diff --git a/_service b/_service
index 7834beb..31f2211 100644
--- a/_service
+++ b/_service
@@ -3,7 +3,7 @@
https://github.com/istio/istio
git
.git
- 1.20.2
+ 1.20.3
@PARENT_TAG@
disable
@@ -16,6 +16,6 @@
gz
- istio-1.20.2.obscpio
+ istio-1.20.3.obscpio
diff --git a/istio-1.20.2.obscpio b/istio-1.20.2.obscpio
deleted file mode 100644
index 187dd42..0000000
--- a/istio-1.20.2.obscpio
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:58f240df50eaec071ed880450723fb553c0f34f334310937a0359f67cb74a7cd
-size 30276621
diff --git a/istio-1.20.3.obscpio b/istio-1.20.3.obscpio
new file mode 100644
index 0000000..3180381
--- /dev/null
+++ b/istio-1.20.3.obscpio
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3bb7e27cfc330f137368d98b06d3e517c011edcf79c4fd7f377f5690571f7a76
+size 30283277
diff --git a/istio.obsinfo b/istio.obsinfo
index f3c3bcf..27e250e 100644
--- a/istio.obsinfo
+++ b/istio.obsinfo
@@ -1,4 +1,4 @@
name: istio
-version: 1.20.2
-mtime: 1704268501
-commit: 5f5d657c72d30a97cae97938de3a6831583e9f15
+version: 1.20.3
+mtime: 1706836300
+commit: 692e556046b48ebc471205211c68a2c69e74a321
diff --git a/istioctl.changes b/istioctl.changes
index 56f089d..77dcb7d 100644
--- a/istioctl.changes
+++ b/istioctl.changes
@@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Fri Feb 9 19:19:21 UTC 2024 - Johannes Kastl
+
+- update to 1.20.3:
+ https://istio.io/latest/news/releases/1.20.x/announcing-1.20.3/
+ * Improved graceful termination abort logic when the Envoy
+ process terminates early. (Issue #36686)
+ * Fixed an issue where updating a service’s TargetPort does not
+ trigger an xDS push. (Issue #48580)
+ * Fixed an issue where in-cluster analysis was unnecessarily
+ performed when there’s no configuration change. (Issue #48665)
+ * Fixed an issue where the webhook generated with istioctl tag
+ set is unexpectedly removed by the installer. (Issue #47423)
+ * Fixed a bug that results in the incorrect generation of
+ configurations for pods without associated services, which
+ includes all services within the same namespace. This can
+ occasionally lead to conflicting inbound listeners error.
+ * Fixed a bug that made PeerAuthentication too restrictive in
+ ambient mode.
+ * Fixed an issue causing Istio CNI to stop functioning on
+ minimal/locked down nodes (such as no sh binary). The new logic
+ runs with no external dependencies, and will attempt to
+ continue if errors are encountered (which could be caused by
+ things like SELinux rules). In particular, this fixes running
+ Istio on Bottlerocket nodes. (Issue #48746)
+
-------------------------------------------------------------------
Wed Jan 10 19:23:07 UTC 2024 - Johannes Kastl
diff --git a/istioctl.spec b/istioctl.spec
index 2a4ff93..d9676c9 100644
--- a/istioctl.spec
+++ b/istioctl.spec
@@ -19,7 +19,7 @@
%define __arch_install_post export NO_BRP_STRIP_DEBUG=true
Name: istioctl
-Version: 1.20.2
+Version: 1.20.3
Release: 0
Summary: CLI for the istio servic mesh in Kubernetes
License: Apache-2.0
diff --git a/vendor.tar.gz b/vendor.tar.gz
index df21962..d5b7b12 100644
--- a/vendor.tar.gz
+++ b/vendor.tar.gz
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:3ed4f80a7636e440c70a66df9f63ebfca740127f5bb8848a3d444a5fb88ba561
-size 24419967
+oid sha256:3f511977fbd4f0cd314ab95eb4501fe173a12f830361508caff1ae9ae5204c21
+size 24359808