diff --git a/.spelling b/.spelling index 2f10579c50..9d5043d224 100644 --- a/.spelling +++ b/.spelling @@ -423,6 +423,8 @@ CVE-2024-53270 CVE-2024-53271 CVE-2025-30157 CVE-2025-46821 +CVE-2025-54588 +CVE-2025-55162 CVEs cves cvss @@ -706,6 +708,7 @@ ISTIO-SECURITY-2023-003 ISTIO-SECURITY-2023-004 ISTIO-SECURITY-2024-006 ISTIO-SECURITY-2024-007 +ISTIO-SECURITY-2025-001 istio-system istio.io istio.io. @@ -1189,6 +1192,7 @@ sidecar.env sidecar.istio.io Sidecarless SignalFX +Signout sigstore sinkInfo SkyWalking @@ -1377,6 +1381,7 @@ v2 v2-mysql v2.0 v3 +v3.18.5 validatable validator ValueType diff --git a/content/en/docs/releases/supported-releases/index.md b/content/en/docs/releases/supported-releases/index.md index 930f3311cd..5f6a6a0fba 100644 --- a/content/en/docs/releases/supported-releases/index.md +++ b/content/en/docs/releases/supported-releases/index.md @@ -70,9 +70,9 @@ Please keep up-to-date and use a supported version. | Minor Releases | Patched versions with no known CVEs | |----------------|-------------------------------------| -| 1.27.x | 1.27.0+ | -| 1.26.x | 1.26.0+ | -| 1.25.x | 1.25.3+ | +| 1.27.x | 1.27.1+ | +| 1.26.x | 1.26.4+ | +| 1.25.x | 1.25.5+ | ## Supported Envoy Versions diff --git a/content/en/news/releases/1.25.x/announcing-1.25.5/index.md b/content/en/news/releases/1.25.x/announcing-1.25.5/index.md new file mode 100644 index 0000000000..d5da774f7b --- /dev/null +++ b/content/en/news/releases/1.25.x/announcing-1.25.5/index.md 
@@ -0,0 +1,30 @@ +--- +title: Announcing Istio 1.25.5 +linktitle: 1.25.5 +subtitle: Patch Release +description: Istio 1.25.5 patch release. +publishdate: 2025-09-03 +release: 1.25.5 +aliases: + - /news/announcing-1.25.5 +--- + +This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.25.4 and Istio 1.25.5. + +This release implements the security updates described in our 3rd of September post, [`ISTIO-SECURITY-2025-001`](/news/security/istio-security-2025-001). + +{{< relnote >}} + +## Changes + +- **Fixed** an issue where `istio-iptables` would sometimes ignore the IPv4 state in favor of the IPv6 state when deciding whether new iptables rules needed to be applied. + ([Issue #56587](https://github.com/istio/istio/issues/56587)) + +- **Fixed** a bug where our tag watcher code didn't consider the default revision to be the same as the default tag. This would cause issues where Kubernetes gateways wouldn't be programmed. + ([Issue #56767](https://github.com/istio/istio/issues/56767)) + +- **Fixed** an issue causing Gateway chart installation failures with Helm v3.18.5 due to a stricter JSON schema validator. The chart's schema has been updated to be compatible. + ([Issue #57354](https://github.com/istio/istio/issues/57354)) + +- **Fixed** an issue where the `PreserveHeaderCase` option was overriding other HTTP/1.x protocol options, such as HTTP/1.0. + ([Issue #57528](https://github.com/istio/istio/issues/57528)) diff --git a/content/en/news/releases/1.26.x/announcing-1.26.4/index.md b/content/en/news/releases/1.26.x/announcing-1.26.4/index.md new file mode 100644 index 0000000000..d4dcba8c39 --- /dev/null +++ b/content/en/news/releases/1.26.x/announcing-1.26.4/index.md 
@@ -0,0 +1,30 @@ +--- +title: Announcing Istio 1.26.4 +linktitle: 1.26.4 +subtitle: Patch Release +description: Istio 1.26.4 patch release. +publishdate: 2025-09-03 +release: 1.26.4 +aliases: + - /news/announcing-1.26.4 +--- + +This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.26.3 and 1.26.4. + +This release implements the security updates described in our 3rd of September post, [`ISTIO-SECURITY-2025-001`](/news/security/istio-security-2025-001). + +{{< relnote >}} + +## Changes + +- **Fixed** an issue where `istio-iptables` would sometimes ignore the IPv4 state in favor of the IPv6 state when deciding whether new iptables rules needed to be applied. + ([Issue #56587](https://github.com/istio/istio/issues/56587)) + +- **Fixed** a bug where our tag watcher code didn't consider the default revision to be the same as the default tag. This would cause issues where Kubernetes gateways wouldn't be programmed. + ([Issue #56767](https://github.com/istio/istio/issues/56767)) + +- **Fixed** an issue causing Gateway chart installation failures with Helm v3.18.5 due to a stricter JSON schema validator. The chart's schema has been updated to be compatible. + ([Issue #57354](https://github.com/istio/istio/issues/57354)) + +- **Fixed** an issue where the `PreserveHeaderCase` option was overriding other HTTP/1.x protocol options, such as HTTP/1.0. + ([Issue #57528](https://github.com/istio/istio/issues/57528)) diff --git a/content/en/news/releases/1.27.x/announcing-1.27.1/index.md b/content/en/news/releases/1.27.x/announcing-1.27.1/index.md new file mode 100644 index 0000000000..31d4cacfad --- /dev/null +++ b/content/en/news/releases/1.27.x/announcing-1.27.1/index.md 
@@ -0,0 +1,38 @@ +--- +title: Announcing Istio 1.27.1 +linktitle: 1.27.1 +subtitle: Patch Release +description: Istio 1.27.1 patch release. +publishdate: 2025-09-03 +release: 1.27.1 +aliases: + - /news/announcing-1.27.1 +--- + +This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.27.0 and 1.27.1. + +This release implements the security updates described in our 3rd of September post, [`ISTIO-SECURITY-2025-001`](/news/security/istio-security-2025-001). + +{{< relnote >}} + +## Changes + +- **Fixed** an issue where `istio-iptables` would sometimes ignore the IPv4 state in favor of the IPv6 state when deciding whether new iptables rules needed to be applied. + ([Issue #56587](https://github.com/istio/istio/issues/56587)) + +- **Fixed** a bug where our tag watcher code didn't consider the default revision to be the same as the default tag. This would cause issues where Kubernetes gateways wouldn't be programmed. + ([Issue #56767](https://github.com/istio/istio/issues/56767)) + +- **Fixed** an issue causing Gateway chart installation failures with Helm v3.18.5 due to a stricter JSON schema validator. The chart's schema has been updated to be compatible. + ([Issue #57354](https://github.com/istio/istio/issues/57354)) + +- **Fixed** an issue where the `PreserveHeaderCase` option was overriding other HTTP/1.x protocol options, such as HTTP/1.0. + ([Issue #57528](https://github.com/istio/istio/issues/57528)) + +- **Fixed** a change in output of `istioctl proxy-status` to be more consistent with previous versions. + ([Issue #57339](https://github.com/istio/istio/issues/57339)) + +- **Fixed** iptables detection logic to fall back to `iptables-nft` when the `iptable_nat` module is missing. + ([Issue #57380](https://github.com/istio/istio/issues/57380)) + +- **Fixed** a bug that incorrectly rejected traffic policies when only `retry_budget` was set. 
diff --git a/content/en/news/security/istio-security-2025-001/index.md b/content/en/news/security/istio-security-2025-001/index.md new file mode 100644 index 0000000000..a832a0655b --- /dev/null +++ b/content/en/news/security/istio-security-2025-001/index.md @@ -0,0 +1,25 @@ +--- +title: ISTIO-SECURITY-2025-001 +subtitle: Security Bulletin +description: CVEs reported by Envoy. +cves: [CVE-2025-55162, CVE-2025-54588] +cvss: "7.5" +vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" +releases: ["1.27.0", "1.26.0 to 1.26.3", "1.25.0 to 1.25.4"] +publishdate: 2025-09-03 +keywords: [CVE] +skip_seealso: true +--- + +{{< security_bulletin >}} + +## CVE + +### Envoy CVEs + +- __[CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh)__: (CVSS score 6.3, Moderate): OAuth2 Filter Signout route will not clear cookies because of missing "secure;" flag +- __[CVE-2025-54588](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw)__: (CVSS score 7.5, High): Use after free in DNS cache + +## Am I Impacted? + +You are impacted if you are using Istio 1.27.0, 1.26.0 to 1.26.3, or 1.25.0 to 1.25.4, and you use cookies named with prefix `__Secure-` or `__Host-`, or you are using `EnvoyFilter` with `dynamic_forward_proxy`.
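Review bot: Inconsistent intro wording in the announcing-1.25.5 hunk: it reads "between Istio 1.25.4 and Istio 1.25.5", while the 1.26.4 and 1.27.1 notes in the same patch read "between Istio 1.26.3 and 1.26.4" and "between Istio 1.27.0 and 1.27.1". Suggest the shorter form, "between Istio 1.25.4 and 1.25.5", so the three patch announcements match.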
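Review bot: The last entry in the announcing-1.27.1 hunk ("**Fixed** a bug that incorrectly rejected traffic policies when only `retry_budget` was set.") is the only change without an issue or PR reference; every other entry links one, so add the reference so readers can trace the fix. Two smaller points in the same hunk: "**Fixed** a change in output of `istioctl proxy-status`" says the change was fixed rather than the output, so suggest "**Fixed** the output of `istioctl proxy-status` to be more consistent with previous versions."; and the `iptables-nft` fallback entry would be clearer if it said what the previous behaviour was when the `iptable_nat` module was missing (a failed install, or rules silently not applied), since that is what an operator upgrading for this fix needs to know.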
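Review bot: The "Am I Impacted?" section of the istio-security-2025-001 hunk lists two unrelated conditions in one sentence without saying which CVE each belongs to, so a reader cannot tell which fix matters for them. From the two bullets above it: the `__Secure-` / `__Host-` cookie-prefix condition belongs to CVE-2025-55162 (the OAuth2 filter signout route does not clear cookies because the `secure;` flag is missing; browsers require the `Secure` attribute on cookies with those prefixes, so a clearing `Set-Cookie` without it is ignored and the session cookie survives signout), and the `EnvoyFilter` with `dynamic_forward_proxy` condition belongs to CVE-2025-54588 (use after free in the DNS cache). Suggest one bullet per CVE, each stating the condition and the consequence, and a sentence noting that the headline `cvss: "7.5"` and the `C:N/I:N/A:H` vector in the front matter are those of CVE-2025-54588, since the cookie issue is scored 6.3 Moderate.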