From ea69e6a0dff2e52fa93a64daff21c32a6a8eec8a Mon Sep 17 00:00:00 2001
From: Brian Avery
Date: Tue, 29 Sep 2020 15:53:41 -0400
Subject: [PATCH] Release 1.7 (#7998) (#8227) (#8230)

* Release Notes for Istio-2020-010 (#7998) (#11)
* Release notes for ISTIO-2020-010
* PR comments
* Update CVSS
* Remove changes section
* Fix Linter Issues (#12)
* Increase indent
* Fix lint errors
* Update args.yml
Co-authored-by: Eric Van Norman
* Update index.md
* Update index.md
Co-authored-by: Eric Van Norman
Co-authored-by: Eric Van Norman
---
 .spelling | 1 +
 .../releases/1.6.x/announcing-1.6.11/index.md | 20 ++++++++++++++
 .../releases/1.7.x/announcing-1.7.3/index.md | 21 +++++++++++++++
 .../security/istio-security-2020-010/index.md | 27 +++++++++++++++++++
 4 files changed, 69 insertions(+)
 create mode 100644 content/en/news/releases/1.6.x/announcing-1.6.11/index.md
 create mode 100644 content/en/news/releases/1.7.x/announcing-1.7.3/index.md
 create mode 100644 content/en/news/security/istio-security-2020-010/index.md

diff --git a/.spelling b/.spelling
index 11826cc2ea..458d303d43 100644
--- a/.spelling
+++ b/.spelling
@@ -204,6 +204,7 @@ CVE-2020-12605
 CVE-2020-13379
 CVE-2020-15104
 CVE-2020-16844
+CVE-2020-25017
 CVEs
 cves
 cvss
diff --git a/content/en/news/releases/1.6.x/announcing-1.6.11/index.md b/content/en/news/releases/1.6.x/announcing-1.6.11/index.md
new file mode 100644
index 0000000000..946b39cd1b
--- /dev/null
+++ b/content/en/news/releases/1.6.x/announcing-1.6.11/index.md
@@ -0,0 +1,20 @@
+---
+title: Announcing Istio 1.6.11
+linktitle: 1.6.11
+subtitle: Security Release
+description: Istio 1.6.11 security release.
+publishdate: 2020-09-29
+release: 1.6.11
+aliases:
+ - /news/announcing-1.6.11
+---
+
+This release fixes the security vulnerability described in [our September 29 post](/news/security/istio-security-2020-010).
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
+In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
+ - __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
diff --git a/content/en/news/releases/1.7.x/announcing-1.7.3/index.md b/content/en/news/releases/1.7.x/announcing-1.7.3/index.md
new file mode 100644
index 0000000000..dd04899e41
--- /dev/null
+++ b/content/en/news/releases/1.7.x/announcing-1.7.3/index.md
@@ -0,0 +1,21 @@
+---
+title: Announcing Istio 1.7.3
+linktitle: 1.7.3
+subtitle: Security Release
+description: Istio 1.7.3 security release.
+publishdate: 2020-09-29
+release: 1.7.3
+aliases:
+ - /news/announcing-1.7.3
+---
+
+This release fixes the security vulnerability described in [our September 29 post](/news/security/istio-security-2020-010).
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
+In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
+ - __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
+
diff --git a/content/en/news/security/istio-security-2020-010/index.md b/content/en/news/security/istio-security-2020-010/index.md
new file mode 100644
index 0000000000..bb663772ce
--- /dev/null
+++ b/content/en/news/security/istio-security-2020-010/index.md
@@ -0,0 +1,27 @@
+---
+title: ISTIO-SECURITY-2020-010
+subtitle: Security Bulletin
+description:
+cves: [CVE-2020-25017]
+cvss: "8.3"
+vector: "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
+releases: ["1.6 to 1.6.10", "1.7 to 1.7.2"]
+publishdate: 2020-09-29
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:
+
+- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
+In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
+ - __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
+
+## Mitigation
+
+- For Istio 1.6.x deployments: update to [Istio 1.6.11](/news/releases/1.6.x/announcing-1.6.11) or later.
+- For Istio 1.7.x deployments: update to [Istio 1.7.3](/news/releases/1.7.x/announcing-1.7.3) or later.
+
+{{< boilerplate "security-vulnerability" >}}