Announcing Istio 1.3.7
This release includes bug fixes to improve robustness. This release note describes what’s different between Istio 1.3.6 and Istio 1.3.7.
BEFORE YOU UPGRADE
Things to know and prepare before upgrading.
Download and install this release.
Visit the documentation for this release.
Inspect the full set of source code changes.
- Fixed root certificate rotation in Citadel to reuse values from the expiring root certificate into the new root certificate (Issue 19644).
- Fixed telemetry to ignore forwarded attributes at the gateway.
- Fixed sidecar injection into pods with containers that export no port (Issue 18594).
- Added telemetry support for pod names containing periods (Issue 19015).
- Added support for generating
PKCS#8private keys in Citadel agent (Issue 19948).
- Improved injection template to fully specify
PodSecurityPoliciesto properly validate injected deployments (Issue 17318).
- Added support for setting the
lifecyclefor proxy containers.
- Added support for setting the Mesh UID in the Stackdriver Mixer adapter (Issue 17952).
- ISTIO-SECURITY-2020-002 Mixer policy check bypass caused by improperly accepting certain request headers.
CVE-2020-8843: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts
x-istio-attributes header at ingress that can be used to affect policy decisions when Mixer policy selectively applies to source equal to ingress. Istio 1.3 to 1.3.6 is vulnerable.