Announcing Istio 1.8.6

This release fixes the security vulnerabilities described in our May 11th posts, ISTIO-SECURITY-2021-005 and ISTIO-SECURITY-2021-006.

{{< relnote >}}

{{< tip >}} This is the final release of 1.8. Please upgrade your Istio installation to a supported version. {{< /tip >}}

Security update

{{< tip >}} The first 2 CVEs are highly related. {{< /tip >}}

Changes

  • Added security best practice for authorization policies

  • Fixed istiod so it will no longer generate listeners for privileged gateway ports (<1024) if the gateway Pod does not have sufficient permissions. Issue 27566

  • Fixed an issue so that transport socket parameters are now taken into account when configured in EnvoyFilter. Issue 28996

  • Fixed PeerAuthentication to not turn off mTLS while using multi-network, non-mTLS endpoints from the cross-network load-balancing endpoints to prevent 500 errors. Issue 28798

  • Fixed a bug causing runaway logs in istiod after disabling the default ingress controller. Issue 31336

  • Fixed the Kubernetes API server so it is now considered to be cluster-local by default. This means that any pod attempting to reach kubernetes.default.svc will always be directed to the in-cluster server. Issue 31340

  • Fixed Istio operator to prune resources that do not belong to the specific Istio operator CR. Issue 30833

Breaking Changes

As part of the fixes for ISTIO-SECURITY-2021-006, the previously deprecated .global stub domain for multicluster will no longer work.

This change can be temporarily disabled if desired by setting the environment variable PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH=true in Istiod. However, this is strongly discouraged, as it negates the fix to ISTIO-SECURITY-2021-006.

Please follow the Multicluster Installation documentation for more information.
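
A pre-upgrade audit for the breaking change above, as an added example that is not part of the Istio release notes: it flags an istiod Deployment that sets PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH and lists hosts still using the .global stub domain. It assumes the inputs are JSON exports of the istiod Deployment and of all ServiceEntry resources, and that .global names are declared in ServiceEntry hosts; the function names and the sample objects are constructed for illustration.

```python
import json

LEGACY_FLAG = "PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH"  # name taken from the release note
TRUTHY = {"1", "t", "true"}  # assumption: istiod parses the value as a Go-style boolean

def legacy_passthrough_enabled(deployment):
    """True if any container of the istiod Deployment sets the legacy flag to a truthy value."""
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    for container in pod_spec.get("containers") or []:
        for env in container.get("env") or []:
            if env.get("name") == LEGACY_FLAG and str(env.get("value", "")).strip().lower() in TRUTHY:
                return True
    return False

def global_hosts(service_entries):
    """Sorted (namespace/name, host) pairs for ServiceEntry hosts under the .global stub domain."""
    hits = []
    for item in service_entries.get("items") or []:
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        for host in item.get("spec", {}).get("hosts") or []:
            if host.lower().rstrip(".").endswith(".global"):
                hits.append((ref, host))
    return sorted(hits)

# Constructed sample input, shaped like `kubectl get ... -o json` output.
SAMPLE_ISTIOD = json.loads("""{"spec": {"template": {"spec": {"containers": [
  {"name": "discovery", "env": [
    {"name": "PILOT_ENABLE_LEGACY_AUTO_PASSTHROUGH", "value": "true"}]}]}}}}""")
SAMPLE_SERVICE_ENTRIES = json.loads("""{"items": [
  {"metadata": {"namespace": "foo", "name": "httpbin-bar"},
   "spec": {"hosts": ["httpbin.bar.global"]}},
  {"metadata": {"namespace": "foo", "name": "ext-api"},
   "spec": {"hosts": ["api.example.com"]}}]}""")

if __name__ == "__main__":
    if legacy_passthrough_enabled(SAMPLE_ISTIOD):
        print(f"WARNING: {LEGACY_FLAG} is enabled; the ISTIO-SECURITY-2021-006 fix is negated")
    for ref, host in global_hosts(SAMPLE_SERVICE_ENTRIES):
        print(f"ServiceEntry {ref} uses .global host {host}; it will stop working")
```

Both findings should be empty before relying on this release: a truthy flag means the fix for ISTIO-SECURITY-2021-006 is not in effect, and any listed host needs migrating as described in the Multicluster Installation documentation.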