1.29.2

Solo build of Istio version 1.29.2 patch release.

This release note describes what’s different between Solo builds of Istio versions 1.29.1-patch0 and 1.29.2.

Security Notice

This release bumps the Go version to 1.25.9, which includes fixes for the following security vulnerabilities in the Go crypto packages:

  • CVE-2026-32280 (CVSS 7.5, High) (crypto/x509): During chain building, the amount of work performed is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

  • CVE-2026-32281 (Unscored, Undergoing Analysis) (crypto/x509): Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains.

  • CVE-2026-32283 (Unscored, Undergoing Analysis) (crypto/tls): If one side of a TLS 1.3 connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

  • CVE-2026-33810 (Unscored, Undergoing Analysis) (crypto/x509): When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs that use a different case than the constraint. For example, if a certificate contains the DNS name *.example.com and the excluded DNS name EXAMPLE.COM, the constraint will not be applied. This only affects validation of otherwise trusted certificate chains.
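
The case mismatch behind CVE-2026-33810 can be audited for in existing certificate material. The Go program below is an added example, not code from Istio, Solo or the Go project: it flags wildcard DNS SANs that an excluded DNS constraint covers only when case is ignored. `CaseOnlyExclusions`, `Finding` and `covered` are hypothetical names, the sample certificates are constructed in memory, and constraint matching is simplified to suffix comparison.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// Finding records a wildcard SAN whose exclusion depends on ignoring case.
type Finding struct {
	SAN, Constraint string
}

// covered reports whether the wildcard's base domain equals, or is a
// subdomain of, the constraint. Simplified suffix matching (assumption).
func covered(base, constraint string) bool {
	constraint = strings.TrimPrefix(constraint, ".")
	return base == constraint || strings.HasSuffix(base, "."+constraint)
}

// CaseOnlyExclusions returns the wildcard SANs on leaf that an excluded DNS
// constraint in issuers covers only under case-insensitive comparison.
func CaseOnlyExclusions(leaf *x509.Certificate, issuers []*x509.Certificate) []Finding {
	var out []Finding
	for _, san := range leaf.DNSNames {
		if !strings.HasPrefix(san, "*.") {
			continue // the CVE concerns wildcard SANs only
		}
		base := san[2:]
		for _, ca := range issuers {
			for _, ex := range ca.ExcludedDNSDomains {
				if !covered(base, ex) && covered(strings.ToLower(base), strings.ToLower(ex)) {
					out = append(out, Finding{san, ex})
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: only the fields the check reads are populated.
	ca := &x509.Certificate{ExcludedDNSDomains: []string{"EXAMPLE.COM"}}
	leaf := &x509.Certificate{DNSNames: []string{"*.example.com", "api.example.org"}}
	for _, f := range CaseOnlyExclusions(leaf, []*x509.Certificate{ca}) {
		fmt.Printf("wildcard SAN %q is excluded by %q only case-insensitively\n", f.SAN, f.Constraint)
	}
}
```

Any finding marks a chain whose validation result depends on whether the verifier carries the fix, so those certificates are worth reviewing alongside the upgrade.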

General Changes

  • Built against upstream Istio version 1.29.2; the release notes can be found here.
  • Built against upstream Istio commit COMMIT. See the commit and history here.

Solo Flavor Changes

  • Added a --revision (-r) flag to istioctl bootstrap, allowing users to target a specific control plane revision. When set, the command looks up istiod-{revision} instead of the default istiod service.

  • Fixed an issue where the ECS controller did not respect custom system namespace configurations. The controller now uses the configured namespace instead of defaulting to istio-system.

FIPS Flavor Changes

No changes in this section.