zh-translation: sync some missing content (#6619)

2020-03-02 17:27:16 +08:00 · 2020-03-02 17:27:16 +08:00 · 8de008aa7a
parent 1f0d2caf0e
commit 8de008aa7a
8 changed files with 72 additions and 72 deletions
--- a/content/zh/news/releases/1.3.x/announcing-1.3.7/index.md
+++ b/content/zh/news/releases/1.3.x/announcing-1.3.7/index.md
@ -31,4 +31,4 @@ aliases:

 * [**ISTIO-SECURITY-2020-002**](/zh/news/security/istio-security-2020-002) 由于不正确地接受某些请求 header，导致可绕过 Mixer 策略检查。

-__[CVE-2020-8843](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8843)__：在某些情况下，可以绕过专门配置的 Mixer 策略。Istio-proxy 在 ingress 处接受 `x-istio-attributes` header，当 Mixer 策略有选择地应用至 source 时，等价于应用至 ingress，其可能会影响策略决策。 Istio 1.3 到 1.3.6 容易受到攻击。
+__[CVE-2020-8843](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8843)__：在某些情况下，可以绕过特定配置的 Mixer 策略。Istio-proxy 在 ingress 处接受 `x-istio-attributes` header，当 Mixer 策略有选择地应用至 source 时，等价于应用至 ingress，其可能会影响策略决策。 Istio 1.3 到 1.3.6 容易受到攻击。
--- a/content/zh/news/releases/1.3.x/announcing-1.3.8/index.md
+++ b/content/zh/news/releases/1.3.x/announcing-1.3.8/index.md
@ -1,20 +1,20 @@
 ---
-title: Announcing Istio 1.3.8
+title: Istio 1.3.8 发布公告
 linktitle: 1.3.8
-subtitle: Patch Release
-description: Istio 1.3.8 patch release.
+subtitle: 补丁发布
+description: Istio 1.3.8 补丁发布。
 publishdate: 2020-02-11
 release: 1.3.8
 aliases:
    - /zh/news/announcing-1.3.8
 ---

-This release contains a fix for the security vulnerability described in [our February 11th, 2020 news post](/zh/news/security/istio-security-2020-001). This release note describes what's different between Istio 1.3.7 and Istio 1.3.8.
+此版本包含了 [我们在 2020 年 2 月 11 日的新闻](/zh/news/security/istio-security-2020-001) 中描述的安全漏洞的修复程序。此发行说明描述了 Istio 1.3.7 和 Istio 1.3.8 之间的区别。

 {{< relnote >}}

-## Security update
+## 安全更新{#security-update}

- **ISTIO-SECURITY-2020-001** Improper input validation have been discovered in `AuthenticationPolicy`.
+- **ISTIO-SECURITY-2020-001** 在 `AuthenticationPolicy` 中发现了错误的输入验证。

-__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's [Authentication Policy](/zh/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) exact path matching logic allows unauthorized access to resources without a valid JWT token.
+__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__：Istio 的[认证策略](/zh/docs/reference/config/security/istio.authentication.v1alpha1/#Policy)精确路径匹配逻辑中的一个 bug，允许在没有效的 JWT 令牌、未经授权的情况下访问资源。
--- a/content/zh/news/releases/1.4.x/announcing-1.4.4/index.md
+++ b/content/zh/news/releases/1.4.x/announcing-1.4.4/index.md
@ -1,35 +1,35 @@
 ---
-title: Announcing Istio 1.4.4
+title: Istio 1.4.4 发布公告
 linktitle: 1.4.4
-subtitle: Patch Release
-description: Istio 1.4.4 patch release.
+subtitle: 补丁发布
+description: Istio 1.4.4 补丁发布。
 publishdate: 2020-02-11
 release: 1.4.4
 aliases:
    - /zh/news/announcing-1.4.4
 ---

-This release includes bug fixes to improve robustness and user experience as well as a fix for the security vulnerability described in [our February 11th, 2020 news post](/zh/news/security/istio-security-2020-001). This release note describes what’s different between Istio 1.4.3 and Istio 1.4.4.
+此版本包含一些错误修复程序，以改善健壮性和用户体验，并修复了[我们在 2020 年 2 月 11 日新闻](/zh/news/security/istio-security-2020-001)中描述的安全漏洞。[我们在 2020 年 2 月 11 日新闻](/zh/news/security/istio-security-2020-001) 中描述的安全漏洞的修复程序。此发行说明描述了 Istio 1.4.3 和 Istio 1.3.4 之间的区别。

 {{< relnote >}}

-## Security update
+## 安全更新{#security-update}

- **ISTIO-SECURITY-2020-001** An improper input validation has been discovered in `AuthenticationPolicy`.
+- **ISTIO-SECURITY-2020-001** 在 `AuthenticationPolicy` 中发现了错误的输入验证。

-__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's [Authentication Policy](/zh/docs/reference/config/security/istio.authentication.v1alpha1/#Policy) exact path matching logic allows unauthorized access to resources without a valid JWT token.
+__[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__：Istio 的[认证策略](/zh/docs/reference/config/security/istio.authentication.v1alpha1/#Policy)精确路径匹配逻辑中的一个 bug，允许在没有效的 JWT 令牌、未经授权的情况下访问资源。

-## Bug fixes
+## Bug 修复{#bug-fixes}

- **Fixed** Debian packaging of `iptables` scripts ([Issue 19615](https://github.com/istio/istio/issues/19615)).
- **Fixed** an issue where Pilot generated a wrong Envoy configuration when the same port was used more than once ([Issue 19935](https://github.com/istio/istio/issues/19935)).
- **Fixed** an issue where running multiple instances of Pilot could lead to a crash ([Issue 20047](https://github.com/istio/istio/issues/20047)).
- **Fixed** a potential flood of configuration pushes from Pilot to Envoy when scaling the deployment to zero ([Issue 17957](https://github.com/istio/istio/issues/17957)).
- **Fixed** an issue where Mixer could not fetch the correct information from the request/response when pod contains a dot in its name  ([Issue 20028](https://github.com/istio/istio/issues/20028)).
- **Fixed** an issue where Pilot sometimes would not send a correct pod configuration to Envoy ([Issue 19025](https://github.com/istio/istio/issues/19025)).
- **Fixed** an issue where sidecar injector with SDS enabled was overwriting pod `securityContext` section, instead of just patching it ([Issue 20409](https://github.com/istio/istio/issues/20409)).
+- **修复** Debian `iptables` 脚本的包（[Issue 19615](https://github.com/istio/istio/issues/19615)）。
+- **修复** 当多次使用同一端口时 Pilot 会生成错误的 Envoy 配置的问题（[Issue 19935](https://github.com/istio/istio/issues/19935)）。
+- **修复** 运行多个 Pilot 实例可能导致崩溃的问题（[Issue 20047](https://github.com/istio/istio/issues/20047)）。
+- **修复** 将部署规模收缩为 0 时，一个潜在的从 Pilot 到 Envoy 配置推送洪流的问题（[Issue 17957](https://github.com/istio/istio/issues/17957)）。
+- **修复** 当 pod 名称中包含点 `.` 时，Mixer 无法从 request/response 中获取正确信息的问题（[Issue 20028](https://github.com/istio/istio/issues/20028)）。
+- **修复** Pilot 有时候不能正确的将 pod 配置发送至 Envoy 的问题（[Issue 19025](https://github.com/istio/istio/issues/19025)）。
+- **修复** 启用了 SDS 的 Sidecar 注入器，会覆盖 pod 的 `securityContext` 部分，而不是仅对其进行修补的问题（[Issue 20409](https://github.com/istio/istio/issues/20409)）。

-## Improvements
+## 改进{#improvements}

- **Improved** Better compatibility with Google CA. (Issues [20530](https://github.com/istio/istio/issues/20530), [20560](https://github.com/istio/istio/issues/20560)).
- **Improved** Added analyzer error message when Policies using JWT are not configured properly (Issues [20884](https://github.com/istio/istio/issues/20884), [20767](https://github.com/istio/istio/issues/20767)).
+- **改进** 与 Google CA 有了更好的兼容性。（Issues [20530](https://github.com/istio/istio/issues/20530), [20560](https://github.com/istio/istio/issues/20560)）。
+- **改进** 当没有正确配置使用 JWT 的策略时，添加了分析器错误消息（Issues [20884](https://github.com/istio/istio/issues/20884), [20767](https://github.com/istio/istio/issues/20767)）。
--- a/content/zh/news/releases/1.4.x/announcing-1.4.5/index.md
+++ b/content/zh/news/releases/1.4.x/announcing-1.4.5/index.md
@ -1,22 +1,22 @@
 ---
-title: Announcing Istio 1.4.5
+title: Istio 1.4.5 发布公告
 linktitle: 1.4.5
-subtitle: Patch Release
-description: Istio 1.4.5 patch release.
+subtitle: 补丁发布
+description: Istio 1.4.5 补丁发布。
 publishdate: 2020-02-18
 release: 1.4.5
 aliases:
    - /zh/news/announcing-1.4.5
 ---

-This release includes bug fixes to improve robustness. This release note describes what’s different between Istio 1.4.4 and Istio 1.4.5.
+此版本包含一些 bug 修复程序，可提高稳定性。此发行说明描述了 Istio 1.4.4 和 Istio 1.4.5 之间的区别。

-The fixes below focus on various bugs occurring during node restarts. If you use Istio CNI, or have nodes that restart, you are highly encouraged to upgrade.
+以下修复程序着重于节点重新启动期间发生的各种错误。如果您在使用 Istio CNI，或重启节点，则强烈建议您进行升级。

 {{< relnote >}}

-## Improvements
+## 改进{#improvements}

- **Fixed** a bug triggered by node restart causing Pods to receive incorrect configuration ([Issue 20676](https://github.com/istio/istio/issues/20676)).
- **Improved** [Istio CNI](/zh/docs/setup/additional-setup/cni/) robustness. Previously, when a node restarted, new pods may be created before the CNI was setup, causing pods to be created without `iptables` rules configured ([Issue 14327](https://github.com/istio/istio/issues/14327)).
- **Fixed** MCP metrics to include the size of the MCP responses, rather than just requests ([Issue 21049](https://github.com/istio/istio/issues/21049)).
+- **修复** 节点重启触发的 bug，该 bug 会导致 Pod 接收到错误的配置（[Issue 20676](https://github.com/istio/istio/issues/20676)）。
+- **改进** [Istio CNI](/zh/docs/setup/additional-setup/cni/) 的健壮性。以前，当节点重新启动时，可能会在安装 CNI 之前就创建新的 Pod，从而导致在没有配置 `iptables` 规则的情况下创建 Pod（[Issue 14327](https://github.com/istio/istio/issues/14327)）。
+- **修复** MCP 指标，现在会包含 MCP 响应的大小，而不只是包含请求（[Issue 21049](https://github.com/istio/istio/issues/21049)）。
--- a/content/zh/news/security/istio-security-2019-007/index.md
+++ b/content/zh/news/security/istio-security-2019-007/index.md
@ -1,7 +1,7 @@
 ---
 title: ISTIO-SECURITY-2019-007
-subtitle: Security Bulletin
-description: Heap overflow and improper input validation in Envoy.
+subtitle: 安全公告
+description: Envoy 中的堆溢出及错误的输入验证。
 cves: [CVE-2019-18801,CVE-2019-18802]
 cvss: "9.0"
 vector: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
@ -13,20 +13,20 @@ skip_seealso: true

 {{< security_bulletin >}}

-Envoy, and subsequently Istio are vulnerable to two newly discovered vulnerabilities:
+Envoy 及 Istio 容易受到基于两个新发现的漏洞的攻击:

-* __[CVE-2019-18801](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801)__: This vulnerability affects Envoy’s HTTP/1 codec in its way it processes downstream's requests with large HTTP/2 headers. A successful exploitation of this vulnerability could lead to a denial of Service, escalation of privileges, or information disclosure.
+* __[CVE-2019-18801](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18801)__：此漏洞以处理带有大量 HTTP/2 header 下游请求的方式影响 Envoy 的 HTTP/1 编解码器。利用此漏洞可能会导致拒绝服务、特权升级或信息泄露。

-* __[CVE-2019-18802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802)__: HTTP/1 codec incorrectly fails to trim whitespace after header values. This could allow an attacker to bypass Istio's policy either for information disclosure or escalation of privileges.
+* __[CVE-2019-18802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18802)__：HTTP/1 编解码器未能正确修剪 header 值的尾缀空格。这可能使攻击者可以绕开 Istio 的策略，导致特权升级或信息泄露。

-## Impact and detection
+## 影响范围{#impact-and-detection}

-Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the affected releases where downstream's requests are HTTP/2 while upstream's are HTTP/1, then your cluster is vulnerable.  We expect this to be true of most clusters.
+Istio gateway 和 sidecar 都容易受到此问题的影响。如果您正在运行受影响的发行版之一，其中下游的请求为 HTTP/2，而上游的请求为 HTTP/1，则您的群集很容易受到攻击。我们估计很多集群都是这样。

-## Mitigation
+## 防范{#mitigation}

-* For Istio 1.2.x deployments: update to a [Istio 1.2.10](/zh/news/releases/1.2.x/announcing-1.2.10) or later.
-* For Istio 1.3.x deployments: update to a [Istio 1.3.6](/zh/news/releases/1.3.x/announcing-1.3.6) or later.
-* For Istio 1.4.x deployments: update to a [Istio 1.4.2](/zh/news/releases/1.4.x/announcing-1.4.2) or later.
+* 对于 Istio 1.2.x 部署: 请升级至 [Istio 1.2.10](/zh/news/releases/1.2.x/announcing-1.2.10) 或更高的版本。
+* 对于 Istio 1.3.x 部署: 请升级至 [Istio 1.3.6](/zh/news/releases/1.3.x/announcing-1.3.6) 或更高的版本。
+* 对于 Istio 1.4.x 部署: 请升级至 [Istio 1.4.2](/zh/news/releases/1.4.x/announcing-1.4.2) 或更高的版本。

 {{< boilerplate "security-vulnerability" >}}
--- a/content/zh/news/security/istio-security-2020-001/index.md
+++ b/content/zh/news/security/istio-security-2020-001/index.md
@ -1,7 +1,7 @@
 ---
 title: ISTIO-SECURITY-2020-001
-subtitle: Security Bulletin
-description: Authentication Policy bypass.
+subtitle: 安全公告
+description: 绕过身份认证策略。
 cves: [CVE-2020-8595]
 cvss: "9.0"
 vector: "AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"
@ -13,17 +13,17 @@ skip_seealso: true

 {{< security_bulletin >}}

-Istio 1.3 to 1.3.7 and 1.4 to 1.4.3 are vulnerable to a newly discovered vulnerability affecting [Authentication Policy](/zh/docs/reference/config/security/istio.authentication.v1alpha1/#Policy):
+Istio 1.3 到 1.3.7 以及 1.4 到 1.4.3 容易受到一个新发现漏洞的攻击，其会影响[认证策略](/zh/docs/reference/config/security/istio.authentication.v1alpha1/#Policy)：

-* __[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__: A bug in Istio's Authentication Policy exact path matching logic allows unauthorized access to resources without a valid JWT token. This bug affects all versions of Istio that support JWT Authentication Policy with path based trigger rules. The logic for the exact path match in the Istio JWT filter includes query strings or fragments instead of stripping them off before matching. This means attackers can bypass the JWT validation by appending `?` or `#` characters after the protected paths.
+* __[CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595)__：Istio 身份认证策略精确路径匹配逻辑中的一个 bug，允许在没有有效 JWT 令牌的情况下，对资源进行未经授权的访问。此 bug 会影响所有支持基于路径触发规则的 JWT 身份验证策略的 Istio 版本。Istio JWT 过滤器中用于精确路径匹配的逻辑包括查询字符串或片段，而不是在匹配之前将其剥离。这意味着攻击者可以通过在受保护的路径之后添加 `？` 或 `##` 字符来绕过 JWT 验证。

-## Mitigation
+## 防范{#mitigation}

-* For Istio 1.3.x deployments: update to [Istio 1.3.8](/zh/news/releases/1.3.x/announcing-1.3.8) or later.
-* For Istio 1.4.x deployments: update to [Istio 1.4.4](/zh/news/releases/1.4.x/announcing-1.4.4) or later.
+* 对于 Istio 1.3.x 部署: 请升级至 [Istio 1.3.8](/zh/news/releases/1.3.x/announcing-1.3.8) 或更高的版本。
+* 对于 Istio 1.4.x 部署: 请升级至 [Istio 1.4.4](/zh/news/releases/1.4.x/announcing-1.4.4) 或更高的版本。

-## Credit
+## 鸣谢{#credit}

-The Istio team would like to thank [Aspen Mesh](https://aspenmesh.com/2H8qf3r) for the original bug report and code fix of [CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595).
+Istio 团队在此对 [Aspen Mesh](https://aspenmesh.com/2H8qf3r) 的原始错误报告和 [CVE-2020-8595](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8595) 的修复代码表示感谢。

 {{< boilerplate "security-vulnerability" >}}
--- a/content/zh/news/security/istio-security-2020-002/index.md
+++ b/content/zh/news/security/istio-security-2020-002/index.md
@ -1,7 +1,7 @@
 ---
 title: ISTIO-SECURITY-2020-002
-subtitle: Security Bulletin
-description: Mixer policy check bypass caused by improperly accepting certain request headers.
+subtitle: 安全公告
+description: 由于不正确地接受某些请求 header 导致 Mixer 策略检查被绕过。
 cves: [CVE-2020-8843]
 cvss: "7.4"
 vector: "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
@ -13,20 +13,19 @@ skip_seealso: true

 {{< security_bulletin >}}

-Istio 1.3 to 1.3.6 contain a vulnerability affecting Mixer policy checks.
+Istio 1.3 到 1.3.6 包含了影响 Mixer 策略检查的漏洞。

-Note: We regret that the vulnerability was silently fixed in Istio 1.4.0 and Istio 1.3.7.
-An [issue was raised](https://github.com/istio/istio/issues/12063) and [fixed](https://github.com/istio/istio/pull/17692) in Istio 1.4.0 as a non-security issue. We reclassified the issue as a vulnerability in Dec 2019.
+注意：我们在 Istio 1.4.0 以及 Istio 1.3.7 中默认地修复了该漏洞。
+Istio 1.4.0 中的一个 [问题](https://github.com/istio/istio/issues/12063) 及其 [修复](https://github.com/istio/istio/pull/17692) 是一个非安全性问题。我们在 2019 年 12 月将该问题重新分类为漏洞。
+__[CVE-2020-8843](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8843)__：在某些情况下，可以绕过特定配置的 Mixer 策略。Istio-proxy 在 ingress 处接受 `x-istio-attributes` header，当 Mixer 策略有选择地应用至 source 时，等价于应用至 ingress，其可能会影响策略决策。
+为了避免这种情况，Istio 必须启用并以指定方式使用 Mixer 策略。在 Istio 1.3 和 1.4 中，默认情况下未启用此功能。

-* __[CVE-2020-8843](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8843)__: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts `x-istio-attributes` header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress.
-To be vulnerable, Istio must have Mixer Policy enabled and used in the specified way. This feature is disabled by default in Istio 1.3 and 1.4.
+## 防范{#mitigation}

-## Mitigation
+* 对于 Istio 1.3.x 部署: 请升级至 [Istio 1.3.7](/zh/news/releases/1.3.x/announcing-1.3.7) 或更高的版本。

-* For Istio 1.3.x deployments: update to [Istio 1.3.7](/zh/news/releases/1.3.x/announcing-1.3.7) or later.
+## 鸣谢{#credit}

-## Credit
-
-The Istio team would like to thank Krishnan Anantheswaran and Eric Zhang of [Splunk](https://www.splunk.com/) for the private bug report.
+Istio 团队在此对 [Splunk](https://www.splunk.com/) 的 Krishnan Anantheswaran 和 Eric Zhang 提供的私人 bug 报告表示感谢。

 {{< boilerplate "security-vulnerability" >}}
--- a/content/zh/news/support/announcing-1.3-eol-final/index.md
+++ b/content/zh/news/support/announcing-1.3-eol-final/index.md
@ -1,10 +1,11 @@
 ---
-title: Support for Istio 1.3 has ended
-subtitle: Support Announcement
-description: Istio 1.3 end of life announcement.
+title: 对 Istio 1.3 的支持已终止
+subtitle: 版本维护公告
+description: Istio 1.3 生命周期终止公告。
 publishdate: 2020-02-14
 ---

-As [previously announced](/zh/news/support/announcing-1.3-eol/), support for Istio 1.3 has now officially ended.
+如 [先前宣布](/zh/news/support/announcing-1.3-eol/) 的一样, 对 Istio 1.3 的支持现已正式终止。

-At this point we will no longer back-port fixes for security issues and critical bugs to 1.3, so we heartily encourage you to upgrade to the latest version of Istio ({{<istio_release_name>}}) if you haven't already.
+我们将不再为 1.3 提供针对安全问题和关键错误的修复程序，因此，如果您尚未升级，
+我们建议您升级到最新版本的 Istio ({{<istio_release_name>}})。