<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
<channel>
  <title>Solo Istio Builds Release Feed</title>
  <link>https://github.com/solo-io/istio</link>
  <description>Latest Istio releases by Solo.io</description>
  <language>en-us</language>

  <item>
    <title>1.25.0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.25.x/announcing-1.25/</guid>
    <pubDate>Tue, 04 Mar 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.0 patch release.<br/><br/>
This release note describes the changes of Solo builds of Istio version 1.25.

## General

This version was built against upstream [Istio release 1.25.0](https://istio.io/latest/news/releases/1.25.x/announcing-1.25/).

- Added support for EnvoyFilters to be used in waypoints.
- Added support for defining egress policies via Helm installation.
- Added support for multi-network, ECS, and peering installations.
]]></description>
  </item>

  <item>
    <title>1.25.1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.25.x/announcing-1.25.1/</guid>
    <pubDate>Tue, 25 Mar 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.1 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.0 and 1.25.1.

## General

This version was built against upstream [Istio release 1.25.1](https://istio.io/latest/news/releases/1.25.x/announcing-1.25.1/).

- Fixed an issue where improper license checks were being made in FIPS installations.
]]></description>
  </item>

  <item>
    <title>1.25.2-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/istio/istio/commit/6ea8d546ca5f63c0ce43fa0eb6dfdae52eaf66da</guid>
    <pubDate>Fri, 25 Apr 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.2-patch0 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.2 and 1.25.2-patch0.

## General

This version was built against upstream Istio commit [`6ea8d546ca5f63c0ce43fa0eb6dfdae52eaf66da`](https://github.com/istio/istio/commit/6ea8d546ca5f63c0ce43fa0eb6dfdae52eaf66da).

- The peering controller is now a leader-elected function and is also responsible for writing the correct status for istio-remote gateways. Since
  the peering controller now writes the status, the istio-remote gateway is no longer tagged as an unmanaged gateway and the gateway controller is
  no longer responsible for writing the `Programmed: Programmed` and `Accepted: Accepted` status to the istio-remote gateway.
- Removed the distribute-to annotation from the auto-generated remote gateway, as it does not work well when the agent is deployed in the management
  cluster. The configuration distribution annotation is now solely managed by the management server; this corresponds to a change in Gloo Mesh Enterprise.
]]></description>
  </item>

  <item>
    <title>1.25.2</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.25.x/announcing-1.25.2/</guid>
    <pubDate>Tue, 15 Apr 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.2 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.1 and 1.25.2.

## General

This version was built against upstream [Istio release 1.25.2](https://istio.io/latest/news/releases/1.25.x/announcing-1.25.2/).

No other Solo-specific changes were included in this build.
]]></description>
  </item>

  <item>
    <title>1.25.3</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.25.x/announcing-1.25.3/</guid>
    <pubDate>Tue, 13 May 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.3 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.2 and 1.25.3.

## Security Notice

This build includes resolution of Envoy [CVE-2025-46821](https://nvd.nist.gov/vuln/detail/CVE-2025-46821).

## General

This version was built against upstream [Istio release 1.25.3](https://istio.io/latest/news/releases/1.25.x/announcing-1.25.3/).

No other Solo-specific changes were included in this build.
]]></description>
  </item>

  <item>
    <title>1.25.4</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.25.x/announcing-1.25.4/</guid>
    <pubDate>Tue, 26 Aug 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.4 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.3 and 1.25.4.

## General

This version was built against upstream [Istio release 1.25.4](https://istio.io/latest/news/releases/1.25.x/announcing-1.25.4/).

No other Solo-specific changes were included in this build.
]]></description>
  </item>

  <item>
    <title>1.25.5-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.25.5-patch0</guid>
    <pubDate>Mon, 20 Oct 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.5-patch0 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.5 and 1.25.5-patch0, a Solo-specific release.

## Security Notice

This build includes fixes for the Envoy CVEs:
- [CVE-2025-62504](https://nvd.nist.gov/vuln/detail/CVE-2025-62504): (CVSS score 6.5, Medium): Lua modified large enough response body will cause Envoy to crash.
- [CVE-2025-62409](https://nvd.nist.gov/vuln/detail/CVE-2025-62409): (CVSS score 6.6, Medium): Large requests and responses can cause TCP connection pool crash.

## General Changes

- Bumped base image of the distroless variant to pick up fixes for [CVE-2025-8058](https://nvd.nist.gov/vuln/detail/CVE-2025-8058).

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.25.5-patch1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.25.5-patch1</guid>
    <pubDate>Thu, 04 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.5-patch1 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.5-patch0 and 1.25.5-patch1, a Solo-specific release.

## Security Notice

This build includes fixes for the following Envoy CVEs:
- __[CVE-2025-66220](https://nvd.nist.gov/vuln/detail/CVE-2025-66220)__: (CVSS score 8.1, High): TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates with `OTHERNAME` SANs containing an embedded null byte as valid.
- __[CVE-2025-64527](https://nvd.nist.gov/vuln/detail/CVE-2025-64527)__: (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with the remote JWKS fetching.
- __[CVE-2025-64763](https://nvd.nist.gov/vuln/detail/CVE-2025-64763)__: (CVSS score 5.3, Medium): Potential request smuggling from early data after the CONNECT upgrade.

## General

This release only features changes related to the Envoy CVEs listed above.

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.25.5-patch2</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.25.5-patch2</guid>
    <pubDate>Mon, 22 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.5-patch2 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.5-patch1 and 1.25.5-patch2, a Solo-specific release.

## Security Notice

This build includes a fix for a CVE in the c-ares dependency of Envoy:
- __[CVE-2025-62408](https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5)__: (CVSS score 5.9, Medium): Use after free due to connection being cleaned up after error.

## General

This release only features changes related to the above CVE.

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.25.5-patch3</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.25.5-patch3</guid>
    <pubDate>Fri, 30 Jan 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.5-patch3 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.25.5-patch2 and 1.25.5-patch3.

## Security Notice

When using peered global services in sidecar environments, the generated Envoy cluster configuration was missing the `tlsMode: istio` transport socket match, causing local sidecar-to-sidecar traffic to be sent as plaintext. In environments where strict mTLS was used, connectivity would break.

## Solo Flavor Changes

- **Fixed** east-west gateway TLS listeners showing an incorrect `UnsupportedProtocol` status when `PILOT_ENABLE_ALPHA_GATEWAY_API` was disabled.

- **Fixed** an issue causing Envoy clusters for peered global services to not have the tlsMode-istio transport socket configured.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.25.5-patch4</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.25.5-patch4</guid>
    <pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.5-patch4 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.25.5-patch3 and 1.25.5-patch4.

## Security Notice

- [CVE-2025-61732](https://github.com/advisories/GHSA-8jvr-vh7g-f8gx) (CVSS score 8.6, High): A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- [CVE-2025-68121](https://github.com/advisories/GHSA-h355-32pf-p2xm) (CVSS score 4.8, Moderate): A flaw in `crypto/tls` session resumption allows resumed handshakes to succeed when they should fail if ClientCAs or RootCAs are mutated between the initial and resumed handshake. This can occur when using `Config.Clone` with mutations or `Config.GetConfigForClient`. As a result, clients may resume sessions with unintended servers, and servers may resume sessions with unintended clients.

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.25.5</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.25.x/announcing-1.25.5/</guid>
    <pubDate>Wed, 03 Sep 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.25.5 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.25.4 and 1.25.5.

## Security Notice

This build includes a fix for the following Envoy CVE:
- [CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh) (CVSS score: 6.3, Moderate): "oAuth2 Filter Signout route will not clear cookies because of missing 'Secure;' flag."

## General

This version was built against upstream [Istio release 1.25.5](https://istio.io/latest/news/releases/1.25.x/announcing-1.25.5/).

- **Added** the telemetry field `pilot_xds_recv_max` to allow monitoring the maximum size of XDS requests received through gRPC. This is a backport of an upstream feature that will be introduced in Istio 1.28.
]]></description>
  </item>

  <item>
    <title>1.26.0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.26.x/announcing-1.26/</guid>
    <pubDate>Wed, 28 May 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.0 patch release.<br/><br/>
This release note describes the changes of Solo builds of Istio version 1.26.

## General

This version was built against upstream [Istio release 1.26.0](https://istio.io/latest/news/releases/1.26.x/announcing-1.26/).

No other Solo-specific changes included in this build.
]]></description>
  </item>

  <item>
    <title>1.26.1-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/istio/istio/commit/06050b371eba3eb23c204a478c20a476f2cfa337</guid>
    <pubDate>Wed, 11 Jun 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.1-patch0 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.26.1 and 1.26.1-patch0, a Solo-specific build.

## General

This version was built against upstream Istio commit [`06050b371eba3eb23c204a478c20a476f2cfa337`](https://github.com/istio/istio/commit/06050b371eba3eb23c204a478c20a476f2cfa337).

- Fixed an issue in ztunnel's outlier detection's backoff calculation, which could overflow when too many consecutive failures occurred.

## FIPS Flavor

- Fixed an issue where istiod would return an error when a license was not set in FIPS builds of the proxy. Licensing will become enforced in 1.28.
]]></description>
  </item>

  <item>
    <title>1.26.1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.26.x/announcing-1.26.1/</guid>
    <pubDate>Fri, 30 May 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.1 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.26.0 and 1.26.1.

## General

This version was built against upstream [Istio release 1.26.1](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.1/).

No other Solo-specific changes included in this build.
]]></description>
  </item>

  <item>
    <title>1.26.2-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/istio/istio/commit/1ee7aa2f2f950c914c72cbbb96e21f02274dec97</guid>
    <pubDate>Tue, 22 Jul 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.2-patch0 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.26.2 and 1.26.2-patch0, a Solo-specific build.

## General

This version was built against upstream Istio commit [`1ee7aa2f2f950c914c72cbbb96e21f02274dec97`](https://github.com/istio/istio/commit/1ee7aa2f2f950c914c72cbbb96e21f02274dec97).

- Fixed an issue where waypoints would duplicate routes when TCP and UDP ports shared the same port number.
- Added an override for gateway addresses for multi-network peering.
- Fixed an issue in EDS where East/West Gateway endpoints were missing from waypoints when more than two clusters were peered.
- Fixed locality weights with multi-network peering.
]]></description>
  </item>

  <item>
    <title>1.26.2</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.26.x/announcing-1.26.2/</guid>
    <pubDate>Mon, 23 Jun 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.2 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.26.1-patch0 and 1.26.2.

## General

This version was built against upstream [Istio release 1.26.2](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.2/).

No other Solo-specific changes were included in this build.
]]></description>
  </item>

  <item>
    <title>1.26.3-patch1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/istio/istio/commit/00a1751421300ce4aaf9ac5366b140b854dcfe36</guid>
    <pubDate>Tue, 12 Aug 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.3-patch1 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.26.3 and 1.26.3-patch1, a Solo-specific build.

## General

This version was built against upstream Istio commit [`00a1751421300ce4aaf9ac5366b140b854dcfe36`](https://github.com/istio/istio/commit/00a1751421300ce4aaf9ac5366b140b854dcfe36).

- Backported a fix for Envoy where the TLS inspector listener filter timed out when used with other listener filters.
]]></description>
  </item>

  <item>
    <title>1.26.3</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.26.x/announcing-1.26.3/</guid>
    <pubDate>Tue, 22 Jul 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.3 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.26.2-patch0 and 1.26.3.

## General

This version was built against upstream [Istio release 1.26.3](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.3/).

- Replaced `istio.io/expose-istiod-address` with a more general `istio.io/expose-gateway-address` annotation which drives the address list in gateway statuses.
    It will be picked up when generating istio-remote Gateways for multicluster and bootstrap generation for ECS to determine how to reach istiod for XDS.
    Istiod will program proxies to send cross-network traffic over the address(es) configured by this annotation.
]]></description>
  </item>

  <item>
    <title>1.26.4</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.26.x/announcing-1.26.4/</guid>
    <pubDate>Wed, 03 Sep 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.4 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.26.3 and 1.26.4.

## Security Notice

This build includes fixes for the following Envoy CVEs:
- [CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh) (CVSS score: 6.3, Moderate): "oAuth2 Filter Signout route will not clear cookies because of missing 'Secure;' flag."
- [CVE-2025-54588](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw) (CVSS score: 7.5, High): "Use after free in DNS cache"

## General

This version was built against upstream [Istio release 1.26.4](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.4/).

- **Added** the telemetry field `pilot_xds_recv_max` to allow monitoring the maximum size of XDS requests received through gRPC. This is a backport of an upstream feature that will be introduced in Istio 1.
]]></description>
  </item>

  <item>
    <title>1.26.5</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.26.5</guid>
    <pubDate>Wed, 15 Oct 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.5 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.26.4 and 1.26.5.

## General Changes

- Built against upstream Istio version 1.26.5; the release notes can be found [here](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.5/).

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.26.6</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.26.6</guid>
    <pubDate>Mon, 20 Oct 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.6 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.26.5 and 1.26.6.

## Security Notice

This build includes fixes for the Envoy CVEs:
- [CVE-2025-62504](https://nvd.nist.gov/vuln/detail/CVE-2025-62504): (CVSS score 6.5, Medium): Lua modified large enough response body will cause Envoy to crash.
- [CVE-2025-62409](https://nvd.nist.gov/vuln/detail/CVE-2025-62409): (CVSS score 6.6, Medium): Large requests and responses can cause TCP connection pool crash.

## General Changes

- Built against upstream Istio version 1.26.6; the release notes can be found [here](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.6/).

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.26.7</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.26.7</guid>
    <pubDate>Thu, 04 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.7 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.26.6 and 1.26.7.

## Security Notice

This build includes fixes for the following Envoy CVEs:
- __[CVE-2025-66220](https://nvd.nist.gov/vuln/detail/CVE-2025-66220)__: (CVSS score 8.1, High): TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates with `OTHERNAME` SANs containing an embedded null byte as valid.
- __[CVE-2025-64527](https://nvd.nist.gov/vuln/detail/CVE-2025-64527)__: (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with the remote JWKS fetching.
- __[CVE-2025-64763](https://nvd.nist.gov/vuln/detail/CVE-2025-64763)__: (CVSS score 5.3, Medium): Potential request smuggling from early data after the CONNECT upgrade.

## General Changes

- Built against upstream Istio version 1.26.7; the release notes can be found [here](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.7/).

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.26.8-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.26.8-patch0</guid>
    <pubDate>Fri, 30 Jan 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.8-patch0 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.26.8 and 1.26.8-patch0.

## Security Notice

When using peered global services in sidecar environments, the generated Envoy cluster configuration was missing the `tlsMode: istio` transport socket match, causing local sidecar-to-sidecar traffic to be sent as plaintext. In environments where strict mTLS was used, connectivity would break.

## Solo Flavor Changes

- **Fixed** east-west gateway TLS listeners showing an incorrect `UnsupportedProtocol` status when `PILOT_ENABLE_ALPHA_GATEWAY_API` was disabled.

- **Fixed** an issue causing Envoy clusters for peered global services to not have the tlsMode-istio transport socket configured.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.26.8-patch1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.26.8-patch1</guid>
    <pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.8-patch1 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.26.8-patch0 and 1.26.8-patch1.

## Security Notice

- [CVE-2025-61732](https://github.com/advisories/GHSA-8jvr-vh7g-f8gx) (CVSS score 8.6, High): A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- [CVE-2025-68121](https://github.com/advisories/GHSA-h355-32pf-p2xm) (CVSS score 4.8, Moderate): A flaw in `crypto/tls` session resumption allows resumed handshakes to succeed when they should fail if ClientCAs or RootCAs are mutated between the initial and resumed handshake. This can occur when using `Config.Clone` with mutations or `Config.GetConfigForClient`. As a result, clients may resume sessions with unintended servers, and servers may resume sessions with unintended clients.

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.26.8</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.26.8</guid>
    <pubDate>Mon, 22 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.26.8 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.26.7 and 1.26.8.

## Security Notice

This build includes a fix for a CVE in the c-ares dependency of Envoy:
- __[CVE-2025-62408](https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5)__: (CVSS score 5.9, Medium): Use after free due to connection being cleaned up after error.

## General Changes

- Built against upstream Istio version 1.26.8; the release notes can be found [here](https://istio.io/latest/news/releases/1.26.x/announcing-1.26.8/).

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.0-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.0-patch0</guid>
    <pubDate>Mon, 25 Aug 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.0-patch0 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.27.0 and 1.27.0-patch0.

## General

This version was built against upstream [Istio commit 43a803a4813f49224e199e412f0a5efbe2ea92db](https://github.com/istio/istio/commit/43a803a4813f49224e199e412f0a5efbe2ea92db). [Comparison](https://github.com/istio/istio/compare/1.27.0..43a803a4813f49224e199e412f0a5efbe2ea92db)

- **Bumped** Envoy dependency to [9fadb0ac6f6637742f8c85b9ede005d43fcd1b0c](https://github.com/envoyproxy/envoy/commit/9fadb0ac6f6637742f8c85b9ede005d43fcd1b0c)
    to pick up additional bug fixes. [Comparison](https://github.com/envoyproxy/envoy/compare/84305a6cb64bd55aaf606bdd53de7cd6080427a1..9fadb0ac6f6637742f8c85b9ede005d43fcd1b0c)

## Solo Flavor Changes

- **Fixed** an issue where ambient workloads attempted to send HBONE to plaintext workloads on other clusters
    when using flat-network multicluster configurations.
]]></description>
  </item>

  <item>
    <title>1.27.0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.27.x/announcing-1.27/</guid>
    <pubDate>Wed, 13 Aug 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.0 patch release.<br/><br/>
This release note describes the changes of Solo builds of Istio version 1.27.

## General

This version was built against upstream [Istio release 1.27.0](https://istio.io/latest/news/releases/1.27.x/announcing-1.27/).

- **Added** istiod support for per-service account mTLS egress via a single waypoint.
    - This is enabled by adding the environment variable `PERMIT_CROSS_NAMESPACE_RESOURCE_ACCESS` to istiod. The value is a comma-separated list of `namespace/gateway` pairs, where gateway is the name of the waypoint's service account.
    - This also includes sample manifests under `samples/solo-mtls-egress` to demonstrate how to use this feature.
    - This feature requires a valid license capable of enabling our EnvoyFilter waypoint support.

- **Added** the command `istioctl multicluster check` which will iterate through a few different checks on the status of multicluster for the current Kubernetes context. The following checks are performed:
    - Checks the license in use by each istiod and validates that it supports multicluster
    - Checks the health of all istiod, ztunnel, and eastwest gateway pods
    - Checks that the eastwest gateway is programmed
    - Checks that each remote gateway has a `gloo.solo.io/PeeringSucceeded` status of `True`

- **Added** syncing of peer connection status to remote Gateways

- **Added** to the `istioctl multicluster check` command, a flag to pass in multiple contexts and run checks against all of them.

- **Improved** the `istioctl multicluster check` command to use the new `gloo.solo.io/PeerConnected` gateway condition which accurately reflects the current connected status of istiod to remote peers.

- **Fixed** an issue where, if a Service only existed in the remote cluster, the local cluster
  could not apply L7 policies via a local sidecar or waypoint. The local cluster can now apply them as long as the remote
  Service properly declares an L7 protocol via the port name or `appProtocol`.

- **Fixed** the `istioctl multicluster check` command's pod check being inconsistently ordered.

- **Fixed** an issue where locality information was not being propagated for peered
    multi-cluster resources when the `istio-remote` Gateway's
    `topology.kubernetes.io/zone` and `topology.kubernetes.io/region` labels
    were updated without restarting istiod. Now, the labels changing will trigger
    an update without a restart.

- **Fixed** an issue with locality weighting in multi-network cases.
]]></description>
  </item>

  <item>
    <title>1.27.1-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.1-patch0</guid>
    <pubDate>Fri, 05 Sep 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.1-patch0 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.27.1 and 1.27.1-patch0.

## General

This version was built against upstream [Istio commit b97585886f7c4040c25c8ba0e5b883302c33e57f](https://github.com/istio/istio/commit/b97585886f7c4040c25c8ba0e5b883302c33e57f). [Comparison](https://github.com/istio/istio/compare/1.27.1..b97585886f7c4040c25c8ba0e5b883302c33e57f)

## Solo Flavor Changes

- **Fixed** multi-cluster traffic breaking when each cluster uses a different trust domain.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.1-patch1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.1-patch1</guid>
    <pubDate>Mon, 15 Sep 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.1-patch1 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.1 and 1.27.1-patch1.

## General Changes

- Built against upstream [Istio commit `834871d5c9985ff9caadd5404a4bd5057487d885`](https://github.com/istio/istio/commits/834871d5c9985ff9caadd5404a4bd5057487d885/). [Compare](https://github.com/istio/istio/compare/1.27.1..834871d5c9985ff9caadd5404a4bd5057487d885).

## Solo Flavor Changes

- **Improved** the experience when using `istioctl multicluster check` against installations <1.27 by checking
    the `gloo.solo.io/PeeringSucceeded` remote gateway condition.

- **Fixed** if a Service only exists in the remote cluster, the local cluster
    will now be able to apply L7 policy via a local sidecar or waypoint, as long
    as the remote Service properly declares an L7 protocol via the port name or
    `appProtocol`.

- **Fixed** Services with `solo.io/service-scope=global-only` will now be reachable via
    standard Kubernetes service hostnames whether the local cluster has a copy of the
    service or not.

- **Fixed** istiod crash when supplying a license to a FIPS-compliant version using a license secret.

- **Fixed** deleting a remote service did not delete the corresponding service entry in the local cluster.

- **Fixed** multi-cluster traffic breaking when each cluster uses a different trust domain.

- **Fixed** to-workload traffic through a waypoint failing when peering is
    enabled (regardless of actual multi-cluster installation or traffic).

- **Fixed** traffic routing through the local cluster's waypoint proxy when a
    service exists only on remote cluster, but the same waypoint is also deployed
    locally. Traffic now correctly routes to remote waypoint proxies when the
    service only exists remotely.

- **Fixed** rare istiod crash when using multi-cluster ambient with waypoints.

- **Fixed** traffic breaking when a waypoint from the local cluster is deleted
    while one still exists on the remote cluster.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://istio.io/latest/news/releases/1.27.x/announcing-1.27.1/</guid>
    <pubDate>Thu, 04 Sep 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.1 patch release.<br/><br/>
This release note describes the changes of Solo builds between Istio versions 1.27.0-patch0 and 1.27.1.

## Security Notice

This build includes fixes of the Envoy CVEs:
- [CVE-2025-55162](https://github.com/envoyproxy/envoy/security/advisories/GHSA-95j4-hw7f-v2rh) (CVSS score: 6.3, Moderate): "oAuth2 Filter Signout route will not clear cookies because of missing 'Secure;' flag."
- [CVE-2025-54588](https://github.com/envoyproxy/envoy/security/advisories/GHSA-g9vw-6pvx-7gmw) (CVSS score: 7.5, High): "Use after free in DNS cache."

## General

This version was built against upstream [Istio release 1.27.1](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.1/).

## Solo Flavor Changes

- **Added** the telemetry field `pilot_xds_recv_max` to allow monitoring the maximum size of XDS requests received through gRPC. This is a backport of an upstream feature that will be introduced in Istio 1.28.

- **Fixed** a race condition that occasionally missed global Services when peering from remote clusters.

- **Fixed** an issue where changes to Service resources were not propagated to their associated global services.

- **Fixed** an issue where any external modification of auto-generated resources for multi-cluster peering would be restored to its original state.

- **Fixed** a race condition where gateway status updates were conflicting with gateway updates. Retries are now attempted when an error occurs.

- **Fixed** ambient workloads attempting to send HBONE to plaintext workloads on other clusters when using flat network multicluster.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.2</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.2</guid>
    <pubDate>Wed, 15 Oct 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.2 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.1-patch1 and 1.27.2.

## General Changes

- Built against upstream Istio version 1.27.2, release note can be found [here](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.2/).

## Solo Flavor Changes

- **Added** support for labeling Namespaces with `solo.io/service-scope` to allow setting the default scope for all services in the namespace. Labeling individual Services will take precedence over the Namespace label. Setting the scope to "cluster" allows opting out an individual service when the namespace is marked as "global" or "global-only".

- **Fixed** an issue where traffic did not traverse remote-only waypoints with flat networking.

- **Fixed** an issue where in connections to east/west gateways from Envoy proxies
    (sidecar, waypoint, ingress), the outer HBONE connection used port 15008,
    rather than the HBONE port specified in the istio-remote gateway. This
    presented a problem when specifying NodePort east/west gateways.

- **Fixed** missing gateway reconciliation statuses for service-type changes.

- **Fixed** an issue where locality information was not being propagated for peered
    multi-cluster resources when the `istio-remote` Gateway's
    `topology.istio.io/subzone` was specified.

- **Fixed** an issue where workloads added with the `--external` flag using `istioctl bootstrap` or `istioctl ecs add-server`
    wouldn't be able to route traffic due to no `networkGateway` being attached.

- **Removed** an incorrect `UnsupportedProtocol` warning from Gateway resources for east-west gateways.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.3-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.3-patch0</guid>
    <pubDate>Wed, 19 Nov 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.3-patch0 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.3 and 1.27.3-patch0.

## General Changes

- Built against upstream [Istio commit `44bd16d30604528e2b16628f3dd687625a96b773`](https://github.com/istio/istio/commits/44bd16d30604528e2b16628f3dd687625a96b773/). [Compare](https://github.com/istio/istio/compare/1.27.3..44bd16d30604528e2b16628f3dd687625a96b773).

## Solo Flavor Changes

- **Added** an environment variable to istiod `DISABLE_LEGACY_MULTICLUSTER`
    to disable legacy remote secrets based multi-cluster. This is useful for
    migrating from a legacy sidecar environment by setting this on the new
    revision of the control plane.

- **Fixed** invalid service entry generation when service port is not named.

- **Fixed** local eastwest gateways not being translated into `networkGateways` when the cluster name matches the network ID.

- **Fixed** incorrect trust domain set on peered flat-networking workloads.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.3</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.3</guid>
    <pubDate>Tue, 21 Oct 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.3 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.2 and 1.27.3.

## Security Notice

This build includes fixes for the Envoy CVEs:
- [CVE-2025-62504](https://nvd.nist.gov/vuln/detail/CVE-2025-62504): (CVSS score 6.5, Medium): Lua modified large enough response body will cause Envoy to crash.
- [CVE-2025-62409](https://nvd.nist.gov/vuln/detail/CVE-2025-62409): (CVSS score 6.6, Medium): Large requests and responses can cause TCP connection pool crash.

## General Changes

- Built against upstream Istio version 1.27.3, release note can be found [here](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.3/).

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.4</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.4</guid>
    <pubDate>Thu, 04 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.4 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.3-patch0 and 1.27.4.

## Security Notice

This build includes fixes for Envoy CVEs:
- __[CVE-2025-66220](https://nvd.nist.gov/vuln/detail/CVE-2025-66220)__: (CVSS score 8.1, High): TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates with `OTHERNAME` SANs containing an embedded null byte as valid.
- __[CVE-2025-64527](https://nvd.nist.gov/vuln/detail/CVE-2025-64527)__: (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with the remote JWKS fetching.
- __[CVE-2025-64763](https://nvd.nist.gov/vuln/detail/CVE-2025-64763)__: (CVSS score 5.3, Medium): Potential request smuggling from early data after the CONNECT upgrade.

## General Changes

- Built against upstream Istio version 1.27.4, release note can be found [here](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.4/).

## Solo Flavor Changes

- **Added** network configuration validation to `istioctl multicluster check`.

- **Added** validation for the compatibility of intermediate certificates between peered clusters using `istioctl multicluster check`.

- **Added** support for generating Gateway manifests for multiple contexts at once using `istioctl multicluster link --generate`.

- **Fixed** an issue where the protocol was reset to TCP on global services after an istiod restart.
    When using waypoints, this could suddenly stop `HTTPRoutes` or other L7 policies from applying.

- **Fixed** an issue where traffic would skip local waypoints when there were no healthy endpoints. The traffic will now fail.

- **Fixed** an issue with peering with a flat network, when `istio.io/use-waypoint` was
    set on the namespace (in the local cluster), with Services in both the local
    and remote clusters, the Waypoint specified by the remote cluster
    incorrectly took precedence over what was specified in the local cluster.

- **Fixed** an issue with peering with a flat network, when `istio.io/use-waypoint` was
    NOT set on the local cluster for a Service or Namespace, but remote
    clusters did specify it, we would use no waypoint at all. Now, if the local
    cluster doesn't specify anything, we will use information from the remote
    cluster. To intentionally skip using remote waypoints from the local cluster,
    set `istio.io/use-waypoint: none`.

- **Fixed** an issue with flat-network peering not cleaning up stale endpoints from remote clusters.

- **Fixed** a rare issue where peered service ports or other settings would get stuck
    in an incorrect state when the Service is created both locally and in a peered cluster
    in a nearly identical timeframe.

- **Fixed** an issue where sidecars and gateways did not respect load balancing settings or perform locality load balancing
    when sending to a waypoint.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.5-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.5-patch0</guid>
    <pubDate>Fri, 30 Jan 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.5-patch0 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.5 and 1.27.5-patch0.

## Security Notice

When using peered global services in sidecar environments, the generated Envoy cluster configuration was missing the `tlsMode: istio` transport socket match, causing local sidecar-to-sidecar traffic to be sent as plaintext. In environments where strict mTLS was used, connectivity would break.

## General Changes

- Built against upstream Istio version 1.27.5-patch0, release note can be found [here](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.5/).
- Built against upstream [Istio commit `199ed8c485d2eec26cb87c8863dfff6b0b2cc8b7`](https://github.com/istio/istio/commits/199ed8c485d2eec26cb87c8863dfff6b0b2cc8b7/). [Compare](https://github.com/istio/istio/compare/1.27.5..199ed8c485d2eec26cb87c8863dfff6b0b2cc8b7).

## Solo Flavor Changes

- **Improved** `istioctl multicluster check` to show gateway addresses, peer cluster addresses, and globally shared services.

- **Improved** `istioctl multicluster check` by skipping the stale workload check unless flat-network is detected.

- **Added** support to retry failed remote peer creation or updates when `PEERING_AUTOMATIC_LOCAL_GATEWAY` is enabled.

- **Fixed** an issue where the remote peer did not have its address updated when `PEERING_AUTOMATIC_LOCAL_GATEWAY` is enabled.
- **Fixed** an issue where istiod would generate invalid `WorkloadEntry` resources when remote services had unnamed ports.

- **Fixed** east-west gateway TLS listeners showing an incorrect `UnsupportedProtocol` status when `PILOT_ENABLE_ALPHA_GATEWAY_API` was disabled.

- **Fixed** an issue causing Envoy clusters for peered global services to not have the tlsMode-istio transport socket configured.

- **Fixed** an issue where the control plane did not immediately reconnect when the address in the istio-remote `Gateway` resource was updated.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.5</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.5</guid>
    <pubDate>Mon, 22 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.5 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.3-patch0 and 1.27.4.

## Security Notice

This build includes a fix of a CVE in the c-ares dependency of Envoy:
- __[CVE-2025-62408](https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5)__: (CVSS score 5.9, Medium): Use after free due to connection being cleaned up after error.

## General Changes

- Built against upstream Istio version 1.27.5, release note can be found [here](https://istio.io/latest/news/releases/1.27.x/announcing-1.27.5/).

## Solo Flavor Changes

No changes in this section.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.27.7</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.27.7</guid>
    <pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.27.7 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.5-patch0 and 1.27.7.

## Security Notice

- [CVE-2025-61732](https://github.com/advisories/GHSA-8jvr-vh7g-f8gx) (CVSS score 8.6, High): A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- [CVE-2025-68121](https://github.com/advisories/GHSA-h355-32pf-p2xm) (CVSS score 4.8, Moderate): A flaw in `crypto/tls` session resumption allows resumed handshakes to succeed when they should fail if ClientCAs or RootCAs are mutated between the initial and resumed handshake. This can occur when using `Config.Clone` with mutations or `Config.GetConfigForClient`. As a result, clients may resume sessions with unintended servers, and servers may resume sessions with unintended clients.

## General Changes

- Built against upstream [Istio commit `907c5bdcf7d00be35f7406904f1415dcbf0956a3`](https://github.com/istio/istio/commits/907c5bdcf7d00be35f7406904f1415dcbf0956a3/). [Compare](https://github.com/istio/istio/compare/199ed8c485d2eec26cb87c8863dfff6b0b2cc8b7..907c5bdcf7d00be35f7406904f1415dcbf0956a3).

## Solo Flavor Changes

- **Added** support to retrieve connections from east-west gateway via the `istioctl ztunnel-config connections` subcommand.

- **Added** enhanced validation checks in `istioctl multicluster check` for flat network configurations.

- **Added** support for the east-west gateway to break connections to pods that are terminated.

- **Added** the ability to specify authorized namespaces for debug endpoints when `ENABLE_DEBUG_ENDPOINT_AUTH=true`. Enable by
    setting `DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES` to a comma separated list of authorized namespaces. The system namespace
    (typically `istio-system`) is always authorized.

- **Fixed** the `istioctl bootstrap` command to respect the `-i` istio system namespace flag.

- **Fixed** the `istioctl ecs add-service` command to respect the `-i` istio system namespace flag.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.0-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.0-patch0</guid>
    <pubDate>Mon, 24 Nov 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.0-patch0 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.0 and 1.28.0-patch0.

## General Changes

- Built against upstream [Istio commit `58e3a8858ba42d5a5633c321d335c0ba95247b67`](https://github.com/istio/istio/commits/58e3a8858ba42d5a5633c321d335c0ba95247b67/). [Compare](https://github.com/istio/istio/compare/1bbe8a0e88b1cc1f8217408192b54ee374edc479..58e3a8858ba42d5a5633c321d335c0ba95247b67).

## Solo Flavor Changes

- **Added** a new CLI option, `--data-plane-service-type`, to the `istioctl multicluster expose` command.
    This option allows specifying a comma-delimited list of the dataplane service types that peers can use to connect with the exposed gateway.
    Valid values are: `loadbalancer` or `nodeport`, with the default being `loadbalancer`.

- **Added** a new CLI option, `--preferred-data-plane-service-type`, to the `istioctl multicluster link` command.
    This option allows specifying the preferred dataplane service type to use when peering with the remote cluster.
    Valid values are: `loadbalancer` or `nodeport`, with the default being `loadbalancer`.

- **Added** support for generating `Gateway` manifests for multiple contexts at once using `istioctl multicluster link --generate`.

- **Fixed** an issue where traffic would skip local waypoints when there were no healthy endpoints. The traffic will now fail.

- **Fixed** an issue when draining is enabled and no cluster name is found. A warning is now issued.

- **Fixed** an issue where `ServiceInfo` events were not propagated after its `HboneNodePort` field changed.
    This caused NodePort peering to be broken when a gateway was annotated after its initial creation.

- **Fixed** an issue where the status field on Segment resources was not updating.

- **Fixed** an issue where the `istioctl ecs add-service` command incorrectly reported that a task definition did not have an `executionRoleArn` defined.

- **Removed** the explicit requirement for specifying an HBONE listener on an istio-remote gateway resource.
    If an istio-remote gateway's preferred dataplane service type is `loadbalancer`, a network gateway is created with the well-known HBONE port value 15008.
    Backwards compatibility is maintained by still allowing an HBONE listener to be specified on an istio-remote gateway resource.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.0</guid>
    <pubDate>Thu, 13 Nov 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.0 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.27.0 and 1.28.0.

## General Changes

- Built against upstream [Istio commit `1bbe8a0e88b1cc1f8217408192b54ee374edc479`](https://github.com/istio/istio/commits/1bbe8a0e88b1cc1f8217408192b54ee374edc479/). [Compare](https://github.com/istio/istio/compare/1.27.0..1bbe8a0e88b1cc1f8217408192b54ee374edc479).

## Solo Flavor Changes

- **Improved** `istioctl multicluster check` with the following enhancements:
    - Check the `gloo.solo.io/PeeringSucceeded` remote gateway condition for installations below 1.27
    - Find stale endpoints from remote clusters that point to Pods that no longer exist
    - Check that the environment variables on istiod do not conflict with multi-cluster functionality

- **Added** the ability to mark a cluster as draining.
    - The annotation, `solo.io/draining-weight: <value between 0 and 100>`, specifies the amount of traffic to drain
    - The annotation can be set on:
      1. the `istio-eastwest` gateway to prevent inbound traffic from remote clusters
      2. the `istio-remote` gateway to prevent outbound traffic to the remote cluster
    - If a weight is set on both the `istio-eastwest` and `istio-remote` gateways for a given cluster, the maximum weight is applied

- **Improved** the `solo.io/service-scope` label semantics to control service visibility within the mesh. You can apply this label
    to namespaces or individual services, with labels on individual services taking precedence over the namespace label.
    Service takeover is now separated from scope and has been extracted to a dedicated `solo.io/service-takeover: true|false` (default: false) label.
    The takeover label only has effect within the same segment, even if scope is set to global.
    You can choose between the following scope values:
    - `cluster` to limit service visibility to apps within the same cluster. This can be useful to opt out individual services
        from being globally available if the entire namespace's scope is set to `global`.
    - `segment` to limit service visibility to apps within the same segment.
    - `global` to make services available across all peered clusters.
    - `global-only` has been deprecated in favor of using `solo.io/service-takeover` for service takeover use cases, but will still work.

- **Added** a new CRD, `Segment`, allowing clusters to declare a custom domain suffix and allow addressing individual groups of clusters.

- **Added** an environment variable to istiod, `DISABLE_LEGACY_MULTICLUSTER`,
    to disable legacy OSS multicluster discovery mechanisms that use remote secrets.
    OSS multicluster uses remote secrets (containing kubernetes configurations) to watch resources on remote clusters,
    which is fundamentally incompatible with peering's decentralized, push-based model.
    This variable ensures istiod ignores remote secrets and doesn't attempt to set up Kubernetes clients to connect to them.
    When migrating from legacy OSS multicluster to peering, set this on the new revision of the control plane.
    For installations without remote secrets, this serves as a recommended safety measure.

- **Added** multi-cluster and cross-account support to ECS platform discovery.

- **Added** support for peering multiple clusters using NodePort `istio-eastwest` gateway services:
      - You can enable this feature with the following annotations:
        - `peering.solo.io/data-plane-service-type: NodePort` on the `istio-eastwest` gateway resource, propagated to the corresponding Kubernetes service.
        - `peering.solo.io/preferred-data-plane-service-type: NodePort` on the `istio-remote` gateway resource.
      - When peering via NodePort is enabled, only nodes where an `istio-eastwest` gateway pod is provisioned will be considered targets for traffic.
      - Like LoadBalancer gateways, NodePort gateways support traffic from Envoy-based ingress gateways, waypoints, and sidecars.
      - A new gateway status condition indicates what data plane service type is currently being used for peering.

- **Fixed** a race condition that occasionally missed global Services when peering from remote clusters.

- **Fixed** changes to Service resources not being propagated to their associated global services.

- **Fixed** an issue where any external modifications of auto-generated resources for multi-cluster peering were restored to their original state.

- **Fixed** an issue where a service only existing in a remote cluster would not have an L7 policy properly applied if the remote service
    did not properly declare an L7 protocol via the port name or `appProtocol` field.

- **Fixed** an issue where Services with `solo.io/service-scope=global-only` were not reachable via
    standard Kubernetes service hostnames, regardless of whether the local cluster had a copy of the
    Service or not.

- **Fixed** a race condition where gateway status updates were conflicting with gateway updates. Retries are now attempted when an error occurs.

- **Fixed** an istiod crash when supplying a license to a FIPS-compliant version using a license secret.

- **Fixed** an issue where deleting a remote service did not delete the corresponding ServiceEntry in the local cluster.

- **Fixed** protocol being reset to TCP on global services after an istiod restart.
    When using waypoints, this could suddenly stop `HTTPRoutes` or other L7 policies from applying.

- **Fixed** an issue where "to-workload" traffic through a waypoint would fail when peering is
    enabled (regardless of actual multi-cluster installation or traffic).

- **Fixed** traffic routing through the local cluster's waypoint proxy when a
    service exists only on a remote cluster, but the same waypoint is also deployed
    remotely. Traffic now correctly routes to remote waypoint proxies when the
    service only exists remotely.

- **Fixed** traffic breaking when a waypoint from the local cluster was deleted
    while one still existed in the remote cluster.

- **Fixed** an issue with connections to `istio-eastwest` gateways from Envoy proxies
    (sidecar, waypoint, ingress) where the outer HBONE connection used port 15008
    rather than the HBONE port specified in the `istio-remote` gateway. This
    presented a problem when specifying NodePort `istio-eastwest` gateways.

- **Fixed** missing gateway reconciliation for service-type changes.

- **Fixed** invalid ServiceEntry generation when the service port is not named.

- **Fixed** locality information not being propagated for peered
    multi-cluster resources when the `istio-remote` Gateway's
    `topology.istio.io/subzone` was specified.

- **Fixed** ambient workloads attempting to send HBONE to plaintext workloads on other clusters
    when using a flat-network multicluster setup.

- **Fixed** an issue with flat networking where traffic would not traverse remote-only waypoints.

- **Fixed** an issue with peering with a flat network for the case when the `istio.io/use-waypoint` label was
    set on a namespace in the local cluster that had services in both the local
    and remote clusters. In these cases, the waypoint specified by the remote cluster
    incorrectly took precedence over what was specified in the local cluster.

- **Fixed** an issue with peering with a flat network for the case when the `istio.io/use-waypoint` label was
    NOT set on the local cluster for a service or namespace, but remote
    clusters did have the label. In such cases, no waypoint was used at all. Now, if the local
    cluster doesn't set the label, the information from the remote
    cluster is used. To intentionally skip using remote waypoints from the local cluster,
    set `istio.io/use-waypoint: none`.

- **Fixed** an issue with flat-network peering where stale endpoints were not properly cleaned up from remote clusters.

- **Fixed** an issue where an incorrect trust domain was set on peered flat-networking workloads.

- **Fixed** a rare issue where peered service ports or other settings would get stuck
    in an incorrect state when the Service is created both locally and in a peered cluster
    in a nearly identical timeframe.

- **Fixed** sidecars and gateways not respecting load balancing settings or performing locality load balancing
    when sending traffic to a waypoint.

- **Fixed** local `istio-eastwest` gateways not being translated into `NetworkGateway`s when the cluster name matched the network ID.

- **Removed** incorrect `UnsupportedProtocol` warning from `istio-eastwest` Gateway resources.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.1-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.1-patch0</guid>
    <pubDate>Mon, 08 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.1-patch0 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.1 and 1.28.1-patch0.

## General Changes

- Built against upstream [Istio commit `76dffd9e3f54ed697dff9403ef3724abcc57e899`](https://github.com/istio/istio/commits/76dffd9e3f54ed697dff9403ef3724abcc57e899/). [Compare](https://github.com/istio/istio/compare/1.28.1..76dffd9e3f54ed697dff9403ef3724abcc57e899).

## Solo Flavor Changes

- **Fixed** NodePort peering selection of node IP address types. Only internal IP addresses are now considered.

- **Fixed** an istiod crash that could occur when attempting to use
    Waypoint interop with Sidecar and Gateway proxies.

- **Fixed** istiod generating invalid `WorkloadEntry` resources when remote services had
    unnamed ports.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.1</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.1</guid>
    <pubDate>Thu, 04 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.1 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.0-patch0 and 1.28.1.

## Security Notice

This build includes fixes for the following Envoy CVEs:
- __[CVE-2025-66220](https://nvd.nist.gov/vuln/detail/CVE-2025-66220)__: (CVSS score 8.1, High): TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates with `OTHERNAME` SANs containing an embedded null byte as valid.
- __[CVE-2025-64527](https://nvd.nist.gov/vuln/detail/CVE-2025-64527)__: (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with the remote JWKS fetching.
- __[CVE-2025-64763](https://nvd.nist.gov/vuln/detail/CVE-2025-64763)__: (CVSS score 5.3, Medium): Potential request smuggling from early data after the CONNECT upgrade.

## General Changes

- Built against upstream Istio version 1.28.1. The release notes can be found [here](https://istio.io/latest/news/releases/1.28.x/announcing-1.28.1/).

## Solo Flavor Changes

- **Added** network configuration validation to `istioctl multicluster check`.

- **Added** validation for the compatibility of intermediate certificates between peered clusters using `istioctl multicluster check`.

- **Fixed** an issue encountered during upgrades from 1.27, where `WorkloadEntry` resources for Pods in remote
    clusters were not reachable on the same network.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.2</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.2</guid>
    <pubDate>Tue, 23 Dec 2025 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.2 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.1-patch0 and 1.28.2.

## Security Notice

This build includes a fix for a CVE in the c-ares dependency of Envoy:
- __[CVE-2025-62408](https://github.com/c-ares/c-ares/security/advisories/GHSA-jq53-42q6-pqr5)__: (CVSS score 5.9, Medium): Use after free due to connection being cleaned up after error.

## General Changes

- Built against upstream [Istio commit `5ee02944487b3047e7a637309829834ae36b186b`](https://github.com/istio/istio/commits/5ee02944487b3047e7a637309829834ae36b186b/). [Compare](https://github.com/istio/istio/compare/76dffd9e3f54ed697dff9403ef3724abcc57e899..5ee02944487b3047e7a637309829834ae36b186b).

## Solo Flavor Changes

- **Improved** `istioctl` command help descriptions and examples with clearer guidance for `bootstrap`, `ecs service-add`, `multicluster check`, `multicluster expose`, and `multicluster link` commands.

- **Added** a mesh-wide escape hatch based on port matching for outbound traffic being impacted by ztunnel capture. Configure via `AMBIENT_EXCLUDE_OUTBOUND_PORTS` environment variable (for example, `AMBIENT_EXCLUDE_OUTBOUND_PORTS="1443,16000-16010"`).

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.3-patch0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.3-patch0</guid>
    <pubDate>Fri, 30 Jan 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.3-patch0 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.3 and 1.28.3-patch0.

## Security Notice

When using peered global services in sidecar environments, the generated Envoy cluster configuration was missing the `tlsMode: istio` transport socket match, causing local sidecar-to-sidecar traffic to be sent as plaintext. In environments where strict mTLS was used, connectivity would break.

## General Changes

- Built against upstream [Istio commit `1eed297fa93eb92203d5e934a8d9f22573202fac`](https://github.com/istio/istio/commits/1eed297fa93eb92203d5e934a8d9f22573202fac/). [Compare](https://github.com/istio/istio/compare/fea0e6ad9627a241a299afcd793a3da000e18f1b..1eed297fa93eb92203d5e934a8d9f22573202fac).

## Solo Flavor Changes

- **Improved** `istioctl multicluster check` to show gateway addresses, peer cluster addresses, and globally shared services.

- **Added** ztunnel helm support for `dnsPolicy` and `dnsConfig` customization.

- **Fixed** an issue where traffic was sent to pods peered for flat-network multi-cluster which were `Not Ready` or `Terminating`.

- **Fixed** an issue in NodePort peering where a comma-delimited value for the Solo annotation `peering.solo.io/data-plane-service-type` would prevent
    node workloads from being sent to peers.

- **Fixed** an issue causing Envoy clusters for peered global services to not have the `tlsMode-istio` transport socket configured.

- **Fixed** an issue in NodePort peering where the generated `ServiceEntry` and node `WorkloadEntry` resources failed to be cleaned up when
    the istio-remote gateway's `peering.solo.io/preferred-data-plane-service-type` annotation was no longer set to `NodePort`.

- **Fixed** an issue where the control plane did not immediately reconnect when the address in the istio-remote `Gateway` resource was updated.

- **Fixed** an issue where node `WorkloadEntry` resources failed to be created when NodePort peering was
    enabled after the peer initially connected via a `LoadBalancer` for an extended period of time.
    Node events received before the NodePort `ServiceEntry` existed were eventually dropped and never re-processed once NodePort peering was enabled.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.3</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.3</guid>
    <pubDate>Wed, 21 Jan 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.3 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.2 and 1.28.3.

## General Changes

- Built against upstream [Istio commit `fea0e6ad9627a241a299afcd793a3da000e18f1b`](https://github.com/istio/istio/commits/fea0e6ad9627a241a299afcd793a3da000e18f1b/). [Compare](https://github.com/istio/istio/compare/1.28.2..fea0e6ad9627a241a299afcd793a3da000e18f1b).

## Solo Flavor Changes

- **Improved** `istioctl multicluster check` command by skipping the stale workload check unless flat-network is detected.

- **Added** support to retry failed remote peer creation or updates when `PEERING_AUTOMATIC_LOCAL_GATEWAY` is enabled.

- **Fixed** an issue where the remote peer did not have its address updated when `PEERING_AUTOMATIC_LOCAL_GATEWAY` was enabled.

- **Fixed** an issue in NodePort peering where a node that entered a `NotReady` state was still used for multi-cluster traffic routing.

- **Fixed** east-west gateway TLS listeners showing an incorrect `UnsupportedProtocol` status when `PILOT_ENABLE_ALPHA_GATEWAY_API` was disabled.

- **Fixed** flat-network multi-cluster peering to properly peer user `WorkloadEntry`-based endpoints
    across clusters for multi-cluster traffic. This fixes VMs and external workloads being reachable for proxies
    configured by control planes in different clusters.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.28.4</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.28.4</guid>
    <pubDate>Wed, 18 Feb 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Patch Release</strong><br/>
Solo build of Istio version 1.28.4 patch release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.3 and 1.28.4.

## Security Notice

- [CVE-2025-61732](https://github.com/advisories/GHSA-8jvr-vh7g-f8gx) (CVSS score 8.6, High): A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- [CVE-2025-68121](https://github.com/advisories/GHSA-h355-32pf-p2xm) (CVSS score 4.8, Moderate): A flaw in `crypto/tls` session resumption allows resumed handshakes to succeed when they should fail if ClientCAs or RootCAs are mutated between the initial and resumed handshake. This can occur when using `Config.Clone` with mutations or `Config.GetConfigForClient`. As a result, clients may resume sessions with unintended servers, and servers may resume sessions with unintended clients.

## General Changes

- Built against upstream [Istio commit `4ae866ba2a361ecfa4de835136c13895437364d0`](https://github.com/istio/istio/commits/4ae866ba2a361ecfa4de835136c13895437364d0/). [Compare](https://github.com/istio/istio/compare/fea0e6ad9627a241a299afcd793a3da000e18f1b..4ae866ba2a361ecfa4de835136c13895437364d0).

## Solo Flavor Changes

- **Improved** `istioctl multicluster check` to show gateway addresses, peer cluster addresses, and globally shared services.

- **Added** ztunnel helm support for `dnsPolicy` and `dnsConfig` customization.

- **Added** support to retrieve connections from east-west gateway via the `istioctl ztunnel-config connections` subcommand.

- **Added** enhanced validation checks in `istioctl multicluster check` for flat-network configurations.

- **Added** support for the east-west gateway to break connections to pods that are terminated.

- **Added** the ability to specify authorized namespaces for debug endpoints when `ENABLE_DEBUG_ENDPOINT_AUTH=true`. Enable by
    setting `DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES` to a comma-separated list of authorized namespaces. The system namespace
    (typically `istio-system`) is always authorized.

- **Fixed** an issue where traffic was sent to pods peered for flat-network multi-cluster which were `Not Ready` or `Terminating`.

- **Fixed** an issue in NodePort peering where a comma-delimited value for the Solo annotation `peering.solo.io/data-plane-service-type` would prevent
    node workloads from being sent to peers.

- **Fixed** an issue causing Envoy clusters for peered global services to not have the `tlsMode-istio` transport socket configured.

- **Fixed** an issue in NodePort peering where simultaneous processing of node `WorkloadEntry` and gateway-derived `ServiceEntry` delete events could cause the node `WorkloadEntry` to persist.

- **Fixed** an issue in NodePort peering where the generated `ServiceEntry` and node `WorkloadEntry` resources failed to be cleaned up when
    the istio-remote gateway's `peering.solo.io/preferred-data-plane-service-type` annotation was no longer set to `NodePort`.

- **Fixed** an issue where updating the address in the istio-remote Gateway resource would not prompt the control plane to connect to the new
    address.

- **Fixed** the `istioctl bootstrap` command to respect the `-i` istio system namespace flag.

- **Fixed** the `istioctl ecs add-service` command to respect the `-i` istio system namespace flag.

- **Fixed** an issue where node `WorkloadEntry` resources failed to be created when NodePort peering was
    enabled after the peer initially connected via LoadBalancer for an extended period of time.
    Node events received before the NodePort `ServiceEntry` existed were eventually dropped and never re-processed once NodePort peering was enabled.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

  <item>
    <title>1.29.0</title>
    <link>https://docs.solo.io/gloo-mesh-enterprise/latest/reference/changelog/solo-istio/</link>
    <guid>https://github.com/solo-io/istio/releases/tag/1.29.0</guid>
    <pubDate>Tue, 24 Feb 2026 00:00:00 GMT</pubDate>
    <description><![CDATA[
<strong>Minor Release</strong><br/>
Solo build of Istio version 1.29.0 minor release.<br/><br/>
This release note describes what’s different between Solo builds of Istio versions 1.28.0 and 1.29.0.

## Upgrade Notes

### Manual configuration of ECS platform discovery

If you install Istio using Helm, Gloo Operator, or istioctl, no action is required.

If you manually configure ECS platform discovery by setting the `ECS_ACCOUNTS` environment variable, you will need to
add an array of regions for each account. For example:

```shell
# old
ECS_ACCOUNTS="example.acme,arn:aws:iam::1111111111:role/istiod"

# new
ECS_ACCOUNTS="example.acme,arn:aws:iam::1111111111:role/istiod,[us-east-1 us-east-2]"
```

If you wish to continue using the default region of the associated AWS role, simply use the empty array `[]`. For example:

```shell
ECS_ACCOUNTS="example1.acme,arn:aws:iam::1111111111:role/istiod,[]"
```

## General Changes

- Built against upstream [Istio commit `704e74ee3d20aca29cf4826d3fd5d8e516c59b20`](https://github.com/istio/istio/commits/704e74ee3d20aca29cf4826d3fd5d8e516c59b20/).
- **Updated** requirements for using FIPS and LTS flavors of Istio. Using either of these will now require a valid license.

## Solo Flavor Changes

- **Added** `aliases` to the `Segment` custom resource, enabling a high degree of customization of hostnames for global services. Aliases allow peered multi-cluster services to be addressed by user-defined names, providing flexibility in how services are discovered and routed across clusters.

- **Improved** the `istioctl multicluster check` command with the following enhancements:
    - Show gateway addresses, peer cluster addresses, and globally shared services
    - Skip the stale workload check unless flat-network is detected
    - Network configuration validation
    - Validation for the compatibility of intermediate certificates between peered clusters
    - Enhanced validation checks for flat-network configurations

- **Added** several enhancements to `istioctl ztunnel-config`:
    - New `endpoints` subcommand (aliases: `ep`, `endpoint`) to retrieve endpoint information for a specific service, accepting `--service`, `--hostname`, and `--service-namespace` flags with table, JSON, and YAML output
    - `NETWORK` and `NETWORK GATEWAY` columns to the `workloads` subcommand output for better visibility into workload network configuration
    - Support to retrieve connections from an east-west gateway via the `connections` subcommand

- **Added** new CLI options to the `istioctl multicluster expose` and `link` commands:
    - `--data-plane-service-type` on `expose`: specifies a comma-delimited list of data plane service types peers can use (`loadbalancer` or `nodeport`, default `loadbalancer`)
    - `--preferred-data-plane-service-type` on `link`: specifies the preferred data plane service type when peering with a remote cluster (`loadbalancer` or `nodeport`, default `loadbalancer`)
    - `--generate` on `link`: generates Gateway manifests for multiple contexts at once

- **Added** ambient and ztunnel enhancements:
    - Ztunnel Helm support for `dnsPolicy` and `dnsConfig` customization
    - A mesh-wide escape hatch based on port matching for outbound traffic impacted by ztunnel capture, configured via `AMBIENT_EXCLUDE_OUTBOUND_PORTS` environment variable (e.g., `AMBIENT_EXCLUDE_OUTBOUND_PORTS="1443,16000-16010"`)
    - Native nftables support for the port exclusion escape hatch (`AMBIENT_EXCLUDE_OUTBOUND_PORTS` now works with both iptables and nftables backends)

- **Added** several east-west gateway improvements:
    - Support for breaking connections to pods that are terminated
    - `PodDisruptionBudget` and `HorizontalPodAutoscaler` resources to the kube-eastwest gateway template, customizable via the gateway class `ConfigMap`

- **Added** a new peering Helm chart for managing istio-eastwest and istio-remote gateways. This chart provides an alternative to using `istioctl multicluster expose` and `istioctl multicluster link` commands, supporting declarative management of east-west and remote peering gateways via Helm.

- **Added** peering metrics to monitor the health and performance of peer cluster connections:
    - `peer_connection_state`: Gauge metric tracking the connection state of peer clusters (1 = connected, 0 = disconnected), labeled by `peer` and `source` cluster.
    - `peer_xds_config_size_bytes`: Distribution metric tracking the size of XDS configuration received from peer clusters, labeled by `peer`, `source`, and `type`.
    - `peer_convergence_time`: Distribution metric tracking the time from sending an XDS request to a peer until receiving a response, labeled by `peer`, `source`, `type`, and `success`.

- **Added** the `solo.io/prefer-other` `ServiceEntry` annotation to enable preference-based `ServiceEntry` conflict resolution across namespaces.
    When multiple `ServiceEntry` resources define the same hostname, this annotation indicates that Istio should prefer any `ServiceEntry` without the annotation,
    regardless of namespace. This allows for better behavior in migration scenarios where legacy `ServiceEntry` resources can be marked as fallbacks while new
    `ServiceEntry` resources take priority.

- **Added** namespace-level traffic distribution annotation. Services inherit traffic distribution from namespace annotation when not explicitly set on the service.

- **Added** multi-region support to ECS platform discovery. Previously only ECS resources within the default region of the configured AWS role would be discovered.

- **Added** the ability to specify authorized namespaces for debug endpoints when `ENABLE_DEBUG_ENDPOINT_AUTH=true`. Enable by
    setting `DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES` to a comma-separated list of authorized namespaces. The system namespace
    (typically `istio-system`) is always authorized.

- **Added** support to retry failed remote peer creation or updates when `PEERING_AUTOMATIC_LOCAL_GATEWAY` is enabled.

- **Removed** the explicit requirement for specifying an HBONE listener on an istio-remote gateway resource.
    If an istio-remote gateway's preferred data plane service type is `loadbalancer`, a network gateway is created with the well-known HBONE port value 15008.
    Backwards compatibility is maintained by still allowing an HBONE listener to be specified.

- **Improved** `istioctl` command help, refreshing CLI descriptions and examples with clearer guidance for `bootstrap`, `ecs service-add`, and `multicluster`'s `check`, `expose`, and `link` commands.

- **Fixed** multiple NodePort peering issues:
    - `ServiceInfo` events not propagated after the `HboneNodePort` field changed, which broke NodePort peering when a gateway was annotated after its initial creation
    - Nodes in a `NotReady` state still being used for multi-cluster traffic routing
    - Node IP address type selection now only considers internal IP addresses
    - A comma-delimited value for the `peering.solo.io/data-plane-service-type` annotation preventing node workloads from being sent to peers
    - Simultaneous processing of node `WorkloadEntry` and gateway-derived `ServiceEntry` delete events causing the node `WorkloadEntry` to persist
    - Generated `ServiceEntry` and node `WorkloadEntry` not being cleaned up when the istio-remote gateway's `peering.solo.io/preferred-data-plane-service-type` annotation was no longer set to `NodePort`
    - Node `WorkloadEntry` resources failing to be created when NodePort peering was enabled after the peer initially connected via LoadBalancer for an extended period of time

- **Fixed** several waypoint interop issues:
    - Traffic skipping local waypoints when there were no healthy endpoints (traffic will now fail)
    - An istiod crash when attempting to use Waypoint interop with sidecar and gateway proxies
    - Ingress gateways applying the waypoint's `DestinationRule` instead of the service's own `DestinationRule` regardless of whether the `istio.io/ingress-use-waypoint` label was set
    - `ingress-use-waypoint` label propagation from namespace to federated service

- **Fixed** various `istioctl` command issues:
    - The `bootstrap` and `ecs add-service` commands now respect the `-i` istio system namespace flag
    - The `ecs add-service` command no longer incorrectly reports that a task definition does not have an `executionRoleArn` defined

- **Fixed** flat-network multi-cluster peering issues:
    - User `WorkloadEntry`-based endpoints not being properly peered across clusters, preventing VMs and external workloads from being reachable from proxies in different clusters
    - Traffic being sent to pods peered for flat-network multi-cluster which are `Not Ready` or `Terminating`

- **Fixed** an issue where services with takeover enabled (`solo.io/service-takeover=true` or `solo.io/service-scope=global-only`) did not default their traffic distribution to `PreferNetwork`. This makes takeover service traffic distribution consistent with federated service behavior.

- **Fixed** east-west gateway TLS listeners showing an incorrect `UnsupportedProtocol` status when `PILOT_ENABLE_ALPHA_GATEWAY_API` was disabled.

- **Fixed** an issue with upgrading from 1.27 that created `WorkloadEntry` resources for Pods in remote clusters that are not reachable on the same network.

- **Fixed** an issue causing Envoy clusters for peered global services to not have the `tlsMode-istio` transport socket configured.

- **Fixed** an issue where istiod would generate invalid `WorkloadEntry` resources when remote services had unnamed ports.

- **Fixed** an issue where istiod would refuse to peer with clusters when the remote cluster tries to declare a Segment's domain as one that overlaps with another Segment's domain.

- **Fixed** an issue where status on `Segment` resources was not updating.

- **Fixed** an issue where the remote peer did not have its address updated when `PEERING_AUTOMATIC_LOCAL_GATEWAY` was enabled.

- **Fixed** an issue where updating the address in the istio-remote Gateway resource would not prompt the control plane to connect to the new address.

- **Fixed** an issue that occurred when draining was enabled and no cluster name was found. A warning is now issued.

- **Fixed** an issue where deleting an active ECS `ServiceEntry` or `WorkloadEntry` caused it to be recreated.

## FIPS Flavor Changes

No changes in this section.
]]></description>
  </item>

</channel>
</rss>