From 7d6a03a1f94a16ed3e681c97140dc9202158db15 Mon Sep 17 00:00:00 2001 From: 2BFL Date: Thu, 2 Jan 2020 09:46:22 +0800 Subject: [PATCH] zh-translation: /news/releases/1.1.x/announcing-1.1.13/index.md #1543 (#6269) --- .../releases/1.1.x/announcing-1.1.13/index.md | 31 +++++++++---------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/content/zh/news/releases/1.1.x/announcing-1.1.13/index.md b/content/zh/news/releases/1.1.x/announcing-1.1.13/index.md index f6ad514910..7c421c1c73 100644 --- a/content/zh/news/releases/1.1.x/announcing-1.1.13/index.md +++ b/content/zh/news/releases/1.1.x/announcing-1.1.13/index.md @@ -1,8 +1,8 @@ --- -title: Announcing Istio 1.1.13 +title: Istio 1.1.13 发布公告 linktitle: 1.1.13 -subtitle: Patch Release -description: Istio 1.1.13 patch release. +subtitle: 补丁发布 +description: Istio 1.1.13 补丁发布公告。 publishdate: 2019-08-13 release: 1.1.13 aliases: 
@@ -12,23 +12,22 @@ aliases: - /zh/news/announcing-1.1.13 --- -We're pleased to announce the availability of Istio 1.1.13. Please see below for what's changed. +我们很高兴地宣布 Istio 1.1.13 现在是可用的,详情请查看如下更改。 {{< relnote >}} -## Security update +## 安全更新{#security-update} -This release contains fixes for the security vulnerabilities described in [ISTIO-SECURITY-2019-003](/zh/news/security/istio-security-2019-003/) and -[ISTIO-SECURITY-2019-004](/zh/news/security/istio-security-2019-004/). Specifically: +此版本包含了在 [ISTIO-SECURITY-2019-003](/zh/news/security/istio-security-2019-003/)] 和 [ISTIO-SECURITY-2019-004](/zh/news/security/istio-security-2019-004/) 中所阐述的安全漏洞程序的修复。特别是: -__ISTIO-SECURITY-2019-003__: An Envoy user reported publicly an issue (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)) about regular expressions matching that crashes Envoy with very large URIs. - * __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio, if users are employing regular expressions in some of the Istio APIs: `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding`. +__ISTIO-SECURITY-2019-003__: 一位 Envoy 用户公开报告了一个正则表达式的匹配问题 (c.f. [Envoy Issue 7728](https://github.com/envoyproxy/envoy/issues/7728)),该问题可使 Envoy 出现非常严重的 URI 崩溃。 + * __[CVE-2019-14993](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14993)__: 经调查,Istio 小组发现,当用户正在使用 `Istio Api` 中一些像 `JWT`, `VirtualService`, `HTTPAPISpecBinding`, `QuotaSpecBinding` 的正则表达式时,会被利用而发起 `Istio DoS` 攻击。 -__ISTIO-SECURITY-2019-004__: Envoy, and subsequently Istio are vulnerable to a series of trivial HTTP/2-based DoS attacks: - * __[CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512)__: HTTP/2 flood using `PING` frames and queuing of response `PING` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions). 
- * __[CVE-2019-9513](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513)__: HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients. - * __[CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)__: HTTP/2 flood using `HEADERS` frames with invalid HTTP headers and queuing of response `RST_STREAM` frames that results in unbounded memory growth (which can lead to out of memory conditions). - * __[CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)__: HTTP/2 flood using `SETTINGS` frames and queuing of `SETTINGS` ACK frames that results in unbounded memory growth (which can lead to out of memory conditions). - * __[CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)__: HTTP/2 flood using frames with an empty payload that results in excessive CPU usage and starvation of other clients. +__ISTIO-SECURITY-2019-004__: Envoy 和之后的 Istio 更容易受到一系列基于 HTTP/2 的 DoS 攻击: + * __[CVE-2019-9512](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512)__: 使用 `PING` 帧和响应 `PING` ACK 帧的 HTTP/2 流,会导致无限的内存增长(这可能导致内存不足的原因)。 + * __[CVE-2019-9513](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513)__: 使用 PRIORITY 帧的 HTTP/2 流会导致其他客户端的 CPU 使用率过低。 + * __[CVE-2019-9514](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514)__: 使用具有无效的 HTTP header 的 `HEADERS` 帧和 `RST_STREAM` 帧的 HTTP/2 流,会导致无限的内存增长(这可能导致内存不足的原因)。 + * __[CVE-2019-9515](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)__: 使用 `SETTINGS` 帧和 `SETTINGS` ACK 帧的 HTTP/2 流,会导致无限的内存增长(这可能导致内存不足的原因)。 + * __[CVE-2019-9518](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518)__: 使用具有空负载帧的 HTTP/2 流会导致其他客户端的 CPU 使用率过低。 -Nothing else is included in this release except for the above security fixes. +除上述修复的程序之外,此版本中不包含其他任何内容。
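Review bot: in the first hunk the new `description:` line adds 公告 (announcement), which the English source `description: Istio 1.1.13 patch release.` does not say; for consistency with the neighbouring `subtitle: 补丁发布`, suggest `description: Istio 1.1.13 补丁发布。` The remaining front-matter changes (`title`, `subtitle`) read correctly against the removed lines.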
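Review bot: the CVE-2019-9513 and CVE-2019-9518 bullets in the second hunk invert the source meaning: `CPU 使用率过低` says CPU usage is too low, while the removed lines read "excessive CPU usage and starvation of other clients", so both should say something like 导致 CPU 使用率过高并使其他客户端饥饿. Several other lines in this hunk drift from the English in ways that matter for a security notice: "HTTP/2 flood" is rendered as `HTTP/2 流` (stream) throughout the CVE list where 洪泛攻击 is meant; `非常严重的 URI 崩溃` turns "crashes Envoy with very large URIs" into a "very severe URI crash" rather than 非常大的 URI 导致 Envoy 崩溃; `Envoy 和之后的 Istio 更容易受到` adds a comparative 更 and loses "and subsequently Istio" (Envoy 以及因此 Istio 易受...); and the CVE-2019-9514 bullet drops "queuing of response `RST_STREAM` frames". Two formatting points as well: the link `[ISTIO-SECURITY-2019-003](/zh/news/security/istio-security-2019-003/)]` has a stray trailing `]` that will render literally, and `Istio Api` / `Istio DoS` are wrapped in backticks although the source uses plain "Istio APIs" and "DoS attack in Istio", so they should not be formatted as code identifiers. Minor: (这可能导致内存不足的原因) is awkward for "which can lead to out of memory conditions"; 可能导致内存耗尽 is closer.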