From 3f6e730b9d4cf945b4fafd368550f4a6a5dcc855 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Tue, 9 Apr 2024 22:10:53 -0700
Subject: [PATCH] [release-1.21] [zh] Sync #14858 1.19.9, 1.20.5, 1.21.1 and Security Advisory 2024-002 into Chinese (#14868)

* Sync #14858 into Chinese
* Apply suggestions from code review
Co-authored-by: Xiaopeng Han
* Apply suggestions from code review
Co-authored-by: Michael
* Fix bad issue link
---------
Co-authored-by: Wilson Wu
Co-authored-by: Xiaopeng Han
Co-authored-by: Michael
---
 .../docs/releases/supported-releases/index.md | 6 ++--
 .../1.19.x/announcing-1.19.9/index.md | 20 +++++++++++
 .../1.20.x/announcing-1.20.5/index.md | 31 ++++++++++++++++
 .../1.21.x/announcing-1.21.1/index.md | 31 ++++++++++++++++
 .../security/istio-security-2024-002/index.md | 35 +++++++++++++++++++
 5 files changed, 120 insertions(+), 3 deletions(-)
 create mode 100644 content/zh/news/releases/1.19.x/announcing-1.19.9/index.md
 create mode 100644 content/zh/news/releases/1.20.x/announcing-1.20.5/index.md
 create mode 100644 content/zh/news/releases/1.21.x/announcing-1.21.1/index.md
 create mode 100644 content/zh/news/security/istio-security-2024-002/index.md

diff --git a/content/zh/docs/releases/supported-releases/index.md b/content/zh/docs/releases/supported-releases/index.md
index 87fcc8b38f..521cc99f02 100644
--- a/content/zh/docs/releases/supported-releases/index.md
+++ b/content/zh/docs/releases/supported-releases/index.md
@@ -70,9 +70,9 @@ Istio 不保证超出支持窗口期的次要版本都有已知的 CVE 补丁。
 
 | 次要版本 | 没有已知 CVE 的补丁版本 |
 | ---------------- | ---------------------------------------------------- |
-| 1.21.x | 1.21.0 |
-| 1.20.x | 1.20.3+ |
-| 1.19.x | 1.19.7+ |
+| 1.21.x | 1.21.1+ |
+| 1.20.x | 1.20.5+ |
+| 1.19.x | 1.19.9+ |
 
 ## 支持的 Envoy 版本 {#supported-envoy-versions}
 
diff --git a/content/zh/news/releases/1.19.x/announcing-1.19.9/index.md b/content/zh/news/releases/1.19.x/announcing-1.19.9/index.md
new file mode 100644
index 0000000000..a628e9d47b
--- /dev/null
+++ b/content/zh/news/releases/1.19.x/announcing-1.19.9/index.md
@@ -0,0 +1,20 @@
+---
+title: 发布 Istio 1.19.9
+linktitle: 1.19.9
+subtitle: 补丁发布
+description: Istio 1.19.9 补丁发布。
+publishdate: 2024-04-08
+release: 1.19.9
+---
+
+本次发布实现了 4 月 8 日公布的安全更新 [`ISTIO-SECURITY-2024-002`](/zh/news/security/istio-security-2024-002)
+并修复了一些错误,提高了稳健性。
+
+本发布说明描述了 Istio 1.19.8 和 Istio 1.19.9 之间的不同之处。
+
+{{< relnote >}}
+
+## 变更 {#changes}
+
+- **修复** 修复了更新 `ServiceEntry` 的 `TargetPort` 不会触发 xDS 推送的问题。
+ ([Issue #49878](https://github.com/istio/istio/issues/49878))
diff --git a/content/zh/news/releases/1.20.x/announcing-1.20.5/index.md b/content/zh/news/releases/1.20.x/announcing-1.20.5/index.md
new file mode 100644
index 0000000000..c74f96bcf0
--- /dev/null
+++ b/content/zh/news/releases/1.20.x/announcing-1.20.5/index.md
@@ -0,0 +1,31 @@
+---
+title: 发布 Istio 1.20.5
+linktitle: 1.20.5
+subtitle: 补丁发布
+description: Istio 1.20.5 补丁发布。
+publishdate: 2024-04-08
+release: 1.20.5
+---
+
+本次发布实现了 4 月 8 日公布的安全更新 [`ISTIO-SECURITY-2024-002`](/zh/news/security/istio-security-2024-002)
+并修复了一些错误,提高了稳健性。
+
+本发布说明描述了 Istio 1.20.4 和 Istio 1.20.5 之间的不同之处。
+
+{{< relnote >}}
+
+## 变更 {#changes}
+
+- **修复** 修复了当 `VirtualService` 包含不同大小写的重复主机将导致路由被 Envoy 拒绝的错误。
+ ([Issue #49638](https://github.com/istio/istio/issues/49638))
+
+- **修复** 修复了由于存在 ECDS 配置使得依赖 Envoy 配置转储的命令无法工作的问题。
+
+- **修复** 修复了在安装过程中观测 `EnvoyFilter` 资源未被正确修剪的问题。
+ ([Issue #48126](https://github.com/istio/istio/issues/48126))
+
+- **修复** 修复了启用集群内分析时, CPU 消耗异常高的问题。
+ ([Issue #49340](https://github.com/istio/istio/issues/49340))
+
+- **修复** 修复了更新 `ServiceEntry` 的 `TargetPort` 不会触发 xDS 推送的问题。
+ ([Issue #49878](https://github.com/istio/istio/issues/49878))
diff --git a/content/zh/news/releases/1.21.x/announcing-1.21.1/index.md b/content/zh/news/releases/1.21.x/announcing-1.21.1/index.md
new file mode 100644
index 0000000000..55c674c25b
--- /dev/null
+++ b/content/zh/news/releases/1.21.x/announcing-1.21.1/index.md
@@ -0,0 +1,31 @@
+---
+title: 发布 Istio 1.21.1
+linktitle: 1.21.1
+subtitle: 补丁发布
+description: Istio 1.21.1 补丁发布。
+publishdate: 2024-04-08
+release: 1.21.1
+---
+
+本次发布实现了 4 月 8 日公布的安全更新 [`ISTIO-SECURITY-2024-002`](/zh/news/security/istio-security-2024-002)
+并修复了一些错误,提高了稳健性。
+
+本发布说明描述了 Istio 1.21.0 和 Istio 1.21.1 之间的不同之处。
+
+{{< relnote >}}
+
+## 变更 {#changes}
+
+- **修复** 修复了当 `VirtualService` 包含不同大小写的重复主机将导致路由被 Envoy 拒绝的错误。
+ ([Issue #49638](https://github.com/istio/istio/issues/49638))
+
+- **修复** 修复了由于存在 ECDS 配置使得依赖 Envoy 配置转储的命令无法工作的问题。
+
+- **修复** 修复了在安装过程中观测 `EnvoyFilter` 资源未被正确修剪的问题。
+ ([Issue #48126](https://github.com/istio/istio/issues/48126))
+
+- **修复** 修复了启用集群内分析时, CPU 消耗异常高的问题。
+ ([Issue #49340](https://github.com/istio/istio/issues/49340))
+
+- **修复** 修复了更新 `ServiceEntry` 的 `TargetPort` 不会触发 xDS 推送的问题。
+ ([Issue #49878](https://github.com/istio/istio/issues/49878))
diff --git a/content/zh/news/security/istio-security-2024-002/index.md b/content/zh/news/security/istio-security-2024-002/index.md
new file mode 100644
index 0000000000..d1e591d98b
--- /dev/null
+++ b/content/zh/news/security/istio-security-2024-002/index.md
@@ -0,0 +1,35 @@
+---
+title: ISTIO-SECURITY-2024-002
+subtitle: 安全公告
+description: Envoy 和 Go 上报的 CVE 漏洞。
+cves: [CVE-2024-27919, CVE-2024-30255, CVE-2023-45288]
+cvss: "7.5"
+vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+releases: ["1.19.0 之前的所有版本", "1.19.0 到 1.19.8", "1.20.0 到 1.20.4", "1.21.0"]
+publishdate: 2024-04-08
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVE {#envoy-cves}
+
+- __[CVE-2024-27919](https://github.com/envoyproxy/envoy/security/advisories/GHSA-gghf-vfxp-799r)__:
+ (CVSS Score 7.5, High):HTTP/2:由于 CONTINUATION 帧泛滥而导致内存耗尽。
+- __[CVE-2024-30255](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j654-3ccm-vfmm)__:
+ (CVSS Score 5.3, Moderate):HTTP/2:由于 CONTINUATION 帧泛滥而导致 CPU 耗尽。
+
+### Go CVE {#go-cves}
+
+**注意**:在发布时,该 CVE 尚未被评分或量化。
+
+- __[CVE-2024-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288)__:
+ (CVSS Score Unpublished): HTTP/2 CONTINUATION 帧可被用于 DoS 攻击。
+
+## 我受到影响了吗?{#am-i-impacted}
+
+如果您接受来自不受信任来源的 HTTP/2 流量,您就会受到影响。
+这适用于大多数用户。如果您使用公共互联网上公开的网关,这一点尤其适用。
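Review bot: The Go CVE entry's link label reads `CVE-2024-45288`, but the `cves:` front matter and the NVD URL on that same line both use `CVE-2023-45288`, so the visible identifier in the advisory body is wrong. The line should read `- __[CVE-2023-45288](https://nvd.nist.gov/vuln/detail/CVE-2023-45288)__:`. Anyone matching scanner findings or patch tickets against the identifier shown in the text would otherwise look up the wrong ID. Since this commit is a sync of an upstream page, the English source may carry the same label and is worth checking.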