add release notes for 1.24.6 and 1.25.3 (#16483)

* add release notes for 1.24.6 and 1.25.3 Signed-off-by: Daniel Hawton <daniel@hawton.org> * bump CVE table in supported releases page Signed-off-by: Daniel Hawton <daniel@hawton.org> --------- Signed-off-by: Daniel Hawton <daniel@hawton.org>
2025-05-13 17:52:12 +02:00 · 2025-05-13 17:52:12 +02:00 · b37c0a45e6
parent 354c2ffb05
commit b37c0a45e6
4 changed files with 53 additions and 2 deletions
--- a/.spelling
+++ b/.spelling
@ -414,6 +414,7 @@ CVE-2024-53269
 CVE-2024-53270
 CVE-2024-53271
 CVE-2025-30157
+CVE-2025-46821
 CVEs
 cves
 cvss
--- a/content/en/docs/releases/supported-releases/index.md
+++ b/content/en/docs/releases/supported-releases/index.md
@ -71,8 +71,8 @@ Please keep up-to-date and use a supported version.
 | Minor Releases | Patched versions with no known CVEs |
 |----------------|-------------------------------------|
 | 1.26.x         | 1.26.0+                             |
-| 1.25.x         | 1.25.0+                             |
-| 1.24.x         | 1.24.0+                             |
+| 1.25.x         | 1.25.3+                             |
+| 1.24.x         | 1.24.6+                             |

 ## Supported Envoy Versions

--- a/content/en/news/releases/1.24.x/announcing-1.24.6/index.md
+++ b/content/en/news/releases/1.24.x/announcing-1.24.6/index.md
@ -0,0 +1,27 @@
+---
+title: Announcing Istio 1.24.6
+linktitle: 1.24.6
+subtitle: Patch Release
+description: Istio 1.24.6 patch release.
+publishdate: 2025-05-13
+release: 1.24.6
+---
+
+
+This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.24.5 and Istio 1.24.6.
+
+{{< relnote >}}
+
+## Security Updates
+
+- [CVE-2025-46821](https://nvd.nist.gov/vuln/detail/CVE-2025-46821) (CVSS Score 5.3, Medium): Bypass of RBAC `uri_template` permission.
+
+If you use `**` within an `AuthorizationPolicy`'s path field, it is recommended you upgrade to Istio 1.24.6.
+
+## Changes
+
+- **Fixed** an issue where validation webhook incorrectly reported a warning when a `ServiceEntry` configured `workloadSelector` with DNS resolution.
+  ([Issue #50164](https://github.com/istio/istio/issues/50164))
+
+- **Removed** the restriction where revision tag only worked when `istiodRemote` was not enabled in the istiod helm chart. Revision tags now work as long as the `revisionTags` is specified without regard to whether `istiodRemote` is enabled or not.
+  ([Issue #54743](https://github.com/istio/istio/issues/54743))
--- a/content/en/news/releases/1.25.x/announcing-1.25.3/index.md
+++ b/content/en/news/releases/1.25.x/announcing-1.25.3/index.md
@ -0,0 +1,23 @@
+---
+title: Announcing Istio 1.25.3
+linktitle: 1.25.3
+subtitle: Patch Release
+description: Istio 1.25.3 patch release.
+publishdate: 2025-05-13
+release: 1.25.3
+---
+
+This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.25.2 and Istio 1.25.3.
+
+{{< relnote >}}
+
+## Security Updates
+
+- [CVE-2025-46821](https://nvd.nist.gov/vuln/detail/CVE-2025-46821) (CVSS Score 5.3, Medium): Bypass of RBAC `uri_template` permission.
+
+If you use `**` within an `AuthorizationPolicy`'s path field, it is recommended you upgrade to Istio 1.25.3.
+
+## Changes
+
+- **Removed** the restriction where revision tag only worked when `istiodRemote` was not enabled in the istiod helm chart. Revision tags now work as long as the `revisionTags` is specified without regard to whether `istiodRemote` is enabled or not.
+  ([Issue #54743](https://github.com/istio/istio/issues/54743))