Announcing Istio 1.3.7

Patch Release

February 4, 2020 | 2 minute read

This release includes bug fixes to improve robustness. This release note describes what’s different between Istio 1.3.6 and Istio 1.3.7.

BEFORE YOU UPGRADE

Things to know and prepare before upgrading.

DOWNLOAD

Download and install this release.

DOCS

Visit the documentation for this release.

SOURCE CHANGES

Inspect the full set of source code changes.

Bug fixes

Fixed root certificate rotation in Citadel to reuse values from the expiring root certificate into the new root certificate (Issue 19644).
Fixed telemetry to ignore forwarded attributes at the gateway.
Fixed sidecar injection into pods with containers that export no port (Issue 18594).
Added telemetry support for pod names containing periods (Issue 19015).
Added support for generating PKCS#8 private keys in Citadel agent (Issue 19948).

Minor enhancements

Improved injection template to fully specify securityContext, allowing PodSecurityPolicies to properly validate injected deployments (Issue 17318).
Added support for setting the lifecycle for proxy containers.
Added support for setting the Mesh UID in the Stackdriver Mixer adapter (Issue 17952).

Security update

ISTIO-SECURITY-2020-002 Mixer policy check bypass caused by improperly accepting certain request headers.

CVE-2020-8843: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress. Istio 1.3 to 1.3.6 is vulnerable.

Was this information useful?

Do you have any suggestions for improvement?

Thanks for your feedback!