Istio 1.1.14

This release includes an important security update. This release note describes what’s different between Istio 1.1.13 and Istio 1.1.14.

Security update

Following the previous fixes for the security vulnerabilities described in our August 13th, 2019 blog post, we are now addressing the internal control plane communication surface. These security fixes were not available at the time of our previous security release, and we considered the control plane gRPC surface to be harder to exploit.

You can find the gRPC vulnerability fix description on their mailing list (c.f. HTTP/2 Security Vulnerabilities).

Bug fix

  • Fix an Envoy bug that breaks and other clients that attempt to upgrade from HTTP/1.1 to HTTP/2 using the Upgrade: h2c header (Issue 16391).