On this page

1.28.1

Solo build of Istio version 1.28.1 patch release.

This release note describes what’s different between Solo builds of Istio versions 1.28.0-patch0 and 1.28.1.

Security Notice

This build includes a fix of Envoy CVEs:

CVE-2025-66220: (CVSS score 8.1, High): TLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates with OTHERNAME SANs containing an embedded null byte as valid.
CVE-2025-64527: (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with the remote JWKS fetching.
CVE-2025-64763: (CVSS score 5.3, Medium): Potential request smuggling from early data after the CONNECT upgrade.

General Changes

Built against upstream Istio version 1.28.1, release note can be found here.

Solo Flavor Changes

Added network configuration validation to istioctl multicluster check.
Added validation for the compatibility of intermediate certificates between peered clusters using istioctl multicluster check.
Fixed an issue encountered during upgrades from 1.27, where WorkloadEntry resources for Pods in remote clusters were not reachable on the same network.

FIPS Flavor Changes

No changes in this section.