[release-1.22] security adv, release notes 1.22.1 and 1.21.4 (#15358) (#15371)

* release notes * Update content/en/news/releases/1.22.x/announcing-1.22.2/index.md * Update content/en/news/releases/1.21.x/announcing-1.21.4/index.md --------- Signed-off-by: Daniel Hawton <daniel@hawton.org> Co-authored-by: Faseela K <k.faseela@gmail.com>
2024-07-01 16:56:50 -06:00 · 2024-07-01 16:56:50 -06:00 · 64e33b5284
parent 644c787c4b
commit 64e33b5284
6 changed files with 117 additions and 5 deletions
--- a/.spelling
+++ b/.spelling
@ -519,6 +519,7 @@ GCP_OPTS
 gcr.io
 gdb
 Geneve
+GHSA-8mq4-c2v5-3h39
 GiB
 git
 GitHub
--- a/content/en/docs/releases/supported-releases/index.md
+++ b/content/en/docs/releases/supported-releases/index.md
@ -70,9 +70,8 @@ Please keep up-to-date and use a supported version.

 | Minor Releases | Patched versions with no known CVEs |
 |----------------|-------------------------------------|
-| 1.22.x         | 1.22.1+                             |
-| 1.21.x         | 1.21.3+                             |
-| 1.20.x         | 1.20.7+                             |
+| 1.22.x         | 1.22.2+                             |
+| 1.21.x         | 1.21.4+                             |

 ## Supported Envoy Versions

@ -84,6 +83,5 @@ The relationship between the two project's versions:
 |---------------|----------------------|
 | 1.22.x        | release/v1.30        |
 | 1.21.x        | release/v1.29        |
-| 1.20.x        | release/v1.28        |

 You can find the precise Envoy commit used by Istio [in the `istio/proxy` repository](https://github.com/istio/proxy/blob/{{< source_branch_name >}}/WORKSPACE#L26): look for the `ENVOY_SHA` variable.
--- a/content/en/news/releases/1.21.x/announcing-1.21.4/index.md
+++ b/content/en/news/releases/1.21.x/announcing-1.21.4/index.md
@ -0,0 +1,33 @@
+---
+title: Announcing Istio 1.21.4
+linktitle: 1.21.4
+subtitle: Patch Release
+description: Istio 1.21.4 patch release.
+publishdate: 2024-06-27
+release: 1.21.4
+---
+
+This release implements the security updates described in our 27th of June post, [`ISTIO-SECURITY-2024-005`](/news/security/istio-security-2024-005) along with bug fixes to improve robustness.
+
+This release note describes what is different between Istio 1.21.3 and 1.21.4.
+
+{{< relnote >}}
+
+## Changes
+
+- **Added** `gateways.securityContext` to manifests to provide an option to customize the gateway `securityContext`.
+  ([Issue #49549](https://github.com/istio/istio/issues/49549))
+
+- **Fixed** an issue where `istioctl analyze` returned IST0162 false positives.
+  ([Issue #51257](https://github.com/istio/istio/issues/51257))
+
+- **Fixed** false positives in IST0128 and IST0129 when `credentialName` and `workloadSelector` were set.
+  ([Issue #51567](https://github.com/istio/istio/issues/51567))
+
+- **Fixed** an issue where JWKS fetched from URIs were not updated promptly when there are errors fetching other URIs.
+  ([Issue #51636](https://github.com/istio/istio/issues/51636))
+
+- **Fixed** 503 errors returned by `auto-passthrough` gateways created after enabling mTLS.
+
+- **Fixed** `serviceRegistry` ordering of the proxy labels, so we put the Kubernetes registry in front.
+  ([Issue #50968](https://github.com/istio/istio/issues/50968))
--- a/content/en/news/releases/1.22.x/announcing-1.22.2/index.md
+++ b/content/en/news/releases/1.22.x/announcing-1.22.2/index.md
@ -0,0 +1,56 @@
+---
+title: Announcing Istio 1.22.2
+linktitle: 1.22.2
+subtitle: Patch Release
+description: Istio 1.22.2 patch release.
+publishdate: 2024-06-27
+release: 1.22.2
+---
+
+This release implements the security updates described in our 27th of June post, [`ISTIO-SECURITY-2024-005`](/news/security/istio-security-2024-005) along with bug fixes to improve robustness.
+
+This release note describes what is different between Istio 1.22.1 and 1.22.2.
+
+{{< relnote >}}
+
+## Changes
+
+- **Improved** waypoint proxies to no longer run as root.
+
+- **Added** `gateways.securityContext` to manifests to provide an option to customize the gateway `securityContext`.
+  ([Issue #49549](https://github.com/istio/istio/issues/49549))
+
+- **Added** a new option in ztunnel to completely disable IPv6, to enable running on kernels with IPv6 disabled.
+
+- **Fixed** an issue where `istioctl analyze` returned IST0162 false positives.
+  ([Issue #51257](https://github.com/istio/istio/issues/51257))
+
+- **Fixed** `ENABLE_ENHANCED_RESOURCE_SCOPING` not being part of helm compatibility profiles for Istio 1.20/1.21.
+  ([Issue #51399](https://github.com/istio/istio/issues/51399))
+
+- **Fixed** Kubernetes job pod IPs may not be fully unenrolled from ambient despite being in a terminated state.
+
+- **Fixed** false positives in IST0128 and IST0129 when `credentialName` and `workloadSelector` were set.
+  ([Issue #51567](https://github.com/istio/istio/issues/51567))
+
+- **Fixed** an issue where JWKS fetched from URIs were not updated promptly when there are errors fetching other URIs.
+  ([Issue #51636](https://github.com/istio/istio/issues/51636))
+
+- **Fixed** an issue causing `workloadSelector` policies to apply to the wrong namespace in ztunnel.
+  ([Issue #51556](https://github.com/istio/istio/issues/51556))
+
+- **Fixed** a bug causing `discoverySelectors` to accidentally filter out all `GatewayClasses`.
+
+- **Fixed** certificate chains parsing avoid unnecessary parsing errors by trimming unnecessary intermediate certificates.
+
+- **Fixed** a bug in ambient mode causing requests at the start of a Pod lifetime to be rejected with `unknown source`.
+
+- **Fixed** an issue in ztunnel where some expected connection terminations were reported as errors.
+
+- **Fixed** an issue in ztunnel when connecting to a service with a `targetPort` that exists only on a subset of pods.
+
+- **Fixed** an issue when deleting a `ServiceEntry` when there are duplicate hostnames across multiple `ServiceEntries`.
+
+- **Fixed** an issue where ztunnel would send directly to pods when connecting to a `LoadBalancer` IP, instead of going through the `LoadBalancer`.
+
+- **Fixed** an issue where ztunnel would send traffic to terminating pods.
--- a/content/en/news/security/istio-security-2024-005/index.md
+++ b/content/en/news/security/istio-security-2024-005/index.md
@ -0,0 +1,24 @@
+---
+title: ISTIO-SECURITY-2024-005
+subtitle: Security Bulletin
+description: CVEs reported by Envoy.
+cves: []
+cvss: "7.5"
+vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+releases: ["1.21.0 to 1.21.3", "1.22.0 to 1.22.1"]
+publishdate: 2024-06-27
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVEs
+
+- __[GHSA-8mq4-c2v5-3h39](https://github.com/envoyproxy/envoy/security/advisories/GHSA-8mq4-c2v5-3h39)__: (CVSS Score 7.5, Moderate): Datadog: Datadog tracer does not handle trace headers with Unicode characters.
+
+## Am I Impacted?
+
+You are impacted if you are using Istio 1.21.0 to 1.21.3 or 1.22.0 to 1.22.1 and have enabled the Datadog tracer.
--- a/data/compatibility/supportStatus.yml
+++ b/data/compatibility/supportStatus.yml
@ -22,7 +22,7 @@
 - version: "1.20"
  supported: "Yes"
  releaseDate: "Nov 14, 2023"
-  eolDate: "~Jul 2024 (Expected)"
+  eolDate: "Jun 25, 2024"
  k8sVersions: ["1.25", "1.26", "1.27", "1.28", "1.29"]
  testedK8sVersions: ["1.23", "1.24"]
 - version: "1.19"