content/en/news/releases/1.2.x/announcing-1.2.10/index.md
This release contains fixes for the security vulnerability described in our December 10th, 2019 news post. This release note describes what’s different between Istio 1.2.9 and Istio 1.2.10.
{{< relnote >}}
- CVE-2019-18801: Fix a vulnerability affecting Envoy's processing of large HTTP/2 request headers. Successful exploitation of this vulnerability could lead to a denial of service, escalation of privileges, or information disclosure.
- CVE-2019-18802: Fix a vulnerability resulting from whitespace after HTTP/1 header values which could allow an attacker to bypass Istio's policy checks, potentially resulting in information disclosure or escalation of privileges.
- CVE-2019-18838: Fix a vulnerability resulting from a malformed HTTP request missing the "Host" header. An encoder filter that invokes Envoy's route manager APIs that access the request's "Host" header will cause a NULL pointer to be dereferenced and result in abnormal termination of the Envoy process.
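
CVE-2019-18802 and CVE-2019-18838 both concern what header data reaches matching and routing code. The Python below is an added example, not Envoy or Istio code: it shows an exact-match rule evaluated on a header value as sent versus after trimming optional whitespace, and a parser that rejects a request with no "Host" header up front. `parse_headers`, `policy_denies`, the deny rule and the sample requests are hypothetical and constructed for illustration.

```python
# Added illustration (constructed); function names and rule are hypothetical.
OWS = " \t"  # optional whitespace, RFC 7230 section 3.2.3


class BadRequest(Exception):
    """The request must be rejected (HTTP 400) before any policy or filter runs."""


def parse_headers(raw: bytes, strip_ows: bool = True) -> dict:
    """Parse an HTTP/1 request head into {lowercased name: value}.

    strip_ows=False keeps trailing whitespace on values, modelling a
    matcher that compares the bytes exactly as they arrived.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # No colon, empty name, or whitespace around the name is malformed.
        if not sep or not name or name != name.strip(OWS):
            raise BadRequest(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip(OWS) if strip_ows else value.lstrip(OWS)
    # Validate Host once, up front, so later code never reads an absent value.
    if not headers.get("host", "").strip(OWS):
        raise BadRequest("missing or empty Host header")
    return headers


def policy_denies(headers: dict, name: str, denied_value: str) -> bool:
    """Hypothetical exact-match deny rule on a single header."""
    return headers.get(name) == denied_value


# Constructed sample requests: one with a space after the Host value, one without Host.
PADDED = b"GET /admin HTTP/1.1\r\nHost: internal.example \r\nUser-Agent: demo\r\n\r\n"
NO_HOST = b"GET / HTTP/1.1\r\nUser-Agent: demo\r\n\r\n"

if __name__ == "__main__":
    as_sent = parse_headers(PADDED, strip_ows=False)
    print("as sent   :", repr(as_sent["host"]), policy_denies(as_sent, "host", "internal.example"))
    normalized = parse_headers(PADDED)
    print("normalized:", repr(normalized["host"]), policy_denies(normalized, "host", "internal.example"))
    try:
        parse_headers(NO_HOST)
    except BadRequest as exc:
        print("rejected  :", exc)
```

The rule only fires on the normalized value, which is why matching has to happen after whitespace is stripped rather than on the bytes as received.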