1.28.5-patch0

Solo build of Istio version 1.28.5-patch0 patch release.

This release note describes what’s different between Solo builds of Istio versions 1.28.5 and 1.28.5-patch0.

Security Notice

• Envoy Transformation Filter CONNECT Request Crash: (Severity: High): A vulnerability exists in Solo’s transformation filter. When a route or virtual host is configured with a transformation rule that includes a path-based request matcher, an unauthenticated attacker can send an HTTP CONNECT request, causing Envoy to crash. This is a potential Denial of Service (DoS) attack vector. The crash can be triggered only if you have a transformation with a path matcher defined. This is only possible with an EnvoyFilter with a transformation that includes a path matcher:

patch:
  operation: MERGE
  value:
    typed_per_filter_config:
    io.solo.transformation:
        "@type": "type.googleapis.com/transformation.options.gloo.solo.io.TransformationPerRoute"
        staged_transformations:
        regular:
            request_transforms:
            - matcher:
                prefix: '/'
            request_transformation: {}

General Changes

• Built against upstream Istio commit 0a4f135afc0260487053ae1f8548ac7cbb973b6a. Compare.

Solo Flavor Changes

• Added two new environment variables PEERING_EXCLUDED_LABELS and PEERING_EXCLUDED_ANNOTATIONS that define a comma-delimited string of labels and annotations which are excluded from auto-generated peering resources’ metadata.

• Added support for running istioctl multicluster check against extracted bug-report directories, enabling offline multicluster analysis without direct cluster access.

• Fixed an issue where adding the draining annotation to the East-West Gateway caused a restart. Fixed an issue where adding the traffic distribution annotation to a Gateway (waypoint) caused a restart.

• Fixed an issue where adding a service-type annotation to the East-West Gateway caused a restart.

FIPS Flavor Changes

No changes in this section.