Announcing Istio 1.4.9
Patch Release
This release contains bug fixes to improve robustness and fixes for the security vulnerabilities described in our May 12th, 2020 news post. This release note describes what’s different between Istio 1.4.9 and Istio 1.4.8.
Security update
- ISTIO-SECURITY-2020-005 Denial of Service with Telemetry V2 enabled.
  CVE-2020-10739: By sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. The packet could be sent to the ingress gateway or a sidecar.
Bug Fixes
- Fixed the Helm installer to install Kiali using a dynamically generated signing key.
- Fixed Citadel to ignore namespaces that are not part of the mesh.
- Fixed the Istio operator installer to print the name of any resources that are not ready when an installation timeout occurs.