1.5.8 and 1.6.5 release notes (#7692)

* publish istio-1.6.5 release notes

* publish istio-1.6.5 release notes

* address review comments

* fix format

* Draft release notes for 1.5.8 and 1.6.5

* Removed a feature that didn't actually make it into 1.6.5.

* Fix date on 1.6.5 release.

* Apply suggestions from code review

Co-authored-by: Francois Pesce <fpesce@google.com>
Co-authored-by: jacob-delgado <jacob.delgado@aspenmesh.io>

* Update content/en/news/releases/1.5.x/announcing-1.5.8/index.md

* Move CVE out of backticks into .spelling.

* Added clarification.

* Fixed naming of Istio CA/Citadel

* Apply suggestions from code review

Co-authored-by: Rigs Caballero <grca@google.com>

* Apply suggestions from code review

Co-authored-by: Rigs Caballero <grca@google.com>

* Apply suggestions from code review

Co-authored-by: Rigs Caballero <grca@google.com>

Co-authored-by: “irisdingbj” <irisdingbj@gmail.com>
Co-authored-by: Francois Pesce <fpesce@google.com>
Co-authored-by: jacob-delgado <jacob.delgado@aspenmesh.io>
Co-authored-by: Rigs Caballero <grca@google.com>

.spelling

@@ -198,6 +198,7 @@ CVE-2020-12603
 CVE-2020-12604
 CVE-2020-12605
 CVE-2020-13379
+CVE-2020-15104
 CVEs
 cves
 cvss

content/en/news/releases/1.5.x/announcing-1.5.8/index.md

@@ -0,0 +1,28 @@
+---
+title: Announcing Istio 1.5.8
+linktitle: 1.5.8
+subtitle: Patch Release
+description: Istio 1.5.8 security release.
+publishdate: 2020-07-09
+release: 1.5.8
+aliases:
+    - /news/announcing-1.5.8
+---
+
+This release fixes the security vulnerability described in [our July 9th, 2020 news post](/news/security/istio-security-2020-008).
+
+These release notes describe what's different between Istio 1.5.8 and Istio 1.5.7.
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-15104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15104)__:
+When validating TLS certificates, Envoy incorrectly allows wildcards in DNS Subject Alternative Name (SAN) to apply to multiple subdomains. For example, with a SAN of `*.example.com`, Envoy incorrectly allows `nested.subdomain.example.com`, when it should only allow `subdomain.example.com`.
+    - CVSS Score: 6.6 [AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C&version=3.1)
+
+## Changes
+
+- **Allowed** setting `status.sidecar.istio.io/port` to zero ([Issue 24722](https://github.com/istio/istio/issues/24722))
+- **Improved** `istioctl validate` to disallow unknown fields not included in the Open API specification ([Issue 24860](https://github.com/istio/istio/issues/24860))
+- **Fixed** a bug in Mixer where it would incorrectly return source names when it did lookup by IP.

content/en/news/releases/1.6.x/announcing-1.6.5/index.md

@@ -0,0 +1,41 @@
+---
+title: Announcing Istio 1.6.5
+linktitle: 1.6.5
+subtitle: Patch Release
+description: Istio 1.6.5 patch release.
+publishdate: 2020-07-09
+release: 1.6.5
+aliases:
+    - /news/announcing-1.6.5
+---
+
+This release fixes the security vulnerability described in [our July 9th, 2020 news post](/news/security/istio-security-2020-008).
+
+This release contains bug fixes to improve robustness. These release notes describe
+what’s different between Istio 1.6.5 and Istio 1.6.4.
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-15104](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15104)__:
+When validating TLS certificates, Envoy incorrectly allows a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of `*.example.com`, Envoy incorrectly allows `nested.subdomain.example.com`, when it should only allow `subdomain.example.com`.
+    - CVSS Score: 6.6 [AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C&version=3.1)
+
+## Changes
+
+- **Fixed** return the proper source name after Mixer does a lookup by IP if multiple pods have the same IP.
+- **Improved** the sidecar injection control based on revision at a per-pod level ([Issue 24801](https://github.com/istio/istio/issues/24801))
+- **Improved** `istioctl validate` to disallow unknown fields not included in the Open API specification ([Issue 24860](https://github.com/istio/istio/issues/24860))
+- **Changed** `stsPort` to `sts_port` in Envoy's bootstrap file.
+- **Preserved** existing WASM state schema for state objects to reference it later as needed.
+- **Added** `targetUri` to `stackdriver_grpc_service`.
+- **Updated** WASM state to log for Access Log Service.
+- **Increased** default protocol detection timeout from 100 ms to 5 s ([Issue 24379](https://github.com/istio/istio/issues/24379))
+- **Removed** UDP port 53 from Istiod.
+- **Allowed** setting `status.sidecar.istio.io/port` to zero ([Issue 24722](https://github.com/istio/istio/issues/24722))
+- **Fixed**  EDS endpoint selection for subsets with no or empty label selector. ([Issue 24969](https://github.com/istio/istio/issues/24969))
+- **Allowed** `k8s.overlays` on `BaseComponentSpec`. ([Issue 24476](https://github.com/istio/istio/issues/24476))
+- **Fixed** `istio-agent` to create _elliptical_ curve CSRs when `ECC_SIGNATURE_ALGORITHM` is set.
+- **Improved** mapping of gRPC status codes into HTTP domain for telemetry.
+- **Fixed** `scaleTargetRef` naming in `HorizontalPodAutoscaler` for Istiod ([Issue 24809](https://github.com/istio/istio/issues/24809))

content/en/news/security/istio-security-2020-008/index.md

@@ -0,0 +1,37 @@
+---
+title: ISTIO-SECURITY-2020-008
+subtitle: Security Bulletin
+description: Incorrect validation of wildcard DNS Subject Alternative Names.
+cves: [CVE-2020-15104]
+cvss: "6.6"
+vector: "AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C"
+releases: ["1.5 to 1.5.7", "1.6 to 1.6.4", "All releases prior to 1.5"]
+publishdate: 2020-07-09
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+Istio is vulnerable to a newly discovered vulnerability:
+
+* __[`CVE-2020-15104`](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15104)__:
+When validating TLS certificates, Envoy incorrectly allows a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of `*.example.com`, Envoy incorrectly allows `nested.subdomain.example.com`, when it should only allow `subdomain.example.com`.
+    * CVSS Score: 6.6 [AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C&version=3.1)
+
+Istio users are exposed to this vulnerability in the following ways:
+
+* Direct use of Envoy's `verify_subject_alt_name` and `match_subject_alt_names` configuration via [Envoy Filter](/docs/reference/config/networking/envoy-filter/).
+
+* Use of Istio's [`subjectAltNames` field in destination rules with client TLS settings](/docs/reference/config/networking/destination-rule/#ClientTLSSettings).  A destination rule with a `subjectAltNames` field containing `nested.subdomain.example.com` incorrectly accepts a certificate from an upstream peer with a Subject Alternative Name (SAN) of `*.example.com`.  Instead a SAN of `*.subdomain.example.com` or `nested.subdomain.example.com` should be present.
+
+* Use of Istio's [`subjectAltNames` in service entries](/docs/reference/config/networking/service-entry/).  A service entry with a `subjectAltNames` field with a value similar to `nested.subdomain.example.com` incorrectly accepts a certificate from an upstream peer with a SAN of `*.example.com`.
+
+The Istio CA, which was formerly known as Citadel, does not issue certificates with DNS wildcard SANs. The vulnerability only impacts configurations that validate externally issued certificates.
+
+## Mitigation
+
+* For Istio 1.5.x deployments: update to [Istio 1.5.8](/news/releases/1.5.x/announcing-1.5.8) or later.
+* For Istio 1.6.x deployments: update to [Istio 1.6.5](/news/releases/1.6.x/announcing-1.6.5) or later.
+
+{{< boilerplate "security-vulnerability" >}}