Istio update shoots down bugs, takes aim at Pilot


The team behind Istio has pushed out v.1.0.6 of the service mesh, fixing a trio of security vulnerabilities alongside a number of robustness improvements.

The new release updates the Go requests library, addressing a vulnerability that could have helped remote attackers expose credentials by sniffing the network, and the urllib3 library, which could also have led to credentials being exposed. The update also fixes vulnerabilities that could expose the username and password in Grafana and Kiali.

Lastly, v1.0.6 removes the in-memory service registry in Pilot, which could allow endpoints to be added to proxy configurations from within a cluster through a Pilot debug API.

Three of the robustness improvements also relate to Pilot, the core component used for traffic management. These include a fix for an issue that meant Pilot failed to push a configuration under load, for example when a bevy of pods restarted in a development cluster.

Similarly, the team has fixed a race condition which would lead Pilot to crash and restart. A pair of memory leaks – one in Pilot, one in Mixer – have also been plugged.

The release is the first from Istio this year, after 1.0.5 back in December. Istio was declared production ready with 1.0 back in July, a year after the initial 0.1 release. It was promptly woven into Red Hat’s OpenShift platform.

Istio’s key backers are Google, IBM, and Lyft, which launched the project in May 2017. The aim is to create networks of deployed (micro-) services that include load balancing and monitoring functionality, as well as means of authentication and communication between the services, and access and traffic control.