docs: Fix duplicate message and format of 1.17.2 release note and sync it with related security update to zh (#13106)

* Remove dup change and fix format * Combine dup changes in one * Sync 1.17.2 release notes into Chinese * Add security 2023-001 * Fix lint * Apply suggestions from code review Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> * Update PR to the original one * Add fixed changelog * Update content/zh/news/security/istio-security-2023-001/index.md Co-authored-by: Michael <haifeng.yao@daocloud.io> * Fix spaces * Sync latest changelogs to zh * Update header tanslate to 头信息 --------- Co-authored-by: Eric Van Norman <ericvn@us.ibm.com> Co-authored-by: Michael <haifeng.yao@daocloud.io>
2023-04-26 21:39:28 +08:00 · 2023-04-26 21:39:28 +08:00 · f8c8b54ff5
parent 9b0315deba
commit f8c8b54ff5
3 changed files with 126 additions and 9 deletions
--- a/content/en/news/releases/1.17.x/announcing-1.17.2/index.md
+++ b/content/en/news/releases/1.17.x/announcing-1.17.2/index.md
@ -47,17 +47,16 @@ Crash when a redirect url without a state parameter is received in the OAuth fil
  ([Issue #42749](https://github.com/istio/istio/issues/42749))

 - **Fixed** a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for `CLIENT` or `SERVER` will not affect each other.
-  [Issue # 43371](https://github.com/istio/istio/issues/43371)
+  ([Issue #43371](https://github.com/istio/istio/issues/43371))

 - **Fixed** an issue where `EnvoyFilter` for `Cluster.ConnectTimeout` was affecting unrelated `Clusters`.
  ([Issue #43435](https://github.com/istio/istio/issues/43435))

- **Fixed** an issue where `EnvoyFilter` for `Cluster.ConnectTimeout` was affecting unrelated `Clusters`.
-   [Issue #43435](https://github.com/istio/istio/issues/43435)
+- **Fixed** a bug in `istioctl analyze` where some messages are missed when there are services with no selector in the analyzed namespace.
+  ([PR #43678](https://github.com/istio/istio/pull/43678))

- **Fixed** a bug in `istioctl analyze` where some messages are missed when there are services with no selector in the analyzed namespace. [PR #43678](https://github.com/istio/istio/pull/43678)
-
- **Fixed** resource namespace resolution for `istioctl` commands. [Issue #43691](https://github.com/istio/istio/issues/43691)
+- **Fixed** resource namespace resolution for `istioctl` commands.
+  ([Issue #43691](https://github.com/istio/istio/issues/43691))

 - **Fixed** an issue where auto allocated service entry IPs change on host reuse.
  ([Issue #43858](https://github.com/istio/istio/issues/43858))
@ -65,9 +64,11 @@ Crash when a redirect url without a state parameter is received in the OAuth fil
 - **Fixed** an issue where RBAC updates were not sent to older proxies after upgrading istiod to 1.17.
  ([Issue #43785](https://github.com/istio/istio/issues/43785))

- **Fixed** an issue causing VMs using auto-registration to ignore labels other than those defined in a `WorkloadGroup`.
+- **Fixed** reconciliation logic in the validation webhook controller to rate-limit the retries in the loop. This should drastically reduce churn (and generated logs) in cases of misconfiguration.
  ([Issue #32210](https://github.com/istio/istio/issues/32210))

- **Fixed** an issue causing VMs using auto-registration to ignore labels other than those defined in a `WorkloadGroup`. [PR #44021](https://github.com/istio/istio/pull/44021)
+- **Fixed** an issue causing VMs using auto-registration to ignore labels other than those defined in a `WorkloadGroup`.
+  ([PR #44012](https://github.com/istio/istio/pull/44012))

- **Fixed** `istioctl experimental wait` has undecipherable message when `PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING` is not enabled. [Issue #42967](https://github.com/istio/istio/issues/42967)
+- **Fixed** `istioctl experimental wait` has undecipherable message when `PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING` is not enabled.
+  ([Issue #42967](https://github.com/istio/istio/issues/42967))
--- a/content/zh/news/releases/1.17.x/announcing-1.17.2/index.md
+++ b/content/zh/news/releases/1.17.x/announcing-1.17.2/index.md
@ -0,0 +1,76 @@
+---
+title: 发布 Istio 1.17.2
+linktitle: 1.17.2
+subtitle: 补丁发布
+description: Istio 1.17.2 补丁发布。
+publishdate: 2023-04-04T07:00:00-06:00
+release: 1.17.2
+---
+
+该版本修复了于 4 月 4 日发布的 [ISTIO-SECURITY-2023-001](/zh/news/security/istio-security-2023-001)
+中阐述的安全漏洞。
+本发布说明描述了 Istio 1.17.1 和 Istio 1.17.2 之间的不同之处。
+
+{{< relnote >}}
+
+## 安全更新{#security-updates}
+
+- __[CVE-2023-27487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g)__:
+  (CVSS Score 8.2, High)：客户端可能会伪造 `x-envoy-original-path` 头信息。
+
+- __[CVE-2023-27488](https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph)__:
+  (CVSS Score 5.4, Moderate)：当收到具有非 UTF8 值的 HTTP 头信息时，gRPC 客户端会生成无效的 protobuf。
+
+- __[CVE-2023-27491](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp)__:
+  (CVSS Score 5.4, Moderate)：Envoy 将转发无效的 HTTP/2 和 HTTP/3 下游头信息。
+
+- __[CVE-2023-27492](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2)__:
+  (CVSS Score 4.8, Moderate)：在 Lua 过滤器中处理大请求体时导致崩溃。
+
+- __[CVE-2023-27493](https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q)__:
+  (CVSS Score 8.1, High)：Envoy 不会转义 HTTP 头信息的值。
+
+- __[CVE-2023-27496](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j79q-2g66-2xv5)__:
+  (CVSS Score 6.5, Moderate)：在 OAuth 过滤器中收到没有 state 参数的重定向 URL 时导致崩溃。
+
+## 变更{#changes}
+
+- **新增** 支持将额外的信任域联邦从 `caCertificates` 推送到对等 SAN 验证器。
+  ([Issue #41666](https://github.com/istio/istio/issues/41666))
+
+- **修复** 当标签为 `istio.io/rev=<tag>` 时，在注入的网关中覆盖 `istio.io/rev` 标签。
+  ([Issue #33237](https://github.com/istio/istio/issues/33237))
+
+- **修复** 无法在 `ProxyConfig` 中禁用链路的问题。
+  ([Issue #31809](https://github.com/istio/istio/issues/31809))
+
+- **修复** 当头信息值使用自定义格式时 Admission Webhook 失败。
+  ([Issue #42749](https://github.com/istio/istio/issues/42749))
+
+- **修复** 基于流量流向应用访问日志配置时导致异常行为的问题。
+  通过此修复，`CLIENT` 或 `SERVER` 的访问日志配置将不会相互影响。
+  ([Issue # 43371](https://github.com/istio/istio/issues/43371))
+
+- **修复** `Cluster.ConnectTimeout` 类型的 `EnvoyFilter` 影响不相关 `Clusters` 的问题。
+  ([Issue #43435](https://github.com/istio/istio/issues/43435))
+
+- **修复** 在 `istioctl analyze` 中的一个错误，当分析的命名空间中存在没有选择器的服务时，会丢失一些消息。
+  ([PR #43678](https://github.com/istio/istio/pull/43678))
+
+- **修复** `istioctl` 命令针对资源的命名空间解析。
+  ([Issue #43691](https://github.com/istio/istio/issues/43691))
+
+- **修复** 自动分配的服务条目 IP 在主机重用时发生变化的问题。
+  ([Issue #43858](https://github.com/istio/istio/issues/43858))
+
+- **修复** 当 istiod 升级到 1.17 后，RBAC 更新未发送到旧代理的问题。
+  ([Issue #43785](https://github.com/istio/istio/issues/43785))
+
+- **修复** 在验证 webhook 控制器中达到限流的循环重试中的调谐逻辑。当配置错误的情况下，该操作会大大减少抖动（以及生成的日志）。
+  ([Issue #32210](https://github.com/istio/istio/issues/32210))
+
+- **修复** 导致当 VM 使用自动注册时忽略掉在 `WorkloadGroup` 中定义的标签的问题。
+  ([PR #44021](https://github.com/istio/istio/pull/44021))
+
+- **修复** 当未启用 `PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING` 时 `istioctl experimental wait` 中存在无法辨认的消息。
+  ([Issue #42967](https://github.com/istio/istio/issues/42967))
--- a/content/zh/news/security/istio-security-2023-001/index.md
+++ b/content/zh/news/security/istio-security-2023-001/index.md
@ -0,0 +1,40 @@
+---
+title: ISTIO-SECURITY-2023-001
+subtitle: 安全公告
+description: Envoy 上报的众多 CVE 漏洞。
+cves: [CVE-2023-27496, CVE-2023-27488, CVE-2023-27493, CVE-2023-27492, CVE-2023-27491, CVE-2023-27487]
+cvss: "8.2"
+vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+releases: ["1.15.0 之前的所有版本", "1.15.0 到 1.15.6", "1.16.0 到 1.16.3", "1.17.0 到 1.17.1"]
+publishdate: 2023-04-04
+keywords: [CVE]
+skip_seealso: true
+---
+
+{{< security_bulletin >}}
+
+## CVE
+
+### Envoy CVEs{#envoy-cves}
+
+- __[CVE-2023-27487](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5375-pq35-hf2g)__:
+  (CVSS Score 8.2, High)：客户端可能会伪造 `x-envoy-original-path` 头信息。
+
+- __[CVE-2023-27488](https://github.com/envoyproxy/envoy/security/advisories/GHSA-9g5w-hqr3-w2ph)__:
+  (CVSS Score 5.4, Moderate)：当收到具有非 UTF8 值的 HTTP 头信息时，gRPC 客户端会生成无效的 protobuf。
+
+- __[CVE-2023-27491](https://github.com/envoyproxy/envoy/security/advisories/GHSA-5jmv-cw9p-f9rp)__:
+  (CVSS Score 5.4, Moderate)：Envoy 将转发无效的 HTTP/2 和 HTTP/3 下游头信息。
+
+- __[CVE-2023-27492](https://github.com/envoyproxy/envoy/security/advisories/GHSA-wpc2-2jp6-ppg2)__:
+  (CVSS Score 4.8, Moderate)：在 Lua 过滤器中处理大请求体时导致崩溃。
+
+- __[CVE-2023-27493](https://github.com/envoyproxy/envoy/security/advisories/GHSA-w5w5-487h-qv8q)__:
+  (CVSS Score 8.1, High)：Envoy 不会转义 HTTP 头信息的值。
+
+- __[CVE-2023-27496](https://github.com/envoyproxy/envoy/security/advisories/GHSA-j79q-2g66-2xv5)__:
+  (CVSS Score 6.5, Moderate)：在 OAuth 过滤器中收到没有 state 参数的重定向 URL 时导致崩溃。
+
+## 我受到影响了吗？{#am-i-impacted}
+
+如果您使用了 Istio Gateway 或者使用外部 istiod 可能面临风险。