Update dependency fluentd to v1.15.3 [SECURITY] (release-2.9.x) - autoclosed #10882
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
added
area/security
dependencies
renovate
bot
changed the title
renovate
bot
deleted the
deps-update/release-2.9.x-rubygems-fluentd-vulnerability
branch
renovate
bot
changed the title
renovate
bot
restored the
deps-update/release-2.9.x-rubygems-fluentd-vulnerability
branch
renovate
bot
force-pushed
the
deps-update/release-2.9.x-rubygems-fluentd-vulnerability
branch
from
7df5a4f to
0441b23
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
deleted the
deps-update/release-2.9.x-rubygems-fluentd-vulnerability
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
'1.14.2'->'1.15.3'fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration)
CVE-2022-39379 / GHSA-fppq-mj76-fpj2
More information
Details
Impact
A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.
Fluentd setups are only affected if the environment variable
FLUENT_OJ_OPTION_MODEis explicitly set toobject.Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.
Patches
v1.15.3
Workarounds
Do not use
FLUENT_OJ_OPTION_MODE=object.References
Severity
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
fluent/fluentd (fluentd)
v1.15.3Compare Source
Bug Fix
!includedirective in YAML config formathttps://github.com/fluent/fluentd/pull/39173917
https://github.com/fluent/fluentd/pull/39293929
https://github.com/fluent/fluentd/pull/39393939
<worker 0-N>directivehttps://github.com/fluent/fluentd/pull/39423942
Misc
https://github.com/fluent/fluentd/pull/38833https://github.com/fluent/fluentd/pull/3922ull/3922
v1.15.2Compare Source
Enhancement
enable_jithttps://github.com/fluent/fluentd/pull/38573857
Bug Fix
--daemonflaghttps://github.com/fluent/fluentd/pull/38643864
https://github.com/fluent/fluentd/pull/38443844
Misc
https://github.com/fluent/fluentd/pull/38493https://github.com/fluent/fluentd/pull/3866ull/3866
v1.15.1Compare Source
Bug Fix
https://github.com/fluent/fluentd/pull/38083808
Misc
https://github.com/fluent/fluentd/pull/38293829
v1.15.0Compare Source
Enhancement
https://github.com/fluent/fluentd/pull/35353https://github.com/fluent/fluentd/pull/3771ull/3771
dumpcommand to fluent-ctlhttps://github.com/fluent/fluentd/pull/36803680
https://github.com/fluent/fluentd/pull/37123712
restart_worker_intervalparameter in<system>directive to setinterval to restart workers that has stopped for some reashttps://github.com/fluent/fluentd/pull/3768ull/3768
Bug fixes
https://github.com/fluent/fluentd/pull/37113711
follow_inodes truehttps://github.com/fluent/fluentd/pull/37543754
https://github.com/fluent/fluentd/pull/37553755
https://github.com/fluent/fluentd/pull/37663766
https://github.com/fluent/fluentd/pull/37743774
external tohttps://github.com/fluent/fluentd/pull/3782ull/3782
Misc
https://github.com/fluent/fluentd/pull/34893489
https://github.com/fluent/fluentd/pull/37003700
https://github.com/fluent/fluentd/pull/37013701
https://github.com/fluent/fluentd/pull/37243724
https://github.com/fluent/fluentd/pull/37453https://github.com/fluent/fluentd/pull/3753uhttps://github.com/fluent/fluentd/pull/3767thttps://github.com/fluent/fluentd/pull/3783lhttps://github.com/fluent/fluentd/pull/3784nhttps://github.com/fluent/fluentd/pull/3785fhttps://github.com/fluent/fluentd/pull/3787com/test_child_process: Try to fix unstable tests fluent/fluentd#3787
v1.14.6Compare Source
Enhancement
SO_LINGERhttps://github.com/fluent/fluentd/pull/36443644
--umaskcommand line parameterhttps://github.com/fluent/fluentd/pull/36713https://github.com/fluent/fluentd/pull/3679ull/3679
Bug fixes
https://github.com/fluent/fluentd/pull/36303https://github.com/fluent/fluentd/pull/3673ull/3673
@ERRORlabelhttps://github.com/fluent/fluentd/pull/36313631
https://github.com/fluent/fluentd/pull/36403https://github.com/fluent/fluentd/pull/3649uhttps://github.com/fluent/fluentd/pull/3685thttps://github.com/fluent/fluentd/pull/3686luentd/pull/3686
rpc_endpointinsystemconfighttps://github.com/fluent/fluentd/pull/36413641
Misc
https://github.com/fluent/fluentd/pull/36193619
https://github.com/fluent/fluentd/pull/36543654
https://github.com/fluent/fluentd/pull/36483648
null_value_patternasregexphttps://github.com/fluent/fluentd/pull/36503650
v1.14.5Compare Source
Enhancement
in_httphttps://github.com/fluent/fluentd/pull/36163616
https://github.com/fluent/fluentd/pull/36133613
Bug fixes
retry_max_times == 0https://github.com/fluent/fluentd/pull/36083608
out_forwardhttps://github.com/fluent/fluentd/pull/36013601
https://github.com/fluent/fluentd/pull/35993599
https://github.com/fluent/fluentd/pull/35963596
https://github.com/fluent/fluentd/pull/35923592
v1.14.4Compare Source
Enhancement
in_tail: Add option to skip long lines (max_line_size)https://github.com/fluent/fluentd/pull/35653565
Bug fix
chunk_limit_sizehttps://github.com/fluent/fluentd/pull/35603560
out_filefails to write events ifappendis true.https://github.com/fluent/fluentd/pull/35793579
https://github.com/fluent/fluentd/pull/35743https://github.com/fluent/fluentd/pull/3577ull/3577
v1.14.3Compare Source
Enhancement
http_parser.rb0.8.0.http_parser.rb0.8.0 is ready for Ractor.https://github.com/fluent/fluentd/pull/35443544
Bug fix
enable_stat_watcher trueandenable_watch_timer falseis set.https://github.com/fluent/fluentd/pull/35413541
after startup when
read_from_head falseand path includes wildcard '*'.https://github.com/fluent/fluentd/pull/3542/3542BufferChunkOverflowError was thrown even though only a specific
message size exceeds chunk_limihttps://github.com/fluent/fluentd/pull/3553thttps://github.com/fluent/fluentd/pull/3562luentd/pull/3562
Misc
win32-servicegem.newer version is required to implement additional
fluent-ctlcommands.https://github.com/fluent/fluentd/pull/35563556
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.