Announcing Istio 1.4.4

Istio 1.4.4 patch release.

Feb 11, 2020

This release includes bug fixes to improve robustness and user experience as well as a fix for the security vulnerability described in our February 11th, 2020 news post. This release note describes what’s different between Istio 1.4.3 and Istio 1.4.4.

BEFORE YOU UPGRADE

Things to know and prepare before upgrading.

DOWNLOAD

Download and install this release.

DOCS

Visit the documentation for this release.

SOURCE CHANGES

Inspect the full set of source code changes.

Security update

ISTIO-SECURITY-2020-001 An improper input validation has been discovered in AuthenticationPolicy.

CVE-2020-8595: A bug in Istio’s Authentication Policy exact path matching logic allows unauthorized access to resources without a valid JWT token.

Bug fixes

Fixed Debian packaging of iptables scripts (Issue 19615).
Fixed an issue where Pilot generated a wrong Envoy configuration when the same port was used more than once (Issue 19935).
Fixed an issue where running multiple instances of Pilot could lead to a crash (Issue 20047).
Fixed a potential flood of configuration pushes from Pilot to Envoy when scaling the deployment to zero (Issue 17957).
Fixed an issue where Mixer could not fetch the correct information from the request/response when pod contains a dot in its name (Issue 20028).
Fixed an issue where Pilot sometimes would not send a correct pod configuration to Envoy (Issue 19025).
Fixed an issue where sidecar injector with SDS enabled was overwriting pod securityContext section, instead of just patching it (Issue 20409).

Improvements

Improved Better compatibility with Google CA. (Issues 20530, 20560).
Improved Added analyzer error message when Policies using JWT are not configured properly (Issues 20884, 20767).