istio · linsun · Oct 8, 2019 · Oct 8, 2019 · Oct 8, 2019 · Oct 8, 2019
@@ -154,6 +154,7 @@ CVE-2019-9513
 CVE-2019-9514
 CVE-2019-9515
 CVE-2019-9518
+CVE-2019-15226
 Datadog
 datapath
 CVEs
@@ -278,6 +279,7 @@ IPv4
 IPv6
 Istio
 istio.io
+ISTIO-SECURITY-2019-005
 ISTIO-SECURITY-2019-004
 ISTIO-SECURITY-2019-003
 istio.io.

@@ -0,0 +1,20 @@
+---
+title: Announcing Istio 1.1.16
+description: Istio 1.1.16 patch release.
+publishdate: 2019-10-08
+attribution: The Istio Team
+release: 1.1.16
+---
+
+We're pleased to announce the availability of Istio 1.1.16. Please see below for what's changed.
+
+{{< relnote >}}
+
+## Security update
+
+This release contains fixes for the security vulnerability described in [our October 8th, 2019 news post](/news/2019/istio-security-2019-005).  Specifically:
+
+__ISTIO-SECURITY-2019-005__:  A DoS vulnerability has been discovered by the Envoy community.
+  * __[CVE-2019-15226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio if an attacker uses a high quantity of very small headers.
+
+Nothing else is included in this release except for the above security fix.
@@ -0,0 +1,23 @@
+---
+title: Announcing Istio 1.2.7
+description: Istio 1.2.7 patch release.
+publishdate: 2019-10-08
+attribution: The Istio Team
+release: 1.2.7
+---
+
+We're pleased to announce the availability of Istio 1.2.7. Please see below for what's changed.
+
+{{< relnote >}}
+
+## Security update
+
+This release contains fixes for the security vulnerability described in [our October 8th, 2019 news post](/news/2019/istio-security-2019-005).  Specifically:
+
+__ISTIO-SECURITY-2019-005__:  A DoS vulnerability has been discovered by the Envoy community.
+  * __[CVE-2019-15226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio if an attacker uses a high quantity of very small headers.
+
+## Bug fix
+
+- Fix a bug where `nodeagent` was failing to start when using citadel ([Issue 15876](https://github.com/istio/istio/issues/17108))
+
@@ -0,0 +1,20 @@
+---
+title: Announcing Istio 1.3.2
+description: Istio 1.3.2 patch release.
+publishdate: 2019-10-08
+attribution: The Istio Team
+release: 1.3.2
+---
+
+We're pleased to announce the availability of Istio 1.3.2. Please see below for what's changed.
+
+{{< relnote >}}
+
+## Security update
+
+This release contains fixes for the security vulnerability described in [our October 8th, 2019 news post](/news/2019/istio-security-2019-005).  Specifically:
+
+__ISTIO-SECURITY-2019-005__:  A DoS vulnerability has been discovered by the Envoy community.
+  * __[CVE-2019-15226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226)__: After investigation, the Istio team has found that this issue could be leveraged for a DoS attack in Istio if an attacker uses a high quantity of very small headers.
+
+Nothing else is included in this release except for the above security fix.
@@ -1,5 +1,5 @@
 ---
-title: Security Update - ISTIO-SECURITY-003 and ISTIO-SECURITY-004
+title: Security Update - ISTIO-SECURITY-2019-003 and ISTIO-SECURITY-2019-004
 description: Security vulnerability disclosure for multiple CVEs.
 publishdate: 2019-08-13
 attribution: The Istio Team

@@ -0,0 +1,37 @@
+---
+title: Security Update - ISTIO-SECURITY-2019-005
+description: Security vulnerability disclosure for CVE-2019-15226.
+publishdate: 2019-10-08
+attribution: The Istio Team
+---
+
+Today we are releasing three new Istio versions: 1.1.16, 1.2.7, and 1.3.2. These new Istio versions address vulnerabilities that can be used to mount Denial of Service (DoS) attacks against services using Istio.
+
+__ISTIO-SECURITY-2019-005__: Envoy, and subsequently Istio, are vulnerable to the following DoS attack:
+* __[CVE-2019-15226](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15226)__: Upon receiving each incoming request, Envoy will iterate over the request headers to verify that the total size of the headers stays below a maximum limit. A remote attacker may craft a request that stays below the maximum request header size but consists of many thousands of small headers to consume CPU and result in a denial-of-service attack.
+
+## Affected Istio Releases
+
+The following Istio releases are vulnerable:
+
+* 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.1.11, 1.1.12, 1.1.13, 1.1.14, 1.1.15
+* 1.2, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6
+* 1.3, 1.3.1
+
+## Impact Score
+
+Overall CVSS score: 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
+
+## Vulnerability impact and Detection
+
+Both Istio gateways and sidecars are vulnerable to this issue. If you are running one of the versions listed above, your cluster is vulnerable.
+
+## Mitigation
+
+* For Istio 1.1.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/steps/#sidecar-upgrade) to a minimum version of [Istio 1.1.16](/news/2019/announcing-1.1.16).
+* For Istio 1.2.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/steps/#sidecar-upgrade) to a minimum version of (/news/2019/announcing-1.2.7).
+* For Istio 1.3.x deployments: update all control plane components (Pilot, Mixer, Citadel, and Galley) and then [upgrade the data plane](/docs/setup/upgrade/steps/#sidecar-upgrade) to a minimum version of (/news/2019/announcing-1.3.2).
+
+We'd like to remind our community to follow the [vulnerability reporting process](/about/security-vulnerabilities/) to report any bug that can result in a security vulnerability.
+
+
diff --git a/data/args.yml b/data/args.yml
@@ -2,7 +2,7 @@
 version: "1.3"
 
 # The full Istio version identifier the docs describe
-full_version: "1.3.1"
+full_version: "1.3.2"
 
 # The previous Istio version identifier the docs describe, used for upgrade documentation
 previous_version: "1.2"