
Announcing Istio 1.13.9

content/en/news/releases/1.13.x/announcing-1.13.9/index.md


This release contains a fix for CVE-2022-39278 and bug fixes to improve robustness. This release note describes what is different between Istio 1.13.8 and Istio 1.13.9.

{{< relnote >}}

Security update

  • Patch for CVE-2022-41715. Replaces all uses of stdlib regexp with the Go 1.19.2 stdlib implementation. This guards against denial of service (DoS) via malformed regular expressions.

Changes

  • Fixed an issue where the user cannot delete the Istio Operator resource with a revision if istiod is not running. (Issue #40796)

  • Fixed a bug where the dynamically generated JWKS return value was not base64 encoded, causing Envoy to fail to parse it.

  • Fixed an issue where a root namespace Sidecar configuration would be ignored.

  • Fixed the gateway API integration to not fail when the v1alpha2 version is removed.