The Istio project has pushed out v1.3.5 of its eponymous service mesh, plugging a fistful of bugs but not quite fixing the DoS vulnerability it disclosed last week.
Fixes include one for an issue discovered back in May which caused stale endpoints to remain even when a deployment was scaled to 0 replicas. A bug disclosed in September, which caused Pilot to crash when an invalid configuration was generated, has also been fixed.
Other fixes include the destination_service_name label not being populated for TCP metrics on BlackHole/Passthrough clusters, and telemetry not reporting metrics for those same clusters when fall-through filter chains were invoked. Also fixed is a bug, discovered back in October, in which a headless service instance caused Envoy to reject (NACK) the Listener Discovery Service (LDS) update with a duplicate listener error.
The release notes also restate the DoS vulnerability in the 1.3 series that was disclosed last week. The workaround is repeated, but the promised fix is not in this release.
Fans do get a brace of minor enhancements, though. First up is support for Citadel, Istio’s certificate authority component, to periodically check the remaining lifetime of the root certificate and rotate it before it expires. Second is a new PILOT_BLOCK_HTTP_ON_443 boolean environment variable for Pilot which, if enabled, prevents HTTP services from being declared on port 443, avoiding conflicts with external HTTPS services that expect TLS on that port.
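The lifetime check behind that Citadel enhancement, reduced to its essentials as an added example (this is not Istio's or Citadel's own code): read a PEM root certificate, pull notAfter out of the DER with the standard library only, and compare what is left against a rotation grace period. The sample certificate is constructed inside the script (dummy key and signature bytes, so it would fail any real verification), and the 30-day grace period and the 2019-11-12 check date are assumptions, not Istio defaults.

```python
import base64
from datetime import datetime, timedelta, timezone

# ---- minimal DER helpers (enough for Certificate -> tbsCertificate -> validity) ----

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(data, start, end):
    """Iterate the elements of a constructed DER value (SEQUENCE / SET)."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(data, pos)
        yield tag, vstart, vend
        pos = vend

def _der(tag, body):
    """Encode one DER TLV (used only to construct the sample certificate below)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _parse_time(tag, raw):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> aware datetime."""
    text = raw.decode("ascii")
    if tag == 0x17:            # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY, otherwise 20YY
        yy = int(text[:2])
        text = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != 0x18:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

# ---- the check ----

def validity_from_pem(pem):
    """Return (notBefore, notAfter) of a PEM X.509 certificate; no third-party library needed."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, cert_start, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)     # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    _, v_start, v_end = fields[3]                     # serialNumber, signature, issuer, validity
    (t1, s1, e1), (t2, s2, e2) = list(_children(der, v_start, v_end))[:2]
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])

def remaining_lifetime(pem, now):
    """Time left before notAfter, relative to `now` (a timezone-aware datetime)."""
    return validity_from_pem(pem)[1] - now

def needs_rotation(pem, now, grace_days=30):
    """True when the root has grace_days or less left. The 30-day grace period is an assumed policy."""
    return remaining_lifetime(pem, now) <= timedelta(days=grace_days)

# ---- constructed sample roots (not real Istio roots; key and signature bytes are dummies) ----

def build_sample_cert(not_before, not_after, cn=b"istio-root"):
    def when(d):   # RFC 5280: UTCTime through 2049, GeneralizedTime from 2050 onward
        return (_der(0x17, d.strftime("%y%m%d%H%M%SZ").encode()) if d.year < 2050
                else _der(0x18, d.strftime("%Y%m%d%H%M%SZ").encode()))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn))))  # CN=
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name
               + _der(0x30, when(not_before) + when(not_after)) + name
               + _der(0x30, alg + _der(0x03, b"\x00" * 17)))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

CHECK_DATE = datetime(2019, 11, 12, tzinfo=timezone.utc)          # assumed "now"
SAMPLE_ROOT = build_sample_cert(datetime(2019, 1, 1, tzinfo=timezone.utc),   # one-year root
                                datetime(2020, 1, 1, tzinfo=timezone.utc))
LONG_LIVED_ROOT = build_sample_cert(datetime(2019, 1, 1, tzinfo=timezone.utc),  # exercises GeneralizedTime
                                    datetime(2059, 1, 1, tzinfo=timezone.utc))

def days_remaining(pem=SAMPLE_ROOT, now=CHECK_DATE):
    return remaining_lifetime(pem, now).days

if __name__ == "__main__":
    print("root has %d days left; rotate now: %s" % (days_remaining(), needs_rotation(SAMPLE_ROOT, CHECK_DATE)))
```

Against a live mesh you would feed `validity_from_pem` the root from the CA secret in the istio-system namespace rather than the constructed sample; the parser only walks the validity field, so it neither verifies the signature nor cares what key type the root uses.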
Meanwhile, the project team has announced that support for Istio 1.2 will end on December 13. Yes, that is a Friday, which we think makes it particularly important that, in line with its regular policy, “we will stop back-porting fixes for security issues and critical bugs to 1.2, so we encourage you to upgrade to the latest version of Istio (1.3.5).” If you don’t, “you may put yourself in the position of having to do a major upgrade on a short timeframe to pick up a critical fix.”