mirror of https://github.com/istio/istio.io.git
This commit is contained in:
2BFL
Istio Automation
parent
ea363ed9e9
commit
7d6a03a1f9
|
|
@ -1,8 +1,8 @@
|
|||
---
|
||||
title: Announcing Istio 1.1.13
|
||||
title: Istio 1.1.13 发布公告
|
||||
linktitle: 1.1.13
|
||||
subtitle: Patch Release
|
||||
description: Istio 1.1.13 patch release.
|
||||
subtitle: 补丁发布
|
||||
description: Istio 1.1.13 补丁发布公告。
|
||||
publishdate: 2019-08-13
|
||||
release: 1.1.13
|
||||
aliases:
|
||||
|
|
@ -12,23 +12,22 @@ aliases:
|
|||
- /zh/news/announcing-1.1.13
|
||||
---
|
||||
|
||||
We're pleased to announce the availability of Istio 1.1.13. Please see below for what's changed.
|
||||
我们很高兴地宣布 Istio 1.1.13 现在是可用的,详情请查看如下更改。
|
||||
|
||||
{{< relnote >}}
|
||||
|
||||
## Security update
|
||||
## 安全更新{#security-update}
|
||||
|
||||
This release contains fixes for the security vulnerabilities described in [ISTIO-SECURITY-2019-003](/zh/news/security/istio-security-2019-003/) and
|
||||
[ISTIO-SECURITY-2019-004](/zh/news/security/istio-security-2019-004/). Specifically:
|
||||
此版本包含了在 [ISTIO-SECURITY-2019-003](/zh/news/security/istio-security-2019-003/)] 和 [ISTIO-SECURITY-2019-004](/zh/news/security/istio-security-2019-004/) 中所阐述的安全漏洞程序的修复。特别是:
|
||||
|
||||
__ISTIO-SECURITY-2019-003__: An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions matching that crashes Envoy with very large URIs.
|
||||
* __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`.
|
||||
__ISTIO-SECURITY-2019-003__: 一位 Envoy 用户公开报告了一个正则表达式的匹配问题 (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)),该问题可使 Envoy 出现非常严重的 URI 崩溃。
|
||||
* __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: 经调查,Istio 小组发现,当用户正在使用 `Istio Api` 中一些像 `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding` 的正则表达式时,会被利用而发起 `Istio DoS` 攻击。
|
||||
|
||||
__ISTIO-SECURITY-2019-004__: Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks:
|
||||
* __[CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512)__: HTTP/2 flood using `PING` frames and queuing of response `PING` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
|
||||
* __[CVE-2019-9513](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513)__: HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
|
||||
* __[CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)__: HTTP/2 flood using `HEADERS` frames with invalid HTTP headers and queuing of response `RST_STREAM` frames that results in unbounded memory growth (which can lead to out of memory conditions).
|
||||
* __[CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)__: HTTP/2 flood using `SETTINGS` frames and queuing of `SETTINGS` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions).
|
||||
* __[CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)__: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients.
|
||||
__ISTIO-SECURITY-2019-004__: Envoy 和之后的 Istio 更容易受到一系列基于 HTTP/2 的 DoS 攻击:
|
||||
* __[CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512)__: 使用 `PING` 帧和响应 `PING` ACK 帧的 HTTP/2 流,会导致无限的内存增长(这可能导致内存不足的原因)。
|
||||
* __[CVE-2019-9513](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513)__: 使用 PRIORITY 帧的 HTTP/2 流会导致其他客户端的 CPU 使用率过低。
|
||||
* __[CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)__: 使用具有无效的 HTTP header 的 `HEADERS` 帧和 `RST_STREAM` 帧的 HTTP/2 流,会导致无限的内存增长(这可能导致内存不足的原因)。
|
||||
* __[CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)__: 使用 `SETTINGS` 帧和 `SETTINGS` ACK 帧的 HTTP/2 流,会导致无限的内存增长(这可能导致内存不足的原因)。
|
||||
* __[CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)__: 使用具有空负载帧的 HTTP/2 流会导致其他客户端的 CPU 使用率过低。
|
||||
|
||||
Nothing else is included in this release except for the above security fixes.
|
||||
除上述修复的程序之外,此版本中不包含其他任何内容。
|
||||
|
|
|
|||
Loading…
Reference in New Issue