Announcing Istio 1.23.6
Istio 1.23.6 patch release.
This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.23.5 and Istio 1.23.6.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
DOWNLOAD
Download and install this release.
DOCS
Visit the documentation for this release.
SOURCE CHANGES
Inspect the full set of source code changes.
Security Updates
- CVE-2025-30157 (CVSS Score 6.5, Medium): Envoy crashes when HTTP
ext_procprocesses local replies.
For the purposes of Istio, this CVE is only exploitable in circumstances where ext_proc is configured via EnvoyFilter.
Changes
Fixed an issue where customizing the workload identity SDS socket name via
WORKLOAD_IDENTITY_SOCKET_FILEdid not work due to the Envoy bootstrap not being updated. (Issue #51979)Fixed an issue where Istiod fails with an LDS error for proxies <1.23 when
meshConfig.accessLogEncodingis set toJSON. (Issue #55116)Fixed an issue where
gatewayinjection template did not respect thekubectl.kubernetes.io/default-logs-containerandkubectl.kubernetes.io/default-containerannotations.Fixed an issue where validation webhook would reject an otherwise valid
connectionPool.tcp.IdleTimeout=0s. (Issue #55409)Fixed an issue where the validation webhook incorrectly reported a warning when a
ServiceEntryconfiguredworkloadSelectorwith DNS resolution. (Issue #50164)Fixed an issue where ingress gateways did not use WDS discovery to retrieve metadata for ambient destinations.
Fixed DNS traffic (UDP and TCP) to now be affected by traffic annotations like
traffic.sidecar.istio.io/excludeOutboundIPRangesandtraffic.sidecar.istio.io/excludeOutboundPorts. Before, UDP/DNS traffic would uniquely ignore these traffic annotations, even if a DNS port was specified, because of the rule structure. The behavior change actually happened in the 1.23 release series, but was left out of the release notes for 1.23. (Issue #53949)