Announcing Istio 1.5.8
Patch Release
This release fixes the security vulnerability described in our July 9th, 2020 news post.
These release notes describe what’s different between Istio 1.5.8 and Istio 1.5.7.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Security update
- CVE-2020-15104:
When validating TLS certificates, Envoy incorrectly allows wildcards in DNS Subject Alternative Name (SAN) to apply to multiple subdomains. For example, with a SAN of
*.example.com
, Envoy incorrectly allowsnested.subdomain.example.com
, when it should only allowsubdomain.example.com
.- CVSS Score: 6.6 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:N/E:F/RL:O/RC:C
Changes
- Allowed setting
status.sidecar.istio.io/port
to zero (Issue 24722) - Improved
istioctl validate
to disallow unknown fields not included in the Open API specification (Issue 24860) - Fixed a bug in Mixer where it would incorrectly return source names when it did lookup by IP.