manual cherrypick of 13993 (#14105)

content/en/news/releases/1.17.x/announcing-1.17.8/index.md

@@ -0,0 +1,19 @@
+---
+title: Announcing Istio 1.17.8
+linktitle: 1.17.8
+subtitle: Patch Release
+description: Istio 1.17.8 patch release.
+publishdate: 2023-10-11
+release: 1.17.8
+---
+
+This release fixes the security vulnerabilities described in our Oct 11th post, [`ISTIO-SECURITY-2023-004`](/news/security/istio-security-2023-004).
+
+This release note describes what’s different between Istio 1.17.6 and 1.17.8. Please note that this release supersedes the unpublished 1.17.7 release. 1.17.7 was only published internally and has been skipped so that additional security fixes could be included in this release.
+
+{{< relnote >}}
+
+## Security updates
+
+- __[`CVE-2023-44487`](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)__: (CVSS Score 7.5, High): HTTP/2 denial of service
+- __[`CVE-2023-39325`](https://github.com/golang/go/issues/63417)__: (CVSS Score 7.5, High): HTTP/2 denial of service

content/en/news/releases/1.18.x/announcing-1.18.5/index.md

@@ -0,0 +1,19 @@
+---
+title: Announcing Istio 1.18.5
+linktitle: 1.18.5
+subtitle: Patch Release
+description: Istio 1.18.5 patch release.
+publishdate: 2023-10-11
+release: 1.18.5
+---
+
+This release fixes the security vulnerabilities described in our Oct 11th post, [`ISTIO-SECURITY-2023-004`](/news/security/istio-security-2023-004).
+
+This release note describes what’s different between Istio 1.18.3 and 1.18.5. Please note that this release supersedes the unpublished 1.18.4 release. 1.18.4 was only published internally and has been skipped so that additional security fixes could be included in this release.
+
+{{< relnote >}}
+
+## Security updates
+
+- __[`CVE-2023-44487`](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)__: (CVSS Score 7.5, High): HTTP/2 denial of service
+- __[`CVE-2023-39325`](https://github.com/golang/go/issues/63417)__: (CVSS Score 7.5, High): HTTP/2 denial of service

content/en/news/releases/1.19.x/announcing-1.19.3/index.md

@@ -0,0 +1,19 @@
+---
+title: Announcing Istio 1.19.3
+linktitle: 1.19.3
+subtitle: Patch Release
+description: Istio 1.19.3 patch release.
+publishdate: 2023-10-11
+release: 1.19.3
+---
+
+This release fixes the security vulnerabilities described in our Oct 11th post, [`ISTIO-SECURITY-2023-004`](/news/security/istio-security-2023-004).
+
+This release note describes what’s different between Istio 1.19.1 and 1.19.3. Please note that this release supersedes the unpublished 1.19.2 release. 1.19.2 was only published internally and has been skipped so that additional security fixes could be included in this release.
+
+{{< relnote >}}
+
+## Security updates
+
+- __[`CVE-2023-44487`](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)__: (CVSS Score 7.5, High): HTTP/2 denial of service
+- __[`CVE-2023-39325`](https://github.com/golang/go/issues/63417)__: (CVSS Score 7.5, High): HTTP/2 denial of service

content/en/news/security/istio-security-2023-004/index.md

@@ -0,0 +1,28 @@
+---
+title: ISTIO-SECURITY-2023-004
+subtitle: Security Bulletin
+description: CVEs reported by Envoy and Go.
+cves: [CVE-2023-44487, CVE-2023-39325]
+cvss: "7.5"
+vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+releases: ["All releases prior to 1.17.0", "1.17.0 to 1.17.6", "1.18.0 to 1.18.3", "1.19.0 to 1.19.1"]
+publishdate: 2023-10-11
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVE
+
+- __[`CVE-2023-44487`](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)__: (CVSS Score 7.5, High): HTTP/2 denial of service
+
+### Go CVE
+
+- __[`CVE-2023-39325`](https://github.com/golang/go/issues/63417)__: (CVSS Score 7.5, High): HTTP/2 denial of service
+
+## Am I Impacted?
+
+You are impacted If you accept HTTP/2 traffic from untrusted sources, which applies to most users. This especially applies if you use a Gateway exposed on the public internet.