istio

1
apiVersion: release-notes/v2
2

3
# This YAML file describes the format for specifying a release notes entry for Istio.
4
# This should be filled in for all user facing changes.
5

6
# kind describes the type of change that this represents.
7
# Valid Values are:
8
# - bug-fix -- Used to specify that this change represents a bug fix.
9
# - security-fix -- Used to specify that this change represents a security fix.
10
# - feature -- Used to specify a new feature that has been added.
11
# - test -- Used to describe additional testing added. This file is optional for
12
#   tests, but included for completeness.
13
kind: security-fix
14

15
# area describes the area that this change affects.
16
# Valid values are:
17
# - traffic-management
18
# - security
19
# - telemetry
20
# - installation
21
# - istioctl
22
# - documentation
23
area: security
24

25
# releaseNotes is a markdown listing of any user facing changes. This will appear in the
26
# release notes.
27
releaseNotes:
28
  - |
29
    **Fixed** an issue preventing the use of source principal based authorization at Istio Gateway when the Server's TLS mode is ISTIO_MUTUAL.
30

31
# securityNotes is a markdown listing of any changes related to the security of
32
# Istio.
33
securityNotes:
34
  - |
35
    __Source principal validation at Gateway does not work even with ISTIO_MUTUAL TLS mode__:
36
    When the Gateway server's TLS mode is ISTIO_MUTUAL, Istio's authN filter is not installed on the appropriate filter chain. Consequently, any Istio Authorization policy with source principal based rules will not work when applied to a Gateway workload.
37
    - __CVSS Score__: 5.9 [AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N&version=3.1)
38