Release 1.7 (#7998) (#8227) (#8230)

* Release Notes for Istio-2020-010 (#7998) (#11) * Release notes for ISTIO-2020-010 * PR comments * Update CVSS * Remove changes section * Fix Linter Issues (#12) * Increase indent * Fix lint errors * Update args.yml Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update index.md * Update index.md Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> Co-authored-by: Eric Van Norman <ericvn@us.ibm.com>
2020-09-29 15:53:41 -04:00 · 2020-09-29 15:53:41 -04:00 · ea69e6a0df
parent dd8ffdab49
commit ea69e6a0df
4 changed files with 69 additions and 0 deletions
--- a/.spelling
+++ b/.spelling
@ -204,6 +204,7 @@ CVE-2020-12605
 CVE-2020-13379
 CVE-2020-15104
 CVE-2020-16844
+CVE-2020-25017
 CVEs
 cves
 cvss
--- a/content/en/news/releases/1.6.x/announcing-1.6.11/index.md
+++ b/content/en/news/releases/1.6.x/announcing-1.6.11/index.md
@ -0,0 +1,20 @@
+---
+title: Announcing Istio 1.6.11
+linktitle: 1.6.11
+subtitle: Security Release
+description: Istio 1.6.11 security release.
+publishdate: 2020-09-29
+release: 1.6.11
+aliases:
+    - /news/announcing-1.6.11
+---
+
+This release fixes the security vulnerability described in [our September 29 post](/news/security/istio-security-2020-010).
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
+In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
+    - __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
--- a/content/en/news/releases/1.7.x/announcing-1.7.3/index.md
+++ b/content/en/news/releases/1.7.x/announcing-1.7.3/index.md
@ -0,0 +1,21 @@
+---
+title: Announcing Istio 1.7.3
+linktitle: 1.7.3
+subtitle: Security Release
+description: Istio 1.7.3 security release.
+publishdate: 2020-09-29
+release: 1.7.3
+aliases:
+    - /news/announcing-1.7.3
+---
+
+This release fixes the security vulnerability described in [our September 29 post](/news/security/istio-security-2020-010).
+
+{{< relnote >}}
+
+## Security update
+
+- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
+In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
+    - __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
+
--- a/content/en/news/security/istio-security-2020-010/index.md
+++ b/content/en/news/security/istio-security-2020-010/index.md
@ -0,0 +1,27 @@
+---
+title: ISTIO-SECURITY-2020-010
+subtitle: Security Bulletin
+description:
+cves: [CVE-2020-25017]
+cvss: "8.3"
+vector: "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L"
+releases: ["1.6 to 1.6.10", "1.7 to 1.7.2"]
+publishdate: 2020-09-29
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+Envoy, and subsequently Istio, is vulnerable to a newly discovered vulnerability:
+
+- __[CVE-2020-25017](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25017)__:
+In some cases, Envoy only considers the first value when multiple headers are present. Also, Envoy does not replace all existing occurrences of a non-inline header.
+    - __CVSS Score__: 8.3 [AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L&version=3.1)
+
+## Mitigation
+
+- For Istio 1.6.x deployments: update to [Istio 1.6.11](/news/releases/1.6.x/announcing-1.6.11) or later.
+- For Istio 1.7.x deployments: update to [Istio 1.7.3](/news/releases/1.7.x/announcing-1.7.3) or later.
+
+{{< boilerplate "security-vulnerability" >}}