Cilium - v1.11.19

Security

We are pleased to release Cilium v1.11.19.

This release addresses the following security issues:
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-pvgm-7jpg-pw5g
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-69vr-g55c-v2v4
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-mc6h-6j9x-v3gq
- https://github.com/envoyproxy/envoy/security/advisories/GHSA-7mhv-gr67-hq55

This release includes a security fix for Envoy and improvements to Network Policies.

See the notes below for a full description of the changes.

⚠️ Warning - IPsec ⚠️

Do NOT upgrade to this release if you are using IPsec.

Summary of Changes

Bugfixes:
* client, health/client: set dummy host header on unix:// local communication (Backport PR #26917, Upstream PR #26800, @tklauser)
* Fix bug that caused transient IPsec packet drops on upgrades when tunneling is enabled. (Backport PR #26872, Upstream PR #26708, @pchaigno)
* Fix bug where CNI gets installed even if cni.install=false (Backport PR #26419, Upstream PR #26278, @joestringer)
* Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (Backport PR #26872, Upstream PR #25440, @pchaigno)
* Fixed Cilium agent crash when policy refers to a non-existing Envoy listener. (Backport PR #26419, Upstream PR #25969, @jrajahalme)
* Fixed proxy redirect policy implementation when any deny rule prevents them. (Backport PR #26752, Upstream PR #26344, @jrajahalme)
* ipsec: Split removeStaleXFRMOnce to fix deprioritization issue (Backport PR #26419, Upstream PR #26113, @jschwinger233)

CI Changes:
* ariane: don't skip verifier and l4lb tests on vendor/ changes (Backport PR #26801, Upstream PR #26715, @tklauser)
* hostfw tests flake workaround (Backport PR #25557, Upstream PR #25323, @tommyp1ckles)
* test: Fix and unquarantine Skip conntrack test (Backport PR #27030, Upstream PR #25038, @pchaigno)
* v1.11: ci: increase ginkgo kernel test timeout (#26921, @mhofstetter)
* v1.11: ci: use Ariane to trigger workflows (#26578, @nbusseneau)

Misc Changes:
* Add cilium bpf nodeid list to bugtool and print nodeid in hex in ipcache dump (Backport PR #26419, Upstream PR #26130, @brb)
* chore(deps): update actions/setup-go action to v4 (v1.11) (#26391, @renovate[bot])
* chore(deps): update all github action dependencies (v1.11) (minor) (#26452, @renovate[bot])
* chore(deps): update all github action dependencies (v1.11) (patch) (#26449, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26450, @renovate[bot])
* chore(deps): update docker.io/library/alpine docker tag to v3.16.6 (v1.11) (#26451, @renovate[bot])
* chore(deps): update docker.io/library/ubuntu:20.04 docker digest to c9820a4 (v1.11) (#26448, @renovate[bot])
* chore(deps): update hubble cli to v0.12.0 (v1.11) (minor) (#26769, @renovate[bot])
* docker: Detect default "desktop-linux" builder (Backport PR #26419, Upstream PR #25908, @jrajahalme)
* docs/ipsec: Clarify limitation on number of nodes (Backport PR #26872, Upstream PR #26810, @pchaigno)
* docs/ipsec: Document RSS limitation (Backport PR #27030, Upstream PR #26979, @pchaigno)
* docs/ipsec: Extend troubleshooting section (Backport PR #27030, Upstream PR #26808, @pchaigno)
* docs: clarify that L3 DNS policies require L7 proxy enabled (Backport PR #26419, Upstream PR #26180, @wedaly)
* docs: Pick up PyYAML 6.0.1 (Backport PR #26917, Upstream PR #26883, @michi-covalent)
* docs: reword incorrect L7 policy description (Backport PR #26419, Upstream PR #26092, @peterj)
* docs: Specify Helm chart version in "cilium install" commands (Backport PR #27030, Upstream PR #26934, @michi-covalent)
* Fix "make -C Documentation builder-image" (Backport PR #26917, Upstream PR #26874, @michi-covalent)
* test/provision/compile.sh: Make usable from dev VM (Backport PR #25557, Upstream PR #25352, @jrajahalme)

Other Changes:
* envoy: Bump envoy to v1.24.9 (#26807, @sayboras)
* envoy: Bump envoy version to v1.23.10 (#25891, @mhofstetter)
* envoy: Bump envoy version to v1.24.10 (#27067, @sayboras)
* envoy: Bump minor version to v1.24.x (#26329, @sayboras)
* install: Update image digests for v1.11.18 (#26268, @qmonnet)
* v1.11 docs: Use stable-v0.14.txt for cilium-cli version (#26467, @michi-covalent)

Docker Manifests

cilium

docker.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4
quay.io/cilium/cilium:v1.11.19@sha256:f71c973a9159158704012e1a065a3d484353ff4c2b4e05e10a03382f055adad4

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.11.19@sha256:9346b296322036d2df98bd0ebdc721f4fafd5449030c7fd5dc53b20103758eee
quay.io/cilium/clustermesh-apiserver:v1.11.19@sha256:9346b296322036d2df98bd0ebdc721f4fafd5449030c7fd5dc53b20103758eee

docker-plugin

docker.io/cilium/docker-plugin:v1.11.19@sha256:dc5eb50a89ef4fc31596f922fb63149f1e2d68a563ae5844cd83b61d7da7c04e
quay.io/cilium/docker-plugin:v1.11.19@sha256:dc5eb50a89ef4fc31596f922fb63149f1e2d68a563ae5844cd83b61d7da7c04e

hubble-relay

docker.io/cilium/hubble-relay:v1.11.19@sha256:8c1032dfb03359e0576061502196e06eefb8ef12743d602e075e7f97f56667e4
quay.io/cilium/hubble-relay:v1.11.19@sha256:8c1032dfb03359e0576061502196e06eefb8ef12743d602e075e7f97f56667e4

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.11.19@sha256:9cb60d9362a362b58bb33da6b7a4b73f7882d0bc580af74c91c50d3112a74e2e
quay.io/cilium/operator-alibabacloud:v1.11.19@sha256:9cb60d9362a362b58bb33da6b7a4b73f7882d0bc580af74c91c50d3112a74e2e

operator-aws

docker.io/cilium/operator-aws:v1.11.19@sha256:b121c72160abc99112bf155d05f3c09fca266a3ea026143d86da7376654f708b
quay.io/cilium/operator-aws:v1.11.19@sha256:b121c72160abc99112bf155d05f3c09fca266a3ea026143d86da7376654f708b

operator-azure

docker.io/cilium/operator-azure:v1.11.19@sha256:13c1030a90f38c483ae5b0696e0597c4129697f3af81e1eeb238d7d5a04e326e
quay.io/cilium/operator-azure:v1.11.19@sha256:13c1030a90f38c483ae5b0696e0597c4129697f3af81e1eeb238d7d5a04e326e

operator-generic

docker.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23
quay.io/cilium/operator-generic:v1.11.19@sha256:79b622067205037489dcfc3280a2b9a19b0ede9a1c83eb5b3064926fa6af6a23

operator

docker.io/cilium/operator:v1.11.19@sha256:26f479a21f3079eb0da4700b9ffd012dfce9b38d635486998bbe352b8f8df740
quay.io/cilium/operator:v1.11.19@sha256:26f479a21f3079eb0da4700b9ffd012dfce9b38d635486998bbe352b8f8df740


Security

Security wording was detected, but no CVEs were found.

Details

date: July 27, 2023, 10:23 p.m.
name: 1.11.19
type: Patch