Announcing Istio 1.14.5

Istio 1.14.5 patch release.

Oct 11, 2022

This release contains a fix for CVE-2022-39278 and bug fixes to improve robustness. This release note describes what is different between Istio 1.14.4 and Istio 1.14.5.

FYI, This release includes security fixes in Go 1.18.7 (released 2022-10-04) for the archive/tar, net/http/httputil, and regexp packages.

BEFORE YOU UPGRADE

Things to know and prepare before upgrading.

DOWNLOAD

Download and install this release.

DOCS

Visit the documentation for this release.

SOURCE CHANGES

Inspect the full set of source code changes.

Changes

Fixed some ServiceEntry host names can cause non-deterministic Envoy routes. (Issue #38678)
Fixed kube-inject crashes when the pod annotation proxy.istio.io/config is set.
Fixed an issue where the user can not delete the Istio Operator resource with revision if istiod is not running. (Issue #40796)
Fixed an issue that the default idleTimeout for the passthrough cluster was changed to 0s in 1.14.0, disabling the timeout. Restored the previous behavior to using Envoy’s default value of 1 hour. (Issue #41114)
Fixed a bug where the return dynamically generated by jwks was not base64 encoded, causing Envoy to fail to parse it.
Fixed an issue where adding a ServiceEntry could affect an existing ServiceEntry with the same host name. (Issue #40166)
Fixed an issue where a root namespace Sidecar config would be ignored.
Fixed the gateway API integration to not fail when the v1alpha2 version is removed.