Announcing Istio 1.3.5
Patch Release
This release contains fixes for the security vulnerability described in our November 11, 2019 news post as well as bug fixes to improve robustness. This release note describes what’s different between Istio 1.3.4 and Istio 1.3.5.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Security update
- ISTIO-SECURITY-2019-006 A DoS vulnerability has been discovered in Envoy.
CVE-2019-18817: An infinite loop can be triggered in Envoy if the option continue_on_listener_filters_timeout
is set to True, which is the case in Istio. This vulnerability could be leveraged for a DoS attack. If you applied the mitigation mentioned in our November 11, 2019 news post, you can remove the mitigation once you upgrade to Istio 1.3.5 or newer.
Bug fixes
- Fixed Envoy listener configuration for TCP headless services. (Issue #17748)
- Fixed an issue which caused stale endpoints to remain even when a deployment was scaled to 0 replicas. (Issue #14436)
- Fixed Pilot to no longer crash when an invalid Envoy configuration is generated. (Issue 17266)
- Fixed an issue with the
destination_service_name
label not getting populated for TCP metrics related to BlackHole/Passthrough clusters. (Issue 17271) - Fixed an issue with telemetry not reporting metrics for BlackHole/Passthrough clusters when fall through filter chains were invoked. This occurred when explicit
ServiceEntries
were configured for external services. (Issue 17759)
Minor enhancements
- Added support for Citadel to periodically check the root certificate remaining lifetime and rotate expiring root certificates. (Issue 17059)
- Added
PILOT_BLOCK_HTTP_ON_443
boolean environment variable to Pilot. If enabled, this flag prevents HTTP services from running on port 443 in order to prevent conflicts with external HTTP services. This is disabled by default. (Issue 16458)