Announcing Istio 1.3.7

Patch Release

This release includes bug fixes to improve robustness. This release note describes what's different between Istio 1.3.6 and Istio 1.3.7.

Bug fixes

  • Fixed root certificate rotation in Citadel so that the new root certificate reuses values from the expiring root certificate (Issue 19644).
  • Fixed telemetry to ignore forwarded attributes at the gateway.
  • Fixed sidecar injection into pods with containers that export no port (Issue 18594).
  • Added telemetry support for pod names containing periods (Issue 19015).
  • Added support for generating PKCS#8 private keys in Citadel agent (Issue 19948).

Minor enhancements

  • Improved injection template to fully specify securityContext, allowing PodSecurityPolicies to properly validate injected deployments (Issue 17318).
  • Added support for setting the lifecycle for proxy containers.
  • Added support for setting the Mesh UID in the Stackdriver Mixer adapter (Issue 17952).

Security update

CVE-2020-8843: Under certain circumstances it is possible to bypass a specifically configured Mixer policy. Istio-proxy accepts the x-istio-attributes header at ingress, and this header can be used to affect policy decisions when a Mixer policy selectively applies to source equal to ingress. Istio versions 1.3 to 1.3.6 are vulnerable.
