From 89e95a5328483a9b8e0321538bf5eaf593b38c94 Mon Sep 17 00:00:00 2001
From: Jonh Wendell
Date: Tue, 4 Jun 2024 18:36:06 -0400
Subject: [PATCH] Changes for 2024-06-04 releases (#15243)

* Changes for 2024-06-04 releases
* Apply suggestions from code review
Co-authored-by: Daniel Hawton
---------
Co-authored-by: Daniel Hawton
---
 .spelling | 8 +++++
 .../docs/releases/supported-releases/index.md | 5 +--
 .../1.20.x/announcing-1.20.7/index.md | 28 +++++++++++++++
 .../1.21.x/announcing-1.21.3/index.md | 31 ++++++++++++++++
 .../1.22.x/announcing-1.22.1/index.md | 30 ++++++++++++++++
 .../security/istio-security-2024-004/index.md | 36 +++++++++++++++++++
 6 files changed, 136 insertions(+), 2 deletions(-)
 create mode 100644 content/en/news/releases/1.20.x/announcing-1.20.7/index.md
 create mode 100644 content/en/news/releases/1.21.x/announcing-1.21.3/index.md
 create mode 100644 content/en/news/releases/1.22.x/announcing-1.22.1/index.md
 create mode 100644 content/en/news/security/istio-security-2024-004/index.md

diff --git a/.spelling b/.spelling
index 06e1a1b823..c11c9010e2 100644
--- a/.spelling
+++ b/.spelling
@@ -370,10 +370,17 @@ CVE-2024-23322
 CVE-2024-23323
 CVE-2024-23324
 CVE-2024-23325
+CVE-2024-23326
 CVE-2024-23327
 CVE-2024-27919
 CVE-2024-30255
 CVE-2024-32475
+CVE-2024-32974
+CVE-2024-32975
+CVE-2024-32976
+CVE-2024-34362
+CVE-2024-34363
+CVE-2024-34364
 CVEs
 cves
 cvss
@@ -627,6 +634,7 @@ ISTIO-SECURITY-2022-005
 ISTIO-SECURITY-2023-001
 ISTIO-SECURITY-2023-002
 ISTIO-SECURITY-2023-003
+ISTIO-SECURITY-2023-004
 istio-system
 istio.io
 istio.io.
diff --git a/content/en/docs/releases/supported-releases/index.md b/content/en/docs/releases/supported-releases/index.md
index 3ab5a13282..23e7fa903e 100644
--- a/content/en/docs/releases/supported-releases/index.md
+++ b/content/en/docs/releases/supported-releases/index.md
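Review bot: The second .spelling hunk adds `ISTIO-SECURITY-2023-004`, but the bulletin this commit creates is titled `ISTIO-SECURITY-2024-004` (content/en/news/security/istio-security-2024-004/index.md), so the dictionary entry does not match the identifier it is presumably meant to allow. The added line should read `+ISTIO-SECURITY-2024-004`; the run of `ISTIO-SECURITY-2023-00x` neighbours above it makes the wrong year easy to miss. If a 2023-004 bulletin also exists on the site, keep both entries rather than replacing this one.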
@@ -70,8 +70,9 @@ Please keep up-to-date and use a supported version.
 
 | Minor Releases | Patched versions with no known CVEs |
 |----------------|-------------------------------------|
-| 1.21.x | 1.21.2+ |
-| 1.20.x | 1.20.6+ |
+| 1.22.x | 1.22.1+ |
+| 1.21.x | 1.21.3+ |
+| 1.20.x | 1.20.7+ |
 
 ## Supported Envoy Versions
 
diff --git a/content/en/news/releases/1.20.x/announcing-1.20.7/index.md b/content/en/news/releases/1.20.x/announcing-1.20.7/index.md
new file mode 100644
index 0000000000..a9478ea8c2
--- /dev/null
+++ b/content/en/news/releases/1.20.x/announcing-1.20.7/index.md
@@ -0,0 +1,28 @@
+---
+title: Announcing Istio 1.20.7
+linktitle: 1.20.7
+subtitle: Patch Release
+description: Istio 1.20.7 patch release.
+publishdate: 2024-06-04
+release: 1.20.7
+---
+
+This release implements the security updates described in our 4th of June post, [`ISTIO-SECURITY-2024-004`](/news/security/istio-security-2024-004) along with bug fixes to improve robustness.
+
+This release note describes what’s different between Istio 1.20.6 and 1.20.7.
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** building of EDS-typed cluster endpoints with domain address.
+ ([Issue #50688](https://github.com/istio/istio/issues/50688))
+
+- **Fixed** custom injection of the `istio-proxy` container not working properly when `SecurityContext.RunAs` fields were set.
+
+- **Fixed** a regression in Istio 1.21.0 causing `VirtualService`s routing to `ExternalName` services to not work when
+ `ENABLE_EXTERNAL_NAME_ALIAS=false` was configured.
+
+- **Fixed** a behavioral change in Istio 1.20 that caused merging of `ServiceEntries` with the same hostname and port names
+ to give unexpected results.
+ ([Issue #50478](https://github.com/istio/istio/issues/50478))
diff --git a/content/en/news/releases/1.21.x/announcing-1.21.3/index.md b/content/en/news/releases/1.21.x/announcing-1.21.3/index.md
new file mode 100644
index 0000000000..6380811f73
--- /dev/null
+++ b/content/en/news/releases/1.21.x/announcing-1.21.3/index.md
@@ -0,0 +1,31 @@
+---
+title: Announcing Istio 1.21.3
+linktitle: 1.21.3
+subtitle: Patch Release
+description: Istio 1.21.3 patch release.
+publishdate: 2024-06-04
+release: 1.21.3
+---
+
+This release implements the security updates described in our 4th of June post, [`ISTIO-SECURITY-2024-004`](/news/security/istio-security-2024-004) along with bug fixes to improve robustness.
+
+This release note describes what’s different between Istio 1.21.2 and 1.21.3.
+
+{{< relnote >}}
+
+## Changes
+
+- **Fixed** building of EDS-typed cluster endpoints with domain address.
+ ([Issue #50688](https://github.com/istio/istio/issues/50688))
+
+- **Fixed** custom injection of the `istio-proxy` container not working properly when `SecurityContext.RunAs` fields were set.
+
+- **Fixed** a regression in Istio 1.21.0 causing `VirtualService`s routing to `ExternalName` services to not work when
+ `ENABLE_EXTERNAL_NAME_ALIAS=false` was configured.
+
+- **Fixed** list matching for the audience claims in JWT tokens.
+ ([Issue #49913](https://github.com/istio/istio/issues/49913))
+
+- **Fixed** a behavioral change in Istio 1.20 that caused merging of `ServiceEntries` with the same hostname and port names
+ to give unexpected results.
+ ([Issue #50478](https://github.com/istio/istio/issues/50478))
diff --git a/content/en/news/releases/1.22.x/announcing-1.22.1/index.md b/content/en/news/releases/1.22.x/announcing-1.22.1/index.md
new file mode 100644
index 0000000000..157d80de2c
--- /dev/null
+++ b/content/en/news/releases/1.22.x/announcing-1.22.1/index.md
@@ -0,0 +1,30 @@
+---
+title: Announcing Istio 1.22.1
+linktitle: 1.22.1
+subtitle: Patch Release
+description: Istio 1.22.1 patch release.
+publishdate: 2024-06-04
+release: 1.22.1
+---
+
+This release implements the security updates described in our 4th of June post, [`ISTIO-SECURITY-2024-004`](/news/security/istio-security-2024-004) along with bug fixes to improve robustness.
+
+This release note describes what’s different between Istio 1.22.0 and 1.22.1.
+
+{{< relnote >}}
+
+## Changes
+
+- **Added** a new, optional experimental admission policy that only allows stable features/fields to be used in Istio APIs when using a remote Istiod cluster.
+ ([Issue #173](https://github.com/istio/enhancements/issues/173))
+
+- **Fixed** adding of pod IPs to the host's `ipset` to explicitly fail instead of silently overwriting.
+
+- **Fixed** an issue causing `outboundstatname` in MeshConfig to not be honored for subset clusters.
+
+- **Fixed** custom injection of the `istio-proxy` container not working properly when `SecurityContext.RunAs` fields were set.
+
+- **Fixed** returning 503 errors by auto-passthrough gateways created after enabling mTLS.
+
+- **Fixed** `serviceRegistry` orders influence the proxy labels, so we put the Kubernetes registry in front.
+ ([Issue #50968](https://github.com/istio/istio/issues/50968))
diff --git a/content/en/news/security/istio-security-2024-004/index.md b/content/en/news/security/istio-security-2024-004/index.md
new file mode 100644
index 0000000000..a2b560c382
--- /dev/null
+++ b/content/en/news/security/istio-security-2024-004/index.md
@@ -0,0 +1,36 @@
+---
+title: ISTIO-SECURITY-2024-004
+subtitle: Security Bulletin
+description: CVEs reported by Envoy.
+cves: [CVE-2024-32976, CVE-2024-32975, CVE-2024-32974, CVE-2024-34363, CVE-2024-34362, CVE-2024-23326, CVE-2024-34364]
+cvss: "7.5"
+vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+releases: ["All releases prior to 1.20.0", "1.20.0 to 1.20.6", "1.21.0 to 1.21.2", "1.22.0"]
+publishdate: 2024-06-04
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVEs
+
+- __[CVE-2024-23326](https://github.com/envoyproxy/envoy/security/advisories/GHSA-vcf8-7238-v74c)__: (CVSS Score 5.9, Moderate): Incorrect handling of responses to HTTP/1 upgrade requests that can lead to request smuggling.
+
+- __[CVE-2024-32974](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mgxp-7hhp-8299)__: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
+
+- __[CVE-2024-32975](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9mq-6v96-cpqc)__: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
+
+- __[CVE-2024-32976](https://github.com/envoyproxy/envoy/security/advisories/GHSA-7wp5-c2vq-4f8m)__: (CVSS Score 7.5, High): Vulnerability in `Brotli` decompressor that can lead to infinite loop.
+
+- __[CVE-2024-34362](https://github.com/envoyproxy/envoy/security/advisories/GHSA-hww5-43gv-35jv)__: (CVSS Score 5.9, Moderate): Vulnerability in QUIC stack that can lead to abnormal process termination.
+
+- __[CVE-2024-34363](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g979-ph9j-5gg4)__: (CVSS Score 7.5, High): Vulnerability in Envoy access log JSON formatter, that can lead to abnormal process termination.
+
+- __[CVE-2024-34364](https://github.com/envoyproxy/envoy/security/advisories/GHSA-xcj3-h7vf-fw26)__: (CVSS Score 5.7, Moderate): Unbounded memory consumption in `ext_proc` and `ext_authz`.
+
+## Am I Impacted?
+
+If you are using JSON access log formatting in Istio 1.22, you are impacted, please upgrade as soon as possible. The request smuggling will also affect users of Websockets.
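Review bot: The "Am I Impacted?" paragraph at the end of the hunk only tells readers about two of the seven CVEs listed above it (the JSON access-log formatter and the HTTP/1 upgrade smuggling), while the `releases` front matter marks every 1.20.x, 1.21.x and 1.22.0 release as affected. A reader on 1.20 or 1.21 who does not use JSON access logs or WebSockets is left without any way to judge exposure, and nothing in the section mentions the QUIC, `Brotli` decompressor or `ext_proc`/`ext_authz` conditions that the bulleted list itself names; the Brotli entry is also one of the two High-rated CVEs presumably behind the 7.5 headline score. Suggest one sentence per remaining component, e.g. `Users with HTTP/3 (QUIC) listeners, Brotli decompression, or the ext_proc/ext_authz filters enabled are also affected on all listed releases and should upgrade.` It would also help to say explicitly that the JSON access-log condition is limited to 1.22, since that is how the sentence currently reads but the releases list does not say so.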