNS cache
+
+## Am I Impacted?
+
+You are impacted if you are using Istio 1.27.0, 1.26.0 to 1.26.3, or 1.25.0 to 1.25.4, and you use cookies named with prefix `__Secure-` or `__Host-`, or you are using `EnvoyFilter` with `dynamic_forward_proxy`.