Release notes for Istio 1.4.10 (#7551)

* Release notes for Istio 1.4.10

* Include Istio 1.4.10 as part of security bulletin

* Update the date

* Fix linting issue

* Add additional changes put into 1.4.10

* Fix dates

* Update content/en/news/releases/1.4.x/announcing-1.4.10/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

* Update content/en/news/releases/1.4.x/announcing-1.4.10/index.md

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>

Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
jacob-delgado 2020-06-18 10:06:29 -06:00 committed by GitHub
parent 9669d70d07
commit 8e4673c709
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 39 additions and 1 deletions

@ -0,0 +1,37 @@
---
title: Announcing Istio 1.4.10
linktitle: 1.4.10
subtitle: Patch Release
description: Istio 1.4.10 security release.
publishdate: 2020-06-18
release: 1.4.10
aliases:
- /news/announcing-1.4.10
test: n/a
---
This is the final release for Istio 1.4.
This release fixes the security vulnerability described in [our June 11th, 2020 news post](/news/security/istio-security-2020-006)
as well as bug fixes to improve robustness.
This release note describes what's different between Istio 1.4.9 and Istio 1.4.10.
{{< relnote >}}
## Security update
- **ISTIO-SECURITY-2020-006** Excessive CPU usage when processing HTTP/2 SETTINGS frames with too many parameters, potentially leading to a denial of service.
__[CVE-2020-11080](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080)__: By sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.
## Bug fixes
- **Fixed** `istio-cni-node` crash when `COS_CONTAINERD` and Istio CNI are enabled when running on Google Kubernetes Engine ([Issue 23643](https://github.com/istio/istio/issues/23643))
- **Fixed** Istio CNI causes pod initialization to experience a 30-40 second delay on startup when DNS is unreachable ([Issue 23770](https://github.com/istio/istio/issues/23770))
## Bookinfo sample application security fixes
We've updated the versions of Node.js and jQuery used in the Bookinfo sample application. Node.js has been upgraded from
version 12.9 to 12.18. jQuery has been updated from version 2.1.4 to version 3.5.0. The highest rated vulnerability fixed:
*HTTP request smuggling using malformed Transfer-Encoding header (Critical) (CVE-2019-15605)*
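Review bot: the Bookinfo paragraph names the highest-rated fixed vulnerability (CVE-2019-15605, HTTP request smuggling via a malformed Transfer-Encoding header) without saying which of the two upgraded dependencies it belongs to; since Node.js (12.9 to 12.18) and jQuery (2.1.4 to 3.5.0) are bumped in the same breath, attribute it to the Node.js upgrade so readers know which bump closes it. A smaller style point in the same hunk: the CVE line under `## Security update` uses `__...__` emphasis while the bulletin id on the line above uses `**...**`; pick one style for the whole section.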

@ -5,7 +5,7 @@ description: Denial of service in the HTTP2 library used by Envoy.
cves: [CVE-2020-11080]
cvss: "7.5"
vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
releases: ["1.5 to 1.5.4", "1.6 to 1.6.1"]
releases: ["1.4 to 1.4.9", "1.5 to 1.5.4", "1.6 to 1.6.1"]
publishdate: 2020-06-11
keywords: [CVE]
skip_seealso: true
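Review bot: adding `"1.4 to 1.4.9"` to `releases` widens the bulletin's affected-version list, but `publishdate: 2020-06-11` is left as it was, so readers who saw the original bulletin get no signal that its scope changed; consider adding an "updated" note in the body with the date of this change (the companion 1.4.10 release note in this commit is dated 2020-06-18) so the 1.4.x audience does not skip a bulletin they already read.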
@ -51,6 +51,7 @@ spec:
codec_type: HTTP1
{{< /text >}}
* For Istio 1.4.x deployments: update to [Istio 1.4.10](/news/releases/1.4.x/announcing-1.4.10) or later.
* For Istio 1.5.x deployments: update to [Istio 1.5.5](/news/releases/1.5.x/announcing-1.5.5) or later.
* For Istio 1.6.x deployments: update to [Istio 1.6.2](/news/releases/1.6.x/announcing-1.6.2) or later.
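Review bot: the new 1.4.x bullet reads "update to Istio 1.4.10 or later", but the release note added in this same commit states that 1.4.10 is the final release for Istio 1.4, so there is no later 1.4.x to update to; rephrase along the lines of `* For Istio 1.4.x deployments: update to [Istio 1.4.10](/news/releases/1.4.x/announcing-1.4.10), the final 1.4 release, or migrate to a supported 1.5.x/1.6.x release.` so operators on 1.4 understand that staying on the line means no further fixes.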