Announcing Istio 1.16.4
Istio 1.16.4 patch release.
This release fixes the security vulnerabilities described in our April 4th post, ISTIO-SECURITY-2023-001. This release note describes what’s different between Istio 1.16.3 and 1.16.4.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
CVE-2023-27487: (CVSS Score 8.2, High): Client may fake the header
CVE-2023-27488: (CVSS Score 5.4, Moderate): gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.
CVE-2023-27491: (CVSS Score 5.4, Moderate): Envoy forwards invalid HTTP/2 and HTTP/3 downstream headers.
CVE-2023-27492: (CVSS Score 4.8, Moderate): Crash when a large request body is processed in Lua filter.
CVE-2023-27493: (CVSS Score 8.1, High): Envoy doesn’t escape HTTP header values.
CVE-2023-27496: (CVSS Score 6.5, Moderate): Crash when a redirect url without a state parameter is received in the OAuth filter.
Added support for pushing additional federated trust domains from caCertificates to the peer SAN validator. (Issue #41666)
Fixed overwriting of the label istio.io/rev in injected gateways when istio.io/rev=<tag>. (Issue #33237)
Fixed an issue where you could not change PrivateKeyProvider using proxy-config. (Issue #41760)
Fixed an issue where you could not disable tracing in ProxyConfig. (Issue #31809)
Fixed an issue where istioctl analyze was throwing a SIGSEGV when the optional field ‘filter’ was missing under the EnvoyFilter.ListenerMatch.FilterChainMatch section. (Issue #42831)
Fixed a bug that would cause unexpected behavior when applying access logging configuration based on the direction of traffic. With this fix, access logging configuration for the SERVER direction no longer affects the other direction. (Issue #43371)
Fixed an issue where Cluster.ConnectTimeout was affecting unrelated Clusters. (Issue #43435)
Fixed a bug in istioctl analyze where some messages were missed when there are services with no selector in the analyzed namespace.
Fixed an issue causing VMs using auto-registration to ignore labels other than those defined in a WorkloadGroup. (Issue #32210)
Fixed an issue where istioctl experimental wait printed an undecipherable message when PILOT_ENABLE_CONFIG_DISTRIBUTION_TRACKING is not enabled. (Issue #42967)