Announcing Istio 1.3.7
Istio 1.3.7 patch release.
This release includes bug fixes to improve robustness. This release note describes what’s different between Istio 1.3.6 and Istio 1.3.7.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Bug fixes
- Fixed root certificate rotation in Citadel to reuse values from the expiring root certificate into the new root certificate (Issue 19644).
- Fixed telemetry to ignore forwarded attributes at the gateway.
- Fixed sidecar injection into pods with containers that export no port (Issue 18594).
- Added telemetry support for pod names containing periods (Issue 19015).
- Added support for generating
PKCS#8
private keys in Citadel agent (Issue 19948).
Minor enhancements
- Improved injection template to fully specify
securityContext
, allowingPodSecurityPolicies
to properly validate injected deployments (Issue 17318). - Added support for setting the
lifecycle
for proxy containers. - Added support for setting the Mesh UID in the Stackdriver Mixer adapter (Issue 17952).
Security update
- ISTIO-SECURITY-2020-002 Mixer policy check bypass caused by improperly accepting certain request headers.
CVE-2020-8843: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts x-istio-attributes
header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress. Istio 1.3 to 1.3.6 is vulnerable.