enterprise-2.16.5
May 5, 2025
The 2.16.5 stable point release addresses CVE-2025-43915 and includes additional dependency upgrades.
Previous release: enterprise-2.16.4.
Supported Kubernetes versions
For this release, the minimum supported Kubernetes version remains 1.22, and the maximum supported Kubernetes version remains 1.31.
Who should upgrade?
Customers who are affected by CVE-2025-43915 should upgrade. All other customers should upgrade at their convenience. Note that there is a minor breaking change in this release, in order to mitigate this CVE. See upgrade guidance below.
Upgrade guidance
This is a stable point release designed to introduce minimal change. However, remediating CVE-2025-43915 requires disabling the authority label on inbound metrics by default. If you make use of these metrics labels, you must explicitly re-enable them in this release by following the instructions outlined here. Please see the instructions in Upgrading BEL for how to upgrade.
To upgrade with BEL’s lifecycle automation operator, you will need Buoyant Extension version v0.35.0 or later.
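As an added post-upgrade check (example code written for this note, not part of BEL or its documentation), the following Python parses a linkerd-proxy /metrics scrape and reports whether inbound request_total series still carry an authority label, so you can confirm the new default took effect after upgrading, or that re-enabling the label worked if you depend on it. It assumes the standard linkerd-proxy metric name request_total with direction and authority labels; the scrape text is constructed sample data.

```python
import re

# Constructed sample scrape (not real proxy output): two inbound series that
# still carry an authority label, one inbound series without it, and one
# outbound series, which this release does not change.
SAMPLE_BEFORE = """\
# HELP request_total Total count of HTTP requests.
# TYPE request_total counter
request_total{direction="inbound",authority="web.default.svc.cluster.local:8080",tls="true"} 42
request_total{direction="inbound",authority="api.default.svc.cluster.local:8080",tls="true"} 7
request_total{direction="inbound",tls="true"} 3
request_total{direction="outbound",authority="db.default.svc.cluster.local:5432",tls="true"} 9
"""

# Constructed sample of what a scrape looks like with the 2.16.5 default.
SAMPLE_AFTER = """\
request_total{direction="inbound",tls="true"} 52
request_total{direction="outbound",authority="db.default.svc.cluster.local:5432",tls="true"} 9
"""

_SERIES = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{(.*)\})?\s+(\S+)')
_LABEL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:\\.|[^"\\])*)"')


def parse_series(text):
    """Yield (metric, labels, value) for each sample line of exposition text."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SERIES.match(line)
        if not m:
            continue
        name, raw_labels, value = m.groups()
        labels = {}
        for key, val in _LABEL.findall(raw_labels or ""):
            # Undo the exposition-format escapes inside a label value.
            labels[key] = val.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")
        yield name, labels, float(value)


def inbound_authority_report(text, metric="request_total"):
    """Summarise whether inbound series of `metric` carry an authority label."""
    inbound = [labels for name, labels, _ in parse_series(text)
               if name == metric and labels.get("direction") == "inbound"]
    authorities = sorted({l["authority"] for l in inbound if "authority" in l})
    return {"inbound_series": len(inbound),
            "inbound_with_authority": sum("authority" in l for l in inbound),
            "distinct_authorities": len(authorities),
            "authorities": authorities}


def authority_label_enabled(text, metric="request_total"):
    """True if any inbound series of `metric` still carries an authority label."""
    return inbound_authority_report(text, metric)["inbound_with_authority"] > 0
```

Feed it the body of a proxy's /metrics response; a non-empty authorities list on inbound series means the label is still being populated.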
Changelog
- Add option to control whether inbound authority labels are populated
- Update distroless/cc-debian12 from db46784 to 3c62069
- Update golang from 1.24.1-alpine to 1.24.2-alpine
- Update library/ubuntu from focal-20241011 to focal-20250404
- Update curlimages/curl from 8.12.1 to 8.13.0
- Bump golang.org/x/net to 0.39.0 to remediate GHSA-vvgc-356p-c3xw and GHSA-qxp5-gwg8-xv66
- Bump golang.org/x/crypto to v0.37.0 to remediate GHSA-v778-237x-gjrc and GHSA-hcg3-q754-cr77
- Bump helm.sh/helm/v3 to v3.17.3 to remediate GHSA-4hfp-h4cw-hj8p and GHSA-5xqw-8hwv-wg92
- Bump github.com/containerd/containerd to v1.7.27 to remediate CVE-2024-40635 and GHSA-265r-hfxg-fhmg
- Bump github.com/docker/docker to v26.1.5 to remediate GHSA-v23v-6jw2-98fq