This release note describes what’s different between Solo builds of Istio versions 1.27.3-patch0 and 1.27.4.

Security Notice

This build includes fixes for the following Envoy CVEs:

  • CVE-2025-66220 (CVSS score 8.1, High): the TLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates whose OTHERNAME SANs contain an embedded null byte as valid.
  • CVE-2025-64527 (CVSS score 6.5, Medium): Envoy crashes when JWT authentication is configured with remote JWKS fetching.
  • CVE-2025-64763 (CVSS score 5.3, Medium): potential request smuggling via early data sent after a CONNECT upgrade.
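The first CVE above is an instance of a well-known bug class: a length-carrying string taken from a certificate is compared as if it were a NUL-terminated C string, so a crafted SAN of the form `expected\x00anything` passes an exact match. The block below is an added illustration of that class, written for this page; it is not Envoy's code and makes no claim about Envoy's actual code path. The OTHERNAME SAN model, the sample OID and the sample SAN values are constructed for the example.

```python
"""Illustration of the embedded-NUL SAN matching bug class (added example,
not Envoy's code). The 'unsafe' matcher mimics a lossy conversion to a
NUL-terminated string before comparison; the 'safe' matcher compares the
full length-aware value and rejects NUL bytes outright.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class OtherNameSan:
    """Minimal model of an OTHERNAME SAN: an OID plus its raw value bytes."""
    oid: str
    value: bytes


def c_string_truncate(value: bytes) -> str:
    """Mimic what happens when raw bytes are handed to C-string APIs:
    everything after the first NUL byte is silently dropped."""
    return value.split(b"\x00", 1)[0].decode("utf-8", errors="replace")


def match_san_unsafe(san: OtherNameSan, oid: str, expected: str) -> bool:
    """Flawed matcher: truncates at the first NUL, so a crafted SAN
    'expected\\x00anything' is accepted as an exact match."""
    return san.oid == oid and c_string_truncate(san.value) == expected


def match_san_safe(san: OtherNameSan, oid: str, expected: str) -> bool:
    """Hardened matcher: same OID check, but any embedded NUL is rejected
    and the whole value must decode and compare equal."""
    if san.oid != oid:
        return False
    if b"\x00" in san.value:
        return False
    try:
        return san.value.decode("utf-8") == expected
    except UnicodeDecodeError:
        return False


# Constructed sample SANs (not taken from real certificates). The OID is the
# Microsoft UPN OTHERNAME OID, used here only as a plausible OTHERNAME type.
OID_UPN = "1.3.6.1.4.1.311.20.2.3"
LEGIT = OtherNameSan(OID_UPN, b"svc@trusted.example")
CRAFTED = OtherNameSan(OID_UPN, b"svc@trusted.example\x00attacker-controlled")


def demo() -> dict:
    """Run both matchers against a legitimate and a crafted SAN."""
    expected = "svc@trusted.example"
    return {
        "unsafe_legit": match_san_unsafe(LEGIT, OID_UPN, expected),
        "unsafe_crafted": match_san_unsafe(CRAFTED, OID_UPN, expected),
        "safe_legit": match_san_safe(LEGIT, OID_UPN, expected),
        "safe_crafted": match_san_safe(CRAFTED, OID_UPN, expected),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point for an operator is not the toy code but the check it suggests: when a proxy is reported to accept crafted SANs, look for a fix that compares the full DER-decoded length rather than a conversion to a C string, and treat any NUL byte inside a SAN as a hard failure.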

General Changes

  • Built against upstream Istio version 1.27.4; the upstream release note can be found here.

Solo Flavor Changes

  • Added network configuration validation to istioctl multicluster check.

  • Added validation for the compatibility of intermediate certificates between peered clusters using istioctl multicluster check.

  • Added support for generating Gateway manifests for multiple contexts at once using istioctl multicluster link --generate.

  • Fixed an issue where the protocol of global services was reset to TCP after an istiod restart. When using waypoints, this could suddenly stop HTTPRoutes and other L7 policies from applying to that traffic.

  • Fixed an issue where traffic would skip the local waypoint (and the policy it enforces) when the waypoint had no healthy endpoints. Such traffic now fails instead of bypassing the waypoint.

  • Fixed an issue with flat-network peering: when istio.io/use-waypoint was set on the namespace in the local cluster, and the Service existed in both the local and the remote cluster(s), the waypoint specified by the remote cluster incorrectly took precedence over the one specified in the local cluster.

  • Fixed an issue with flat-network peering: when istio.io/use-waypoint was NOT set in the local cluster for a Service or Namespace, but remote clusters did specify it, no waypoint was used at all. Now, if the local cluster specifies nothing, the waypoint configured in the remote cluster is used. To intentionally opt out of remote waypoints from the local cluster, set istio.io/use-waypoint: none.
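The two flat-network peering fixes above together define a precedence order for istio.io/use-waypoint across peered clusters: the local cluster's choice wins, the remote cluster's choice is used only when the local cluster says nothing, and the literal value none opts out. The block below is an added model of that order written for this page; it is not Solo's or Istio's implementation. It assumes the usual Istio rule that a Service label overrides a Namespace label, consults a single remote cluster, and uses constructed label maps for a Service named orders in namespace shop.

```python
"""Model of istio.io/use-waypoint precedence across peered clusters
(added example; not Solo's or Istio's code). Assumptions: Service label
overrides Namespace label, one remote cluster is consulted, and the value
"none" disables the waypoint.
"""

from typing import Dict, Mapping, Optional, Tuple

USE_WAYPOINT = "istio.io/use-waypoint"
NO_WAYPOINT = "none"

# A cluster is modelled as a map from ("ns"|"svc", name) to that object's
# labels. Only the label we care about is included.
ClusterLabels = Mapping[Tuple[str, str], Mapping[str, str]]


def cluster_choice(cluster: ClusterLabels, ns: str, svc: str) -> Optional[str]:
    """What one cluster says for svc in ns: the Service label if present,
    otherwise the Namespace label, otherwise None (nothing specified)."""
    svc_val = cluster.get(("svc", svc), {}).get(USE_WAYPOINT)
    if svc_val is not None:
        return svc_val
    return cluster.get(("ns", ns), {}).get(USE_WAYPOINT)


def effective_waypoint(local: ClusterLabels, remote: ClusterLabels,
                       ns: str, svc: str) -> Optional[str]:
    """Resolve the waypoint for svc in ns as seen from the local cluster.
    Local wins; remote is consulted only if local specifies nothing;
    a value of "none" (from either side) means no waypoint."""
    choice = cluster_choice(local, ns, svc)
    if choice is None:
        choice = cluster_choice(remote, ns, svc)
    if choice is None or choice == NO_WAYPOINT:
        return None
    return choice


# Constructed sample label maps (not from a real cluster).
REMOTE: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ns", "shop"): {USE_WAYPOINT: "remote-shop-waypoint"},
    ("svc", "orders"): {USE_WAYPOINT: "remote-orders-waypoint"},
}

LOCAL_NS_SET: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ns", "shop"): {USE_WAYPOINT: "shop-waypoint"},
    ("svc", "orders"): {},
}
LOCAL_UNSET: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ns", "shop"): {},
    ("svc", "orders"): {},
}
LOCAL_OPT_OUT: Dict[Tuple[str, str], Dict[str, str]] = {
    ("ns", "shop"): {},
    ("svc", "orders"): {USE_WAYPOINT: NO_WAYPOINT},
}


def scenarios() -> Dict[str, Optional[str]]:
    """The three situations the release note describes."""
    return {
        # First fix: local namespace label must beat the remote cluster.
        "local_ns_set": effective_waypoint(LOCAL_NS_SET, REMOTE, "shop", "orders"),
        # Second fix: nothing local, so the remote waypoint is used.
        "local_unset": effective_waypoint(LOCAL_UNSET, REMOTE, "shop", "orders"),
        # Explicit opt-out with istio.io/use-waypoint: none.
        "local_opt_out": effective_waypoint(LOCAL_OPT_OUT, REMOTE, "shop", "orders"),
    }


if __name__ == "__main__":
    for name, wp in scenarios().items():
        print(f"{name}: {wp}")
```

The opt-out case is the one to check after upgrading: a namespace that previously ran without a waypoint only because the local cluster was silent will, after this fix, pick up whatever the remote cluster configured unless the local side explicitly sets istio.io/use-waypoint: none.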

  • Fixed an issue with flat-network peering not cleaning up stale endpoints from remote clusters.

  • Fixed a rare issue where peered service ports or other settings would get stuck in an incorrect state when the Service was created locally and in a peered cluster at nearly the same time.

  • Fixed an issue where sidecars and gateways did not respect load balancing settings or perform locality load balancing when sending traffic to a waypoint.

FIPS Flavor Changes

No changes in this section.