cherry-pick 4-4 security release announcement back to master branch (#13000)

* cherry-pick 4-4 security release announcement back to master branch

* lint fixes

---------

Co-authored-by: jacob-delgado <jacob.delgado@volunteers.acasi.info>

.spelling

@@ -325,6 +325,12 @@ CVE-2022-39278
 CVE-2022-39388
 CVE-2022-41715
 CVE-2022-41721
+CVE-2023-27487
+CVE-2023-27488
+CVE-2023-27491
+CVE-2023-27492
+CVE-2023-27493
+CVE-2023-27496
 cves
 CVEs
 cvss
@@ -546,6 +552,7 @@ ISTIO-SECURITY-2022-002
 ISTIO-SECURITY-2022-003
 ISTIO-SECURITY-2022-004
 ISTIO-SECURITY-2022-005
+ISTIO-SECURITY-2023-001
 istio-system
 istio.io
 istio.io.
@@ -719,6 +726,7 @@ non-conformant
 non-mTLS
 non-revisioned
 non-sandboxed
+non-UTF8
 normalization
 ns
 nsenter

content/en/docs/releases/supported-releases/index.md

@@ -74,8 +74,9 @@ Please keep up-to-date and use a supported version.
 
 | Minor Releases   | Patched versions with no known CVEs                  |
 | ---------------- | ---------------------------------------------------- |
-| 1.16.x           | 1.16.0+                                              |
-| 1.15.x           | 1.15.3+                                              |
+| 1.17.x           | 1.17.2+                                               |
+| 1.16.x           | 1.16.4+                                               |
+| 1.15.x           | 1.15.7 - End of life. A new CVE will NOT be patched  |
 | 1.14.x           | 1.14.5 - End of life. A new CVE will NOT be patched. |
 | 1.13.x           | 1.13.9 - End of life. A new CVE will NOT be patched. |
 | 1.12 and earlier | None, all versions have known vulnerabilities.       |

content/en/news/releases/1.15.x/announcing-1.15.7/index.md

@@ -0,0 +1,45 @@
+---
+title: Announcing Istio 1.15.7
+linktitle: 1.15.7
+subtitle: Patch Release
+description: Istio 1.15.7 patch release.
+publishdate: 2023-04-04T07:00:00-06:00
+release: 1.15.7
+---
+
+This release fixes the security vulnerabilities described in our April 4th post, [ISTIO-SECURITY-2023-001](/news/security/istio-security-2023-001).
+This release note describes what’s different between Istio 1.15.6 and 1.15.7.
+
+{{< relnote >}}
+
+## Security update
+
+- __CVE-2023-27487__:
+  (CVSS Score 8.2, High): Client may fake the header `x-envoy-original-path`.
+
+- __CVE-2023-27488__:
+  (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
+
+- __CVE-2023-27491__:
+  (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
+
+- __CVE-2023-27492__:
+  (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
+
+- __CVE-2023-27493__:
+  (CVSS Score 8.1, High): Envoy doesn't escape HTTP header values.
+
+- __CVE-2023-27496__:
+  (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.
+
+## Changes
+
+- **Fixed** an issue where you could not change `PrivateKeyProvider` using proxy-config.
+  ([Issue #41760](https://github.com/istio/istio/issues/41760))
+
+- **Fixed** an issue where `istioctl analyze` was throwing a SIGSEGV when the optional field 'filter'
+was missing under the `EnvoyFilter.ListenerMatch.FilterChainMatch` section.
+  ([Issue #42831](https://github.com/istio/istio/issues/42831))
+
+- **Fixed** an issue where `EnvoyFilter` for `Cluster.ConnectTimeout` was affecting unrelated `Clusters`.
+  ([Issue #43435](https://github.com/istio/istio/issues/43435))

content/en/news/releases/1.16.x/announcing-1.16.4/index.md

@@ -0,0 +1,60 @@
+---
+title: Announcing Istio 1.16.4
+linktitle: 1.16.4
+subtitle: Patch Release
+description: Istio 1.16.4 patch release.
+publishdate: 2023-04-04T07:00:00-06:00
+release: 1.16.4
+---
+
+This release fixes the security vulnerabilities described in our April 4th post, [ISTIO-SECURITY-2023-001](/news/security/istio-security-2023-001).
+This release note describes what’s different between Istio 1.16.3 and 1.16.4.
+
+{{< relnote >}}
+
+## Security update
+
+- __CVE-2023-27487__:
+  (CVSS Score 8.2, High): Client may fake the header `x-envoy-original-path`.
+
+- __CVE-2023-27488__:
+  (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
+
+- __CVE-2023-27491__:
+  (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
+
+- __CVE-2023-27492__:
+  (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
+
+- __CVE-2023-27493__:
+  (CVSS Score 8.1, High): Envoy doesn't escape HTTP header values.
+
+- __CVE-2023-27496__:
+  (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.
+
+# Changes
+
+- **Added** support for pushing additional federated trust domains from `caCertificates` to the peer SAN validator.
+  ([Issue #41666](https://github.com/istio/istio/issues/41666))
+
+- **Fixed** overwriting label `istio.io/rev` in injected gateways when `istio.io/rev=<tag>`.
+  ([Issue #33237](https://github.com/istio/istio/issues/33237))
+
+- **Fixed** an issue where you could not change `PrivateKeyProvider` using proxy-config.
+  ([Issue #41760](https://github.com/istio/istio/issues/41760))
+
+- **Fixed** an issue where you could not disable tracing in `ProxyConfig`.
+  ([Issue #31809](https://github.com/istio/istio/issues/31809))
+
+- **Fixed** an issue where `istioctl analyze` was throwing a SIGSEGV when the optional field 'filter' was missing under the `EnvoyFilter.ListenerMatch.FilterChainMatch` section. ([Issue #42831](https://github.com/istio/istio/issues/42831))
+
+- **Fixed** a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for `CLIENT` or `SERVER` will not affect each other.
+  [Issue # 43371](https://github.com/istio/istio/issues/43371)
+
+- **Fixed** an issue where `EnvoyFilter` for `Cluster.ConnectTimeout` was affecting unrelated `Clusters`. ([Issue #43435](https://github.com/istio/istio/issues/43435))
+
+- **Fixed** a bug in `istioctl analyze` where some messages are missed when there are services with no selector in the analyzed namespace.
+
+- **Fixed** an issue causing VMs using auto-registration to ignore labels other than those defined in a `WorkloadGroup`. ([Issue #32210](https://github.com/istio/istio/issues/32210))
+
+- **Fixed** `istioctl experimental wait` has undecipherable message when `PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING` is not enabled. [Issue #42967](https://github.com/istio/istio/issues/42967)

content/en/news/releases/1.17.x/announcing-1.17.2/index.md

@@ -0,0 +1,73 @@
+---
+title: Announcing Istio 1.17.2
+linktitle: 1.17.2
+subtitle: Patch Release
+description: Istio 1.17.2 patch release.
+publishdate: 2023-04-04T07:00:00-06:00
+release: 1.17.2
+---
+
+This release fixes the security vulnerabilities described in our April 4th post, [ISTIO-SECURITY-2023-001](/news/security/istio-security-2023-001).
+This release note describes what’s different between Istio 1.17.1 and 1.17.2.
+
+{{< relnote >}}
+
+## Security update
+
+- __CVE-2023-27487__:
+  (CVSS Score 8.2, High): Client may fake the header `x-envoy-original-path`.
+
+- __CVE-2023-27488__:
+  (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
+
+- __CVE-2023-27491__:
+  (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
+
+- __CVE-2023-27492__:
+  (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
+
+- __CVE-2023-27493__:
+  (CVSS Score 8.1, High): Envoy doesn't escape HTTP header values.
+
+- __CVE-2023-27496__:
+  (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.
+
+## Changes
+
+- **Added** support for pushing additional federated trust domains from `caCertificates` to the peer SAN validator.
+  ([Issue #41666](https://github.com/istio/istio/issues/41666))
+
+- **Fixed** overwriting label `istio.io/rev` in injected gateways when `istio.io/rev=<tag>`.
+  ([Issue #33237](https://github.com/istio/istio/issues/33237))
+
+- **Fixed** an issue where you could not disable tracing in `ProxyConfig`.
+  ([Issue #31809](https://github.com/istio/istio/issues/31809))
+
+- **Fixed** admission webhook fails with custom header value format.
+  ([Issue #42749](https://github.com/istio/istio/issues/42749))
+
+- **Fixed** a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for `CLIENT` or `SERVER` will not affect each other.
+  [Issue # 43371](https://github.com/istio/istio/issues/43371)
+
+- **Fixed** an issue where `EnvoyFilter` for `Cluster.ConnectTimeout` was affecting unrelated `Clusters`.
+  ([Issue #43435](https://github.com/istio/istio/issues/43435))
+
+- **Fixed** an issue where `EnvoyFilter` for `Cluster.ConnectTimeout` was affecting unrelated `Clusters`.
+   [Issue #43435](https://github.com/istio/istio/issues/43435)
+
+- **Fixed** a bug in `istioctl analyze` where some messages are missed when there are services with no selector in the analyzed namespace. [PR #43678](https://github.com/istio/istio/pull/43678)
+
+- **Fixed** resource namespace resolution for `istioctl` commands. [Issue #43691](https://github.com/istio/istio/issues/43691)
+
+- **Fixed** an issue where auto allocated service entry IPs change on host reuse.
+  ([Issue #43858](https://github.com/istio/istio/issues/43858))
+
+- **Fixed** an issue where RBAC updates were not sent to older proxies after upgrading istiod to 1.17.
+  ([Issue #43785](https://github.com/istio/istio/issues/43785))
+
+- **Fixed** an issue causing VMs using auto-registration to ignore labels other than those defined in a `WorkloadGroup`.
+  ([Issue #32210](https://github.com/istio/istio/issues/32210))
+
+- **Fixed** an issue causing VMs using auto-registration to ignore labels other than those defined in a `WorkloadGroup`. [PR #44021](https://github.com/istio/istio/pull/44021)
+
+- **Fixed** `istioctl experimental wait` has undecipherable message when `PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING` is not enabled. [Issue #42967](https://github.com/istio/istio/issues/42967)

content/en/news/security/istio-security-2023-001/index.md

@@ -0,0 +1,40 @@
+---
+title: ISTIO-SECURITY-2023-001
+subtitle: Security Bulletin
+description: Multiple CVEs reported by Envoy.
+cves: [CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487]
+cvss: "8.2"
+vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+releases: ["All releases prior to 1.15.0", "1.15.0 to 1.15.6", "1.16.0 to 1.16.3", "1.17.0 to 1.17.1"]
+publishdate: 2023-04-04
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVEs
+
+- __CVE-2023-27487__: (CVSS Score 8.2, High):
+Client may fake the header `x-envoy-original-path`.
+
+- __CVE-2023-27488__: (CVSS Score 5.4, Moderate):
+gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
+
+- __CVE-2023-27491__: (CVSS Score 5.4, Moderate):
+Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
+
+- __CVE-2023-27492__: (CVSS Score 4.8, Moderate):
+Crash when a large request body is processed in Lua filter.
+
+- __CVE-2023-27493__: (CVSS Score 8.1, High):
+Envoy doesn't escape HTTP header values.
+
+- __CVE-2023-27496__: (CVSS Score 6.5, Moderate):
+Crash when a redirect url without a state parameter is received in the OAuth filter.
+
+## Am I Impacted?
+
+You may be at risk if you have an Istio gateway or if you use external istiod.

content/en/news/support/announcing-1.15-eol-final/index.md

@@ -0,0 +1,11 @@
+---
+title: Support for Istio 1.15 has ended
+subtitle: Support Announcement
+description: Istio 1.15 end of life announcement.
+publishdate: 2023-04-04
+---
+
+As [previously announced](/news/support/announcing-1.15-eol/), support for Istio 1.15 has now officially ended.
+
+At this point we will no longer back-port fixes for security issues and critical bugs to 1.15, so we heartily encourage
+you to upgrade to the latest version of Istio ({{<istio_release_name>}}) if you haven't already.