Bug Fix

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.5 is strongly recommended for all users due to critical security patches addressing JWT forgery, XDS debug endpoint authentication bypasses, and WasmPlugin SSRF vulnerabilities. Review changes to XDS debug endpoints if you rely on unauthenticated plaintext access, as this behavior now requires explicit configuration or authentication. 📝 Summary Istio 1.28.5 lands with crucial security updates and significant enhancements across the mesh. This release patches a critical vulnerability where Istio’s JWT authentication fallback mechanism could leak a private key, enabling attackers to forge tokens. A high-severity fix now secures XDS debug endpoints (like syncz and config_dump), preventing unauthenticated access on plaintext ports. Additionally, WasmPlugin image fetching is fortified with SSRF protection, closing another potential attack vector. Beyond security, the Gateway API sees improvements, specifically addressing issues where InferencePool configurations were lost during VirtualService merges. Ambient Mesh deployments get smarter port discovery for native sidecars, ensuring correct inbound listener configuration, and gain new flexibility with a ZtunnelNamespace flag. These updates combine critical fixes with valuable operational improvements, making 1.28.5 a vital upgrade for a more secure and robust service mesh. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade to Istio 1.28.4 is strongly recommended to address critical security vulnerabilities and enhance mesh stability. Operations engineers should review the new debug endpoint authorization policy (enabled by default) and consider its impact on existing monitoring or tooling that accesses Istiod debug endpoints from non-system namespaces. Enabling ambient.enableAmbientDetectionRetry in the CNI chart is also recommended for increased ambient mesh robustness against transient failures. ...

📋 Recommended Actions ⚠️ Action Required Immediate action required for environments utilizing debug endpoints from non-system namespaces, or if you’re using sidecar.istio.io/proxy* annotations. Review upgrade notes carefully for the debug endpoint authorization feature. For all users, upgrading is strongly recommended to apply critical security fixes and enhancements. 📝 Summary Istio 1.27.6 rolls out critical security enhancements, significantly bolstering the control plane’s resilience against potential vulnerabilities. This patch release introduces robust safeguards to the gateway deployment controller, preventing unauthorized resource creation via template injection. Furthermore, a critical fix addresses a template injection vector in sidecar.istio.io/proxy* annotations, rejecting malicious control characters. Security around debug endpoints is tightened, with namespace-based authorization now enabled by default, restricting access from non-system namespaces. This change requires review if your tooling interacts with these endpoints. Lastly, a bug fix ensures correct application of minimum TLS protocol versions. These updates collectively enhance Istio’s security posture and gateway management, making this a vital upgrade for all deployments. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade is recommended to address a high-severity DNS-01 solver stability issue (GHSA-gx3x-vq4p-mhhv) and ensure robust certificate issuance validation. 📝 Summary Cert-manager v1.18.5 delivers critical updates. It fixes a high-severity DNS-01 solver panic (GHSA-gx3x-vq4p-mhhv), preventing service disruptions. It also adds robust validation for issued certificates, ensuring public keys match CSRs, and improves HTTP-01 IPv6 handling. Upgrade now for enhanced stability and security! 🔒 High-Severity Fix: ACME DNS-01 Solver Panic (GHSA-gx3x-vq4p-mhhv) A critical vulnerability identified as GHSA-gx3x-vq4p-mhhv has been addressed in this release, preventing potential denial-of-service scenarios for the ACME DNS-01 solver. Previously, the solver would incorrectly assume that DNS SOA records would always be the first entry in a DNS query response. If a DNS provider returned the SOA record at a different position, cert-manager’s DNS-01 solver could panic and crash, making it unable to process new challenges and disrupting certificate issuance. ...

📋 Recommended Actions ⚠️ Action Required Immediate review recommended for all users. Upgrade promptly to benefit from critical security hardening, fix potential denial-of-service vectors, and enhance certificate issuance reliability. 📝 Summary cert-manager v1.19.3 delivers crucial security enhancements and improved issuance robustness. This release directly addresses GHSA-gx3x-vq4p-mhhv, preventing a potential panic in the ACME DNS solver that could lead to denial-of-service. This high-severity fix solidifies the reliability of your ACME challenges. We’ve also introduced a vital new check: certificate issuance will now fail if the public key in the signed certificate doesn’t match the original Certificate Signing Request (CSR). This prevents infinite re-issuance loops with misconfigured external issuers, ensuring cryptographic integrity. Furthermore, the HTTP-01 solver gained more robust handling of IPv6 address literals, improving compliance and reliability for diverse network configurations. Essential tooling updates, including Go 1.25.6 and Kind 0.31.0, round out this focused release. Upgrade to boost the security and stability of your certificate management. ...

📋 Recommended Actions ⚠️ Action Required For users leveraging Istio’s ambient multicluster, an immediate upgrade is highly recommended to address persistent informer errors and improve stability. All users should review the new gateway Helm chart feature for enhanced deployment flexibility. 📝 Summary Istio 1.28.3 significantly bolsters ambient multicluster reliability, rectifying a critical issue where remote cluster informer errors previously necessitated an Istiod restart. This update means your multicluster deployments will operate with much greater resilience, ensuring smoother operations and reduced downtime. Additionally, the Istio Gateway Helm chart introduces new service.selectorLabels functionality. This empowers operators with granular control, simplifying complex deployment patterns like revision-based migrations by allowing custom labels on gateway service selectors. Core component updates for proxy and ztunnel alongside nftables ensure overall stability and security. This release focuses on crucial bug fixes for multicluster environments and key enhancements for gateway management, making it a valuable upgrade for improved operational robustness and deployment agility. Review the details to leverage these improvements. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users, especially if using headless services with multiple IPs in a multicluster setup. 📝 Summary Istio 1.27.5 delivers a crucial bug fix, significantly improving DNS resolution for headless services. This update addresses an issue where pods with multiple IP addresses in headless service configurations, especially across multicluster setups, were not always correctly represented in the DNS name table. Now, Istio ensures all relevant IP addresses are correctly aggregated and prioritized for local clusters, providing more reliable service discovery. This means your applications will experience more robust connectivity to headless services. Additionally, this release includes important dependency bumps for core components like proxy, ztunnel, istio.io/api, and istio.io/client-go, along with updated build tools. These maintenance updates ensure stability, performance, and compatibility within the Istio ecosystem. Review these changes to understand their impact on your deployments. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review updates to better support your users. 📝 Summary Istio 1.27.4 delivers a targeted release focused on bolstering the stability and reliability of the control plane, particularly for Gateway API users and those with multi-revision deployments. This update resolves critical issues such as route resource status conflicts in multi-revision setups, preventing inconsistent states. Users leveraging the experimental XListenerSet will find TLS secret access fixed, ensuring secure gateway configurations. Furthermore, a crucial bug where HTTPS servers could impede HTTP route creation on the same port but different bind addresses has been eliminated, enabling more flexible deployments. Networking stack improvements include fixes for nftables TPROXY rules and faster CNI repair for better packet capture and pod readiness. These 10+ targeted fixes enhance overall operational predictability and resource management for Istio users, improving the robustness of your service mesh. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. This release primarily provides stability and quality-of-life improvements. Review the updates to leverage enhanced certificate handling and improve your troubleshooting experience. 📝 Summary cert-manager(v1.18.3) boosts reliability and user experience. It now supports significantly larger certificates and chains, crucial for complex deployments with many SANs. A critical fix prevents unnecessary certificate re-issuance stemming from IssuerRef defaulting. Plus, clearer error messages for malformed PEM data greatly simplify troubleshooting. Upgrade for a more stable and robust certificate management experience. ...

📋 Recommended Actions ⚠️ Action Required Immediate review is required due to security enhancements for Gateway API TLS secret access. Operations engineers should update to ensure gateways continue to function correctly, especially if relying on previous implicit permissions. Also, review the new ENABLE_PROXY_FIND_POD_BY_IP flag for potential future impacts. 📝 Summary Istio 1.26.5 delivers crucial security and stability enhancements. This release significantly hardens Kubernetes Gateway API TLS secret access, now requiring both namespace and service account matching for referenced secrets—a vital update for secure operations. You’ll also find improved installation flexibility as the Istio CNI no longer depends directly on Pilot, streamlining deployments. For ambient mode users, ServiceEntry named port mapping logic is now correctly aligned with sidecar behavior, resolving previous inconsistencies. Additionally, a new feature flag, ENABLE_PROXY_FIND_POD_BY_IP, grants more control over pod-proxy association, with future versions defaulting it to ‘off’. Critical bug fixes address issues like XDS cache corruption during SDS config dumps and Gateway API meshconfig reconciliation, ensuring a more robust and predictable service mesh. Review these updates promptly to maintain a secure and efficient Istio environment. ...

📋 Recommended Actions ⚠️ Action Required Immediate review required for Gateway API users managing TLS secrets. Verify existing ReferenceGrants or ServiceAccount configurations to avoid disruptions. For other users, review CNI and Ambient updates for improved reliability and multicluster stability. 📝 Summary Istio 1.27.2 hardens security for Kubernetes Gateway API users by tightening TLS secret access. Gateway API deployments now require service account matching or ReferenceGrant for TLS secrets, preventing unauthorized access to sensitive credentials. This update significantly improves CNI and Ambient mesh resilience during upgrades and reboots, with graceful handling of missing IPv6 support and decoupled CNI installation from Pilot. Critical goroutine leaks in multicluster KRT collections are also resolved, boosting stability and resource efficiency. Developers and operators will appreciate the fixed header validation allowing underscores and streamlined ServiceEntry resolution in ztunnel. This release delivers essential stability, security, and operational improvements for your Istio deployments. ...

📋 Recommended Actions ✅ No Immediate Action Required Upgrade recommended for improved stability and corrected behavior, especially for users of Istio Gateway API and mixed IPv4/IPv6 environments. 📝 Summary Istio 1.26.4 is here, delivering essential bug fixes and stability enhancements for your service mesh deployments. This patch release addresses a critical istio-iptables issue that previously ignored IPv4 state in mixed environments, ensuring more robust traffic interception for all users. We’ve also resolved a significant bug in the tag watcher, which now correctly handles defaultRevision logic, leading to more reliable Kubernetes Gateway programming. This means your gateways will function as expected without unexpected configuration discrepancies. For HTTP/1.x traffic, a subtle but important fix prevents PreserveHttp1HeaderCase from overriding other vital protocol options, maintaining precise control over your traffic. Additionally, we’ve updated the Gateway Helm chart schema to ensure full compatibility with Helm v3.18.5 and beyond, smoothing out installation processes. Numerous dependency updates, including Kubernetes client libraries, further bolster the mesh’s foundational stability. This release focuses on refining existing functionality and ensuring a more predictable and stable Istio experience. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required. Review these updates to better support your users, especially regarding Gateway API status improvements and Ambient mesh enhancements. 📝 Summary Istio 1.26.3 rolls out important stability and compatibility enhancements across the mesh. This patch release brings significant improvements to Gateway API status reporting, ensuring more reliable and deterministic updates for HTTPRoute resources, even in multi-controller environments. Operations engineers will appreciate the increased clarity and robustness here, simplifying Gateway API management. For Ambient mesh users, this release is critical. It fixes an edge case in CNI pod deletion, preventing orphaned entries in ztunnel and boosts multi-revision deployments with revision-aware configuration filtering for Ambient waypoints. This ensures policies like AuthorizationPolicy are correctly applied based on the Istio revision. Additionally, OpenShift users gain better TProxy compatibility through automated privileged SCC assignment for test environments, addressing a key platform-specific challenge. Internal fixes in Pilot’s telemetry reinitialization and status worker pools further enhance control plane stability. These targeted updates ensure a more resilient and predictable Istio experience for both traditional and Ambient mesh deployments. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended to ensure certificate name constraints are correctly applied, enhancing the security and validity of issued certificates. cert-manager v1.17.4 is a targeted patch release addressing a critical bug in how URI name constraints are applied during certificate signing request (CSR) generation. Previously, Permitted.URIDomains were incorrectly treated as excluded, potentially leading to misconfigurations in certificate issuance policies. This fix ensures that your defined URI name constraints are honored as intended, bolstering the integrity and security of your issued certificates. ...

📋 Recommended Actions ⚠️ Action Required Immediate review of your cert-manager Helm chart deployment is required due to a significant RBAC reversion. Users relying on the ‘disableHTTPChallengesRole’ flag must update their manifests. Review the certificate name constraints fix to ensure correct certificate issuance. 📝 Summary cert-manager v1.18.2 lands with critical updates, most notably a significant reversion of RBAC changes introduced in v1.18.1. This patch release removes the global.rbac.disableHTTPChallengesRole Helm value, consolidating HTTP-01 and DNS-01 challenge-related ClusterRoles into a single, unified controller role. If your deployments relied on disableHTTPChallengesRole to limit permissions, you must immediately review and update your Helm manifests. This reversion effectively means that HTTP-01 challenge permissions, such as creating pods and services, are now always included within the primary challenge controller role, potentially granting broader permissions than you previously configured or intended. Beyond RBAC, this release also delivers a crucial bug fix. It corrects an issue where certificate name constraints for URI domains were being mistakenly interpreted as ExcludedURIDomains instead of PermittedURIDomains in generated Certificate Signing Requests. This fix ensures that your certificates are issued with the exact URI name constraints you specify, preventing unexpected validation failures. Operations engineers should promptly examine their Helm values and RBAC configurations to prevent unintended permission shifts and ensure correct certificate issuance behavior. ...

📋 Recommended Actions ✅ No Immediate Action Required No immediate action required for most users. OpenShift users leveraging TPROXY mode should review the update for critical fixes. All Gateway API users should be aware of internal VirtualService naming changes for generated resources. 📝 Summary Istio 1.26.2 delivers targeted fixes and crucial consistency improvements, especially for OpenShift and Gateway API users. A significant bug has been resolved for OpenShift deployments utilizing TPROXY mode, which previously suffered from incorrect UID and GID assignments for sidecar containers. This fix ensures proper operation and security context enforcement. The release also brings enhanced robustness to Gateway API status reconciliation. Internal logic now intelligently compares desired and live states before writing, dramatically reducing redundant status updates and handling concurrent modifications more gracefully. This means a more stable control plane experience. Furthermore, the naming convention for auto-generated VirtualServices from HTTPRoutes has been refined for consistency, adopting a new scheme that directly reflects the merge key. While an internal detail, this can impact tools relying on generated resource names. Finally, internal integration tests gain greater flexibility with a new flag to control Gateway API deployment, alongside a fix for Kind cluster registry redirection. This patch release focuses on improving stability and correctness for specific deployment scenarios and advanced users. ...

📋 Recommended Actions ⚠️ Action Required Review your Gateway API configurations, particularly AllowedRoutes.namespaces.from settings, as None is no longer supported and will cause validation errors. For pluginca users, ensure your cacerts bundle is complete to avoid istiod startup failures due to new, stricter validation. Upgrading is recommended for improved stability and security hardening. 📝 Summary Istio 1.26.1 lands with crucial updates, primarily focusing on robust Gateway API integration and enhanced security. This release promotes Gateway API to v1.3.0, alongside a critical fix that resolves istiod panics when processing complex Gateway API hostnames. Notably, a breaking change from upstream Gateway API means AllowedRoutes.namespaces.from: None is no longer valid, requiring configuration updates. ...

📋 Recommended Actions ⚠️ Action Required Immediate upgrade recommended for all users relying on Cloudflare DNS01 challenges to restore functionality and ensure uninterrupted certificate issuance. This cert-manager v1.17.1 patch release delivers a crucial fix for users leveraging Cloudflare DNS01 challenges. Due to a recent breaking API change from Cloudflare, cert-manager v1.17.0 and earlier versions were experiencing issues with certificate issuance via this method. This update ensures seamless operation for your ACME certificates, alongside a standard bump to the Go toolchain to v1.23.6. ...