|
| 1 | +--- |
| 2 | +title: Announcing Istio 1.24.4 |
| 3 | +linktitle: 1.24.4 |
| 4 | +subtitle: Patch Release |
| 5 | +description: Istio 1.24.3 patch release. |
| 6 | +publishdate: 2025-03-20 |
| 7 | +release: 1.24.4 |
| 8 | +--- |
| 9 | + |
| 10 | + |
| 11 | +This release contains bug fixes to improve robustness. This release note describes what’s different between Istio 1.24.3 and Istio 1.24.4. |
| 12 | + |
| 13 | +{{< relnote >}} |
| 14 | + |
| 15 | +## Changes |
| 16 | + |
| 17 | +- **Fixed** a bug with mixed-case Hosts in Gateway and TLS redirect resulted in stale RDS. |
| 18 | + ([Issue #49638](https://github.com/istio/istio/issues/49638)) |
| 19 | + |
| 20 | +- **Fixed** an issue where Ambient `PeerAuthentication` policies were overly strict. |
| 21 | + ([Issue #53884](https://github.com/istio/istio/issues/53884)) |
| 22 | + |
| 23 | +- **Fixed** failure to patch managed gateway/waypoint deployments during upgrade to 1.24. |
| 24 | + ([Issue #54145](https://github.com/istio/istio/issues/54145)) |
| 25 | + |
| 26 | +- **Fixed** a bug in where multiple STRICT port-level mTLS rules in an ambient mode PeerAuthentication policy would effectively result |
| 27 | +in a permissive policy due to incorrect evaluation logic (AND vs. OR). |
| 28 | + ([Issue #54146](https://github.com/istio/istio/issues/54146)) |
| 29 | + |
| 30 | +- **Fixed** the wording of the status message when L7 rules are present in an AuthorizationPolicy which is bound to ztunnel, to be clearer. |
| 31 | + ([Issue #54334](https://github.com/istio/istio/issues/54334)) |
| 32 | + |
| 33 | +- **Fixed** a bug where the request mirror filter incorrectly computed the percentage. |
| 34 | + ([Issue #54357](https://github.com/istio/istio/issues/54357)) |
| 35 | + |
| 36 | +- **Fixed** an issue where using a tag in the `istio.io/rev` label on a gateway caused the gateway to be improperly programmed, and to lack status. |
| 37 | + ([Issue #54458](https://github.com/istio/istio/issues/54458)) |
| 38 | + |
| 39 | +- **Fixed** an issue where out-of-order ztunnel disconnects could put `istio-cni` in a state where it believes it has no connections. |
| 40 | + ([Issue #54544](https://github.com/istio/istio/issues/54544)),([Issue #53843](https://github.com/istio/istio/issues/53843)) |
| 41 | + |
| 42 | +- **Fixed** an issue where access log order caused instability during connection draining. |
| 43 | + ([Issue #54672](https://github.com/istio/istio/issues/54672)) |
| 44 | + |
| 45 | +- **Fixed** an issue in the gateway chart where `--set platform` worked but `--set global.platform` did not. |
| 46 | + |
| 47 | +- **Fixed** an issue where ingress gateways did not use WDS discovery to retrieve metadata for ambient mode destinations. |
| 48 | + |
| 49 | +- **Fixed** an issue causing the `istio-iptables` command to fail when a non-built-in table is present in the system. |
| 50 | + |
| 51 | +- **Fixed** an issue causing configuration to be rejected when there is a partial overlap between IP addresses across multiple services. |
| 52 | +For example, a Service with `[IP-A]` and one with `[IP-B, IP-A]`. ([Issue #52847](https://github.com/istio/istio/issues/52847)) |
| 53 | + |
| 54 | +- **Fixed** DNS traffic (UDP and TCP) is now affected by traffic annotations like `traffic.sidecar.istio.io/excludeOutboundIPRanges` and `traffic.sidecar.istio.io/excludeOutboundPorts`. Before, UDP/DNS traffic would uniquely ignore these traffic annotations, even if a DNS port was specified, because of the rule structure. The behavior change actually happened in the 1.23 release series, but was left out of the release notes for 1.23. |
| 55 | + ([Issue #53949](https://github.com/istio/istio/issues/53949)) |
| 56 | + |
| 57 | +- **Fixed** validation webhook rejecting an otherwise valid configuration `connectionPool.tcp.IdleTimeout=0s`. |
| 58 | + ([Issue #55409](https://github.com/istio/istio/issues/55409)) |
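Review bot: The front matter is inconsistent at line 5: `description: Istio 1.24.3 patch release.` should read 1.24.4 to match `title`, `linktitle` and `release`. In the Changes list, line 26 has a stray word ("a bug in where multiple STRICT port-level mTLS rules"), and line 17 reads more cleanly as "a bug where mixed-case Hosts in Gateway and TLS redirect resulted in stale RDS". The entry on lines 26-27 describes STRICT port-level rules in an ambient mode PeerAuthentication policy effectively evaluating as permissive, so it is worth saying in the entry that the policy is enforced as STRICT after the fix. The entry on line 54 is tagged **Fixed** but its own text says the behavior change happened in the 1.23 release series, so consider wording it as a documentation of that earlier change to avoid implying that 1.24.4 alters DNS handling.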