Changes for 2024-06-04 releases (#15243)

* Changes for 2024-06-04 releases

* Apply suggestions from code review

Co-authored-by: Daniel Hawton <daniel@hawton.org>

---------

Co-authored-by: Daniel Hawton <daniel@hawton.org>
Jonh Wendell 2024-06-04 18:36:06 -04:00 committed by GitHub
parent 105f3976fc
commit 89e95a5328
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 136 additions and 2 deletions


@ -370,10 +370,17 @@ CVE-2024-23322
CVE-2024-23323
CVE-2024-23324
CVE-2024-23325
CVE-2024-23326
CVE-2024-23327
CVE-2024-27919
CVE-2024-30255
CVE-2024-32475
CVE-2024-32974
CVE-2024-32975
CVE-2024-32976
CVE-2024-34362
CVE-2024-34363
CVE-2024-34364
CVEs
cves
cvss
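Review bot: the seven entries this hunk adds to the spelling dictionary (CVE-2024-23326, CVE-2024-32974, CVE-2024-32975, CVE-2024-32976, CVE-2024-34362, CVE-2024-34363, CVE-2024-34364) match the `cves` list in the new bulletin's front matter exactly and keep the file's ascending order, so no change is needed here; keep that one-to-one parity in mind if the bulletin's CVE list is edited later, since a CVE identifier missing from this list will fail the spell check on the bulletin page.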
@ -627,6 +634,7 @@ ISTIO-SECURITY-2022-005
ISTIO-SECURITY-2023-001
ISTIO-SECURITY-2023-002
ISTIO-SECURITY-2023-003
ISTIO-SECURITY-2023-004
istio-system
istio.io
istio.io.
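Review bot: the identifier of the bulletin this commit adds, `ISTIO-SECURITY-2024-004`, is not among the visible lines of this hunk, which only shows `ISTIO-SECURITY-2023-001` through `ISTIO-SECURITY-2023-004` followed by `istio-system` and `istio.io`; the header says one line was added, so please confirm that added line is `ISTIO-SECURITY-2024-004` (placed directly after `ISTIO-SECURITY-2023-004`), otherwise the new bulletin page will be flagged by the spelling check the way the previous bulletins' identifiers would have been.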


@ -70,8 +70,9 @@ Please keep up-to-date and use a supported version.
| Minor Releases | Patched versions with no known CVEs |
|----------------|-------------------------------------|
| 1.21.x | 1.21.2+ |
| 1.20.x | 1.20.6+ |
| 1.22.x | 1.22.1+ |
| 1.21.x | 1.21.3+ |
| 1.20.x | 1.20.7+ |
## Supported Envoy Versions
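Review bot: the new `1.22.x | 1.22.1+` row and the bumps to `1.21.3+` and `1.20.7+` are consistent with the bulletin's `releases` list, which marks 1.22.0, 1.21.0 to 1.21.2 and 1.20.0 to 1.20.6 as affected, and with the three patch release notes in this commit. As rendered here the `## Supported Envoy Versions` heading follows the last table row directly; please confirm a blank line separates the table from the heading in the source so the Markdown table terminates before the heading.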


@ -0,0 +1,28 @@
---
title: Announcing Istio 1.20.7
linktitle: 1.20.7
subtitle: Patch Release
description: Istio 1.20.7 patch release.
publishdate: 2024-06-04
release: 1.20.7
---
This release implements the security updates described in our 4th of June post, [`ISTIO-SECURITY-2024-004`](/news/security/istio-security-2024-004) along with bug fixes to improve robustness.
This release note describes whats different between Istio 1.20.6 and 1.20.7.
{{< relnote >}}
## Changes
- **Fixed** building of EDS-typed cluster endpoints with domain address.
([Issue #50688](https://github.com/istio/istio/issues/50688))
- **Fixed** custom injection of the `istio-proxy` container not working properly when `SecurityContext.RunAs` fields were set.
- **Fixed** a regression in Istio 1.21.0 causing `VirtualService`s routing to `ExternalName` services to not work when
`ENABLE_EXTERNAL_NAME_ALIAS=false` was configured.
- **Fixed** a behavioral change in Istio 1.20 that caused merging of `ServiceEntries` with the same hostname and port names
to give unexpected results.
([Issue #50478](https://github.com/istio/istio/issues/50478))
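Review bot: the third entry, "**Fixed** a regression in Istio 1.21.0 causing `VirtualService`s routing to `ExternalName` services to not work when `ENABLE_EXTERNAL_NAME_ALIAS=false` was configured", cannot describe a regression on the 1.20 branch, since 1.21.0 postdates every 1.20.x release; either drop it from the 1.20.7 notes or reword it to describe the `ExternalName` routing fix as it applies to 1.20 without the "regression in Istio 1.21.0" attribution. Two smaller points in the intro line: "whats" should be "what's", and "our 4th of June post" reads more naturally as "our June 4th post".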


@ -0,0 +1,31 @@
---
title: Announcing Istio 1.21.3
linktitle: 1.21.3
subtitle: Patch Release
description: Istio 1.21.3 patch release.
publishdate: 2024-06-04
release: 1.21.3
---
This release implements the security updates described in our 4th of June post, [`ISTIO-SECURITY-2024-004`](/news/security/istio-security-2024-004) along with bug fixes to improve robustness.
This release note describes whats different between Istio 1.21.2 and 1.21.3.
{{< relnote >}}
## Changes
- **Fixed** building of EDS-typed cluster endpoints with domain address.
([Issue #50688](https://github.com/istio/istio/issues/50688))
- **Fixed** custom injection of the `istio-proxy` container not working properly when `SecurityContext.RunAs` fields were set.
- **Fixed** a regression in Istio 1.21.0 causing `VirtualService`s routing to `ExternalName` services to not work when
`ENABLE_EXTERNAL_NAME_ALIAS=false` was configured.
- **Fixed** list matching for the audience claims in JWT tokens.
([Issue #49913](https://github.com/istio/istio/issues/49913))
- **Fixed** a behavioral change in Istio 1.20 that caused merging of `ServiceEntries` with the same hostname and port names
to give unexpected results.
([Issue #50478](https://github.com/istio/istio/issues/50478))
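Review bot: the entry "**Fixed** list matching for the audience claims in JWT tokens" (issue #49913) is authorization-relevant in a security patch release and would benefit from one clause on the observable effect, i.e. whether tokens carrying a list-valued `aud` claim were being rejected or accepted incorrectly before the fix, so operators know whether to re-check their JWT policies after upgrading. The intro line has the same "whats" typo as the 1.20.7 note (should be "what's"), and "our 4th of June post" should read "our June 4th post".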


@ -0,0 +1,30 @@
---
title: Announcing Istio 1.22.1
linktitle: 1.22.1
subtitle: Patch Release
description: Istio 1.22.1 patch release.
publishdate: 2024-06-04
release: 1.22.1
---
This release implements the security updates described in our 4th of June post, [`ISTIO-SECURITY-2024-004`](/news/security/istio-security-2024-004) along with bug fixes to improve robustness.
This release note describes whats different between Istio 1.22.0 and 1.22.1.
{{< relnote >}}
## Changes
- **Added** a new, optional experimental admission policy that only allows stable features/fields to be used in Istio APIs when using a remote Istiod cluster.
([Issue #173](https://github.com/istio/enhancements/issues/173))
- **Fixed** adding of pod IPs to the host's `ipset` to explicitly fail instead of silently overwriting.
- **Fixed** an issue causing `outboundstatname` in MeshConfig to not be honored for subset clusters.
- **Fixed** custom injection of the `istio-proxy` container not working properly when `SecurityContext.RunAs` fields were set.
- **Fixed** returning 503 errors by auto-passthrough gateways created after enabling mTLS.
- **Fixed** `serviceRegistry` orders influence the proxy labels, so we put the Kubernetes registry in front.
([Issue #50968](https://github.com/istio/istio/issues/50968))
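Review bot: the last entry's grammar is broken: "**Fixed** `serviceRegistry` orders influence the proxy labels, so we put the Kubernetes registry in front." should read along the lines of "**Fixed** an issue where the order of `serviceRegistry` entries influenced the proxy labels; the Kubernetes registry is now placed first." The first entry would also be clearer if it said what "stable features/fields" means in practice (that fields marked experimental in the Istio APIs are rejected by the admission policy), since the linked enhancement issue #173 is the only explanation offered. Same "whats" typo and "4th of June" phrasing in the intro line as in the other two release notes.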


@ -0,0 +1,36 @@
---
title: ISTIO-SECURITY-2024-004
subtitle: Security Bulletin
description: CVEs reported by Envoy.
cves: [CVE-2024-32976, CVE-2024-32975, CVE-2024-32974, CVE-2024-34363, CVE-2024-34362, CVE-2024-23326, CVE-2024-34364]
cvss: "7.5"
vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
releases: ["All releases prior to 1.20.0", "1.20.0 to 1.20.6", "1.21.0 to 1.21.2", "1.22.0"]
publishdate: 2024-06-04
keywords: [CVE]
skip_seealso: true
---
{{< security_bulletin >}}
## CVE
### Envoy CVEs
- __[CVE-2024-23326](https://github.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c)__: (CVSS Score 5.9, Moderate): Incorrect handling of responses to HTTP/1 upgrade requests that can lead to request smuggling.
- __[CVE-2024-32974](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299)__: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
- __[CVE-2024-32975](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc)__: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
- __[CVE-2024-32976](https://github.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m)__: (CVSS Score 7.5, High): Vulnerability in `Brotli` decompressor that can lead to infinite loop.
- __[CVE-2024-34362](https://github.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv)__: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
- __[CVE-2024-34363](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4)__: (CVSS Score 7.5, High): Vulnerability in Envoy access log JSON formatter, that can lead to abnormal process termination.
- __[CVE-2024-34364](https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26)__: (CVSS Score 5.7, Moderate): Unbounded memory consumption in `ext_proc` and `ext_authz`.
## Am I Impacted?
If you are using JSON access log formatting in Istio 1.22, you are impacted, please upgrade as soon as possible. The request smuggling will also affect users of Websockets.
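Review bot: the "Am I Impacted?" section only covers the access log JSON formatter (CVE-2024-34363, which it ties to Istio 1.22) and the HTTP/1 upgrade request smuggling issue (CVE-2024-23326, referred to via "Websockets"), yet the `releases` front matter declares 1.20.0 to 1.20.6 and 1.21.0 to 1.21.2 affected as well, and the bullet list also carries the `Brotli` decompressor infinite loop (CVE-2024-32976, the other 7.5 that the front matter `cvss`/`vector` values describe), three QUIC stack crashes (CVE-2024-32974, CVE-2024-32975, CVE-2024-34362) and the `ext_proc`/`ext_authz` unbounded memory issue (CVE-2024-34364). Please state, per release line, which of these apply and under which configuration they are reachable (Brotli decompression enabled, QUIC/HTTP3 listeners, external processing or authorization filters in use), otherwise operators on 1.20 and 1.21 cannot tell from this section why their branch is listed. Minor: "Websockets" should be "WebSocket", and the `cves` list in the front matter is in a different order from the ascending bulleted list, so consider sorting both the same way.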