Announcing Istio 1.3.5
This release contains fixes for the security vulnerability described in our November 11, 2019 news post as well as bug fixes to improve robustness. This release note describes what's different between Istio 1.3.4 and Istio 1.3.5.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
- ISTIO-SECURITY-2019-006 A DoS vulnerability has been discovered in Envoy.
CVE-2019-18817: An infinite loop can be triggered in Envoy if the option
continue_on_listener_filters_timeout is set to True, which is the case in Istio. This vulnerability could be leveraged for a DoS attack. If you applied the mitigation mentioned in our November 11, 2019 news post, you can remove the mitigation once you upgrade to Istio 1.3.5 or newer.
- Fixed Envoy listener configuration for TCP headless services. (Issue #17748)
- Fixed an issue which caused stale endpoints to remain even when a deployment was scaled to 0 replicas. (Issue #14436)
- Fixed Pilot to no longer crash when an invalid Envoy configuration is generated. (Issue 17266)
- Fixed an issue with the
destination_service_namelabel not getting populated for TCP metrics related to BlackHole/Passthrough clusters. (Issue 17271)
- Fixed an issue with telemetry not reporting metrics for BlackHole/Passthrough clusters when fall through filter chains were invoked. This occurred when explicit
ServiceEntrieswere configured for external services. (Issue 17759)
- Added support for Citadel to periodically check the root certificate remaining lifetime and rotate expiring root certificates. (Issue 17059)
PILOT_BLOCK_HTTP_ON_443boolean environment variable to Pilot. If enabled, this flag prevents HTTP services from running on port 443 in order to prevent conflicts with external HTTP services. This is disabled by default. (Issue 16458)