1.12.15
·
9717 commits
to main
since this release
v1.12.15
jrajahalme
Jarno Rajahalme
This tag was signed with the committer’s verified signature.
jrajahalme
Jarno Rajahalme
We are pleased to release Cilium v1.12.15. This is bug fix release addressing the recent HTTP/2 Stream Cancellation Attack (CVE-2023-44487) and other bugs:
- Envoy GHSA-jhv4-f7mr-xx76
- Go GHSA-qppj-fm5r-hxr3
Summary of Changes
Minor Changes:
- bump grpc dependency to 1.56.3 to fix security vulnerability GHSA-qppj-fm5r-hxr3 (#28529, @aanm)
- vendor, azure: Bump Azure SDK to Aug 2021 (Backport PR #28317, Upstream PR #28311, @christarazi)
Bugfixes:
- Add drop notifications for various error paths in the datapath. (Backport PR #28437, Upstream PR #25183, @julianwiedmann)
- Add drop notifications from various error paths in the BPF datapath. (Backport PR #28444, Upstream PR #26956, @julianwiedmann)
- bpf: fix error handling for invoke_tailcall_if() (Backport PR #28414, Upstream PR #26118, @julianwiedmann)
- bpf: lxc: fix one missing drop notification in CT lookup tail calls (Backport PR #28351, Upstream PR #26115, @julianwiedmann)
- envoy: Sync supported resources to fix not found issue (Backport PR #28351, Upstream PR #28272, @sayboras)
- Fix a bug that causes pod-to-pod traffic between nodes to be dropped when IPsec is enabled and kube-proxy installed rules in both iptables-nft and iptables-legacy. (Backport PR #28444, Upstream PR #28258, @pchaigno)
- Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (Backport PR #28295, Upstream PR #25426, @bleggett)
- Fix the trace notification for hairpinned reply traffic, to indicate the correct security identity for the client. (Backport PR #28295, Upstream PR #28133, @julianwiedmann)
- Fixes a bug causing panic when counting IPsec keys number via "cilium encrypt status". (Backport PR #28295, Upstream PR #27996, @jschwinger233)
- pkg/node: Updates GetIPv6AllocCIDRs() to Properly Return Secondary CIDRs (Backport PR #28104, Upstream PR #27855, @danehans)
CI Changes:
- [v1.12] ci: Add a call to the update label backport action (#27879, @pippolo84)
- [v1.14] GHA: Add clustermesh upgrade and downgrade tests (Backport PR #28564, Upstream PR #28355, @giorio94)
- CI: Add conn-disrupt-test action for reuse (Backport PR #28152, Upstream PR #27567, @jschwinger233)
- CI: Add conn-disrupt-test action for reuse (Backport PR #28295, Upstream PR #27567, @jschwinger233)
- CI: Add IPsec key rotation test (Backport PR #28152, Upstream PR #27203, @jschwinger233)
- CI: Move IPsec CI jobs into separate pipelines (Backport PR #28152, Upstream PR #26730, @jschwinger233)
- ci: Run BPF lints on workflow definition changes (Backport PR #28295, Upstream PR #28122, @qmonnet)
- ci: update k8s versions support for v1.12 (#28246, @nbusseneau)
- Do not hardcode the AWS VPC CNI plugin version in the conformance-aws-cni GHA workflow (Backport PR #28444, Upstream PR #28392, @giorio94)
- Refactor CiliumExecContext() Retry Logic (Backport PR #28295, Upstream PR #28131, @carnerito)
- Update image registry to quay.io (Backport PR #28295, Upstream PR #23093, @oxxenix)
- v1.12: manual backport of #27193 (#28227, @nbusseneau)
- workflows/ipsec: Add missing
--flush-ctfor key rotation (Backport PR #28152, Upstream PR #27883, @pchaigno)
Misc Changes:
- chore(deps): update all github action dependencies (v1.12) (patch) (#28114, @renovate[bot])
- chore(deps): update all github action dependencies to v3 (v1.12) (major) (#28116, @renovate[bot])
- chore(deps): update all lvh-images main (v1.12) (patch) (#27948, @renovate[bot])
- chore(deps): update all lvh-images main (v1.12) (patch) (#28215, @renovate[bot])
- chore(deps): update aws-actions/configure-aws-credentials action to v4 (v1.12) (#28117, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.12.1 (v1.12) (#28526, @renovate[bot])
- chore(deps): update dependency cilium/hubble to v0.12.2 (v1.12) (#28568, @renovate[bot])
- chore(deps): update docker.io/library/golang docker tag to v1.20.10 (v1.12) (#28517, @renovate[bot])
- chore(deps): update docker.io/library/golang:1.20.8 docker digest to 700d726 (v1.12) (#28113, @renovate[bot])
- chore(deps): update docker.io/library/ubuntu:20.04 docker digest to 0b5642e (v1.12) (#28582, @renovate[bot])
- chore(deps): update docker/build-push-action action to v4.2.1 (v1.12) (#28115, @renovate[bot])
- chore(deps): update docker/build-push-action action to v5 (v1.12) (#28118, @renovate[bot])
- chore(deps): update myrotvorets/set-commit-status-action action to v2 (v1.12) (#28119, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.12.1 (v1.12) (#28544, @renovate[bot])
- chore(deps): update quay.io/cilium/hubble docker tag to v0.12.2 (v1.12) (#28573, @renovate[bot])
- ci: fix AWS EKS K8s versions comment (Backport PR #28295, Upstream PR #28249, @nbusseneau)
- docs: Add more details for the Cluster Mesh key rotation (Backport PR #28295, Upstream PR #28145, @margamanterola)
- docs: egressgw: document incompatibility with Clustermesh (Backport PR #28104, Upstream PR #27918, @julianwiedmann)
- docs: Makefile, check-build.sh clean-ups and perf improvements (Backport PR #28295, Upstream PR #28161, @qmonnet)
- docs: Mention
RouteTableInterfacesOffsetin system requirements (Backport PR #28444, Upstream PR #28358, @gandro) - docs: Update Sphinx and its dependencies, Cilium theme (Backport PR #28295, Upstream PR #28172, @qmonnet)
- Fix potential nil pointer dereference in SelectorManager implementation (Backport PR #28104, Upstream PR #27805, @learnitall)
- fix(deps): update module golang.org/x/net to v0.17.0 [security] (#28552, @aanm)
- install/kubernetes: add the
cilium/values.yamltarget to.PHONY(Backport PR #28295, Upstream PR #28225, @nbusseneau) - ipsec: Atomically upgrade XFRM states with new output-mark (Backport PR #28564, Upstream PR #28485, @pchaigno)
- Update docs theme (Backport PR #28444, Upstream PR #28403, @raphink)
- Update Hubble UI from v0.11.0 to v0.12.1 (#28536, @rolinh)
Other Changes:
Contributors
gandro, raphink, and 19 other contributors