Announcing Istio 1.4.7
Istio 1.4.7 patch release.
This release contains fixes for the security vulnerabilities described in our March 25th, 2020 news post. This release note describes what’s different between Istio 1.4.6 and Istio 1.4.7.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Security Update
- ISTIO-SECURITY-2020-004 Istio uses a hard coded
signing_key
for Kiali.
CVE-2020-1764: Istio uses a default signing key
to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
In addition, another CVE is fixed in this release, described in the Kiali 1.15.1 release.
Changes
- Fixed an issue causing protocol detection to break HTTP2 traffic to gateways (Issue 21230).