Announcing Istio 1.6.5
Istio 1.6.5 patch release.
This release fixes the security vulnerability described in our July 9th, 2020 news post.
This release contains bug fixes to improve robustness. These release notes describe what’s different between Istio 1.6.5 and Istio 1.6.4.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Security update
- CVE-2020-15104:
When validating TLS certificates, Envoy incorrectly allows a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of
*.example.com
, Envoy incorrectly allowsnested.subdomain.example.com
, when it should only allowsubdomain.example.com
.- CVSS Score: 6.6 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C
Changes
- Fixed return the proper source name after Mixer does a lookup by IP if multiple pods have the same IP.
- Improved the sidecar injection control based on revision at a per-pod level (Issue 24801)
- Improved
istioctl validate
to disallow unknown fields not included in the Open API specification (Issue 24860) - Changed
stsPort
tosts_port
in Envoy’s bootstrap file. - Preserved existing WASM state schema for state objects to reference it later as needed.
- Added
targetUri
tostackdriver_grpc_service
. - Updated WASM state to log for Access Log Service.
- Increased default protocol detection timeout from 100 ms to 5 s (Issue 24379)
- Removed UDP port 53 from Istiod.
- Allowed setting
status.sidecar.istio.io/port
to zero (Issue 24722) - Fixed EDS endpoint selection for subsets with no or empty label selector. (Issue 24969)
- Allowed
k8s.overlays
onBaseComponentSpec
. (Issue 24476) - Fixed
istio-agent
to create elliptical curve CSRs whenECC_SIGNATURE_ALGORITHM
is set. - Improved mapping of gRPC status codes into HTTP domain for telemetry.
- Fixed
scaleTargetRef
naming inHorizontalPodAutoscaler
for Istiod (Issue 24809)