Changes for 2024-12-18 releases (#16115)
* Changes for 2024-12-18 releases
* Apply suggestions from code review

  Co-authored-by: Daniel Hawton <[email protected]>
* Update index.md

  Whitespace fix
* Apply suggestions from code review

  Clean up .spelling

  Co-authored-by: Daniel Hawton <[email protected]>

---------

Co-authored-by: Daniel Hawton <[email protected]>
1 parent 160db19, commit 912dfbc. Showing 5 changed files with 109 additions and 0 deletions.
16 changes: 16 additions & 0 deletions
content/en/news/releases/1.22.x/announcing-1.22.7/index.md
@@ -0,0 +1,16 @@ | ||
--- | ||
title: Announcing Istio 1.22.7 | ||
linktitle: 1.22.7 | ||
subtitle: Patch Release | ||
description: Istio 1.22.7 patch release. | ||
publishdate: 2024-12-18 | ||
release: 1.22.7 | ||
--- | ||
|
||
This release note describes what’s different between Istio 1.22.6 and Istio 1.22.7. | ||
|
||
This release implements the security updates described in our 18th of December post, [`ISTIO-SECURITY-2024-007`](/news/security/istio-security-2024-007). | ||
|
||
{{< relnote >}} | ||
|
||
There are no additional user-facing changes in this release. |
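Review bot: the date phrasing "our 18th of December post" in the bulletin reference line reads awkwardly, and the same sentence is repeated verbatim in the 1.23.4 and 1.24.2 notes in this commit; consider "our December 18th post" or simply "the [`ISTIO-SECURITY-2024-007`](/news/security/istio-security-2024-007) security bulletin" in all three so the wording stays consistent across the release series.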
25 changes: 25 additions & 0 deletions
content/en/news/releases/1.23.x/announcing-1.23.4/index.md
@@ -0,0 +1,25 @@ | ||
--- | ||
title: Announcing Istio 1.23.4 | ||
linktitle: 1.23.4 | ||
subtitle: Patch Release | ||
description: Istio 1.23.4 patch release. | ||
publishdate: 2024-12-18 | ||
release: 1.23.4 | ||
--- | ||
|
||
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.23.3 and Istio 1.23.4. | ||
|
||
This release implements the security updates described in our 18th of December post, [`ISTIO-SECURITY-2024-007`](/news/security/istio-security-2024-007). | ||
|
||
{{< relnote >}} | ||
|
||
## Changes | ||
|
||
- **Added** support for providing arbitrary environment variables to `istio-cni` chart. | ||
|
||
- **Fixed** an issue where merging `Duration` with an `EnvoyFilter` could lead to all listener associated attributes unexpectedly being modified because all listeners shared the same pointer typed `listener_filters_timeout`. | ||
|
||
- **Fixed** Helm rendering to properly apply annotations on Pilot's `ServiceAccount`. | ||
([Issue #51289](https://github.com/istio/istio/issues/51289)) | ||
|
||
- **Fixed** an issue where injection config errors were being silenced (i.e. logged and not returned) when the sidecar injector was unable to process the sidecar config. This change will now propagate the error to the user instead of continuing to process a faulty config. ([Issue #53357](https://github.com/istio/istio/issues/53357)) |
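Review bot: two small wording points in the Changes list. The first bullet is missing an article ("to the `istio-cni` chart"), and in the `EnvoyFilter` bullet the compound modifier should be hyphenated: "all listener-associated attributes". The explanation of that bug is otherwise useful to keep as written, since it tells operators why a single `EnvoyFilter` merge affected every listener (shared pointer-typed `listener_filters_timeout`).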
38 changes: 38 additions & 0 deletions
content/en/news/releases/1.24.x/announcing-1.24.2/index.md
@@ -0,0 +1,38 @@ | ||
--- | ||
title: Announcing Istio 1.24.2 | ||
linktitle: 1.24.2 | ||
subtitle: Patch Release | ||
description: Istio 1.24.2 patch release. | ||
publishdate: 2024-12-18 | ||
release: 1.24.2 | ||
--- | ||
|
||
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.24.1 and Istio 1.24.2. | ||
|
||
This release implements the security updates described in our 18th of December post, [`ISTIO-SECURITY-2024-007`](/news/security/istio-security-2024-007). | ||
|
||
{{< relnote >}} | ||
|
||
## Changes | ||
|
||
- **Added** the `DAC_OVERRIDE` capability to the `istio-cni-node` DaemonSet. This fixes issues when running in environments | ||
where certain files are owned by non-root users. | ||
Note: prior to Istio 1.24, the `istio-cni-node` ran as `privileged`. Istio 1.24 removed this, but removed some required | ||
privileges which are now added back. Relatively to Istio 1.23, `istio-cni-node` still has fewer privileges than it does | ||
with this change. | ||
|
||
- **Fixed** Helm rendering to properly apply annotations on Pilot's `ServiceAccount`. | ||
([Issue #51289](https://github.com/istio/istio/issues/51289)) | ||
|
||
- **Fixed** an issue where `istiod` did not handle `RequestAuthentication` correctly for cross-namespace waypoint proxies. | ||
([Issue #54051](https://github.com/istio/istio/issues/54051)) | ||
|
||
- **Fixed** an issue where non-default revisions controlled gateways lacked `istio.io/rev` labels. | ||
([Issue #54280](https://github.com/istio/istio/issues/54280)) | ||
|
||
- **Fixed** an issue where `ExternalName` services failed to resolve when using ambient mode and DNS proxying. | ||
|
||
- **Fixed** an issue preventing the `PodDisruptionBudget` `maxUnavailable` field from being configured. | ||
([Issue #54087](https://github.com/istio/istio/issues/54087)) | ||
|
||
- **Fixed** an issue where injection config errors were being silenced (i.e. logged and not returned) when the sidecar injector was unable to process the sidecar config. This change will now propagate the error to the user instead of continuing to process a faulty config. ([Issue #53357](https://github.com/istio/istio/issues/53357)) |
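Review bot: the last sentence of the `DAC_OVERRIDE` bullet is garbled ("Relatively to Istio 1.23, `istio-cni-node` still has fewer privileges than it does with this change"); from the preceding sentence the intended meaning is that the DaemonSet is still less privileged than it was in 1.23 even after this capability is restored, so suggest "Even with this change, `istio-cni-node` still has fewer privileges than it had in Istio 1.23." Since `DAC_OVERRIDE` lets the process bypass file permission checks, the note explaining why it is being added back is worth keeping for operators who audit CNI pod capabilities. Separately, "non-default revisions controlled gateways" in the `istio.io/rev` bullet should read "gateways controlled by non-default revisions".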
@@ -0,0 +1,26 @@ | ||
--- | ||
title: ISTIO-SECURITY-2024-007 | ||
subtitle: Security Bulletin | ||
description: CVEs reported by Envoy. | ||
cves: [CVE-2024-53269, CVE-2024-53270, CVE-2024-53271] | ||
cvss: "7.5" | ||
vector: "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" | ||
releases: ["1.22.0 to 1.22.6", "1.23.0 to 1.23.3", "1.24.0 to 1.24.1"] | ||
publishdate: 2024-12-18 | ||
keywords: [CVE] | ||
skip_seealso: true | ||
--- | ||
|
||
{{< security_bulletin >}} | ||
|
||
## CVE | ||
|
||
### Envoy CVEs | ||
|
||
- __[CVE-2024-53269](https://github.com/envoyproxy/envoy/security/advisories/GHSA-mfqp-7mmj-rm53)__: (CVSS Score 4.5, Moderate): Happy Eyeballs: Validate that `additional_address` are IP addresses instead of crashing when sorting. | ||
- __[CVE-2024-53270](https://github.com/envoyproxy/envoy/security/advisories/GHSA-q9qv-8j52-77p3)__: (CVSS Score 7.5, High): HTTP/1: sending overload crashes when the request is reset beforehand. | ||
- __[CVE-2024-53271](https://github.com/envoyproxy/envoy/security/advisories/GHSA-rmm5-h2wv-mg4f)__: (CVSS Score 7.1, High): HTTP/1.1: multiple issues with `envoy.reloadable_features.http1_balsa_delay_reset`. | ||
|
||
## Am I Impacted? | ||
|
||
You are impacted if you are using Istio 1.22.0 to 1.22.6, 1.23.0 to 1.23.3, or 1.24 to 1.24.1, please upgrade immediately. If you have created a custom `EnvoyFilter` to enable the Overload manager, avoid using the `http1_server_abort_dispatch` load shed point. |
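Review bot: the "Am I Impacted?" paragraph is a run-on and its version range is inconsistent with the front matter: the prose says "1.24 to 1.24.1" while `releases` lists "1.24.0 to 1.24.1". Suggest "You are impacted if you are using Istio 1.22.0 to 1.22.6, 1.23.0 to 1.23.3, or 1.24.0 to 1.24.1. Please upgrade immediately." The `EnvoyFilter` / `http1_server_abort_dispatch` caveat is the actionable mitigation for users who cannot upgrade at once and should stay in the bulletin as written.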