1.27.7
Solo build of Istio version 1.27.7 patch release.
This release note describes what’s different between Solo builds of Istio versions 1.27.5-patch0 and 1.27.7.
Security Notice
- CVE-2025-61732 (CVSS score 8.6, High): A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
- CVE-2025-68121 (CVSS score 4.8, Moderate): A flaw in crypto/tls session resumption allows resumed handshakes to succeed when they should fail if ClientCAs or RootCAs are mutated between the initial and resumed handshake. This can occur when using Config.Clone with mutations or Config.GetConfigForClient. As a result, clients may resume sessions with unintended servers, and servers may resume sessions with unintended clients.
General Changes
- Built against upstream Istio commit 907c5bdcf7d00be35f7406904f1415dcbf0956a3.
Solo Flavor Changes
- Added support to retrieve connections from the east-west gateway via the istioctl ztunnel-config connections subcommand.
- Added enhanced validation checks in istioctl multicluster check for flat network configurations.
- Added support for the east-west gateway to break connections to pods that are terminated.
- Added the ability to specify authorized namespaces for debug endpoints when ENABLE_DEBUG_ENDPOINT_AUTH=true. Enable by setting DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES to a comma-separated list of authorized namespaces. The system namespace (typically istio-system) is always authorized.
- Fixed the istioctl bootstrap command to respect the -i Istio system namespace flag.
- Fixed the istioctl ecs add-service command to respect the -i Istio system namespace flag.
FIPS Flavor Changes
No changes in this section.