This release note describes what’s different between Solo builds of Istio versions 1.28.3 and 1.28.4.

Security Notice

  • CVE-2025-61732 (CVSS score 8.6, High): A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary.
  • CVE-2025-68121 (CVSS score 4.8, Moderate): A flaw in crypto/tls session resumption allows resumed handshakes to succeed when they should fail if ClientCAs or RootCAs are mutated between the initial and resumed handshake. This can occur when using Config.Clone with mutations or Config.GetConfigForClient. As a result, clients may resume sessions with unintended servers, and servers may resume sessions with unintended clients.

General Changes

Solo Flavor Changes

  • Improved istioctl multicluster check to show gateway addresses, peer cluster addresses, and globally shared services.

  • Added ztunnel helm support for dnsPolicy and dnsConfig customization.

  • Added support to retrieve connections from east-west gateway via the istioctl ztunnel-config connections subcommand.

  • Added enhanced validation checks in istioctl multicluster check for flat-network configurations.

  • Added support for the east-west gateway to break connections to pods that are terminated.

  • Added the ability to specify authorized namespaces for debug endpoints when ENABLE_DEBUG_ENDPOINT_AUTH=true. Enable by setting DEBUG_ENDPOINT_AUTH_ALLOWED_NAMESPACES to a comma-separated list of authorized namespaces. The system namespace (typically istio-system) is always authorized.

  • Fixed sending traffic to pods peered for flat-network multi-cluster that are Not Ready or Terminating.

  • Fixed an issue in NodePort peering where a comma-delimited value for the Solo annotation peering.solo.io/data-plane-service-type would prevent node workloads from being sent to peers.

  • Fixed an issue causing Envoy clusters for peered global services to not have the tlsMode-istio transport socket configured.

  • Fixed an issue in NodePort peering where simultaneous processing of node WorkloadEntry and gateway-derived ServiceEntry delete events could cause the node WorkloadEntry to persist.

  • Fixed an issue in NodePort peering where the generated ServiceEntry and node WorkloadEntry fail to be cleaned up when the istio-remote gateway’s peering.solo.io/preferred-data-plane-service-type annotation was no longer set to NodePort.

  • Fixed an issue where updating the address in the istio-remote Gateway resource would not prompt the control plane to connect to the new address.

  • Fixed the istioctl bootstrap command to respect the -i istio system namespace flag.

  • Fixed the istioctl ecs add-service command to respect the -i istio system namespace flag.

  • Fixed an issue where node WorkloadEntry resources failed to be created when NodePort peering was enabled after the peer initially connected via LoadBalancer for an extended period of time. Node events received before the NodePort ServiceEntry existed were eventually dropped and never re-processed once NodePort peering was enabled.

FIPS Flavor Changes

No changes in this section.