Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency fluentd to v1.15.3 [security] (main) #10839

Merged
merged 1 commit into from Oct 10, 2023
Merged

chore(deps): update dependency fluentd to v1.15.3 [security] (main) #10839

merged 1 commit into from Oct 10, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 10, 2023
edited

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
fluentd (source) '1.14.2' -> '1.15.3' age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-39379

Impact

A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable FLUENT_OJ_OPTION_MODE is explicitly set to object.

Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability.

Patches

v1.15.3

Workarounds

Do not use FLUENT_OJ_OPTION_MODE=object.

References

  • GHSL-2022-067

Release Notes

fluent/fluentd (fluentd)

v1.15.3

Compare Source

Bug Fix
Misc

v1.15.2

Compare Source

Enhancement
Bug Fix
Misc

v1.15.1

Compare Source

Bug Fix
Misc

v1.15.0

Compare Source

Enhancement
Bug fixes
Misc

v1.14.6

Compare Source

Enhancement
Bug fixes
Misc

v1.14.5

Compare Source

Enhancement
Bug fixes

v1.14.4

Compare Source

Enhancement
Bug fix

v1.14.3

Compare Source

Enhancement
Bug fix
Misc

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from a team as a code owner October 10, 2023 09:18
@renovate renovate bot added area/security dependencies Pull requests that update a dependency file labels Oct 10, 2023
@kavirajk kavirajk merged commit b2c4511 into main Oct 10, 2023
10 checks passed
@kavirajk kavirajk deleted the deps-update/main-rubygems-fluentd-vulnerability branch October 10, 2023 14:12
rhnasc pushed a commit to inloco/loki that referenced this pull request Apr 12, 2024
@renovate @rhnasc
chore(deps): update dependency fluentd to v1.15.3 [security] (main) (g…
3f1a762 
…rafana#10839)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [fluentd](https://www.fluentd.org/)
([source](https://togithub.com/fluent/fluentd)) | `'1.14.2'` ->
`'1.15.3'` |
[![age](https://developer.mend.io/api/mc/badges/age/rubygems/fluentd/1.15.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/fluentd/1.15.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/fluentd/'1.14.2'/1.15.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/fluentd/'1.14.2'/1.15.3?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2022-39379](https://togithub.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2)

### Impact
A remote code execution (RCE) vulnerability in non-default
configurations of Fluentd allows unauthenticated attackers to execute
arbitrary code via specially crafted JSON payloads.

Fluentd setups are only affected if the environment variable
`FLUENT_OJ_OPTION_MODE` is explicitly set to `object`.

Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd
version 1.13.2. Earlier versions of Fluentd are not affected by this
vulnerability.

### Patches
v1.15.3

### Workarounds
Do not use `FLUENT_OJ_OPTION_MODE=object`.

### References

* GHSL-2022-067

---

### Release Notes

<details>
<summary>fluent/fluentd (fluentd)</summary>

###
[`v1.15.3`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1153---20221102)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.15.2...v1.15.3)

##### Bug Fix

-   Support glob for `!include` directive in YAML config format

[fluent/fluentd#3917
-   Remove meaningless oj options

[fluent/fluentd#3929
-   Fix log initializer to correctly create per-process files on Windows

[fluent/fluentd#3939
-   out_file: Fix the multi-worker check with `<worker 0-N>` directive

[fluent/fluentd#3942

##### Misc

-   Fix broken tests on Ruby 3.2

[fluent/fluentd#3883

###
[`v1.15.2`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1152---20220822)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.15.1...v1.15.2)

##### Enhancement

-   Add a new system configuration `enable_jit`

[fluent/fluentd#3857

##### Bug Fix

-   out_file: Fix append mode with `--daemon` flag

[fluent/fluentd#3864
-   child_process: Plug file descriptor leak

[fluent/fluentd#3844

##### Misc

-   Drop win32-api gem to support Ruby 3.2

[fluent/fluentd#3849

###
[`v1.15.1`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1151---20220727)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.15.0...v1.15.1)

##### Bug Fix

-   Add support for concurrent append in out_file

[fluent/fluentd#3808

##### Misc

-   in_tail: Show more information on skipping update_watcher

[fluent/fluentd#3829

###
[`v1.15.0`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1150---20220629)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.14.6...v1.15.0)

##### Enhancement

-   in_tail: Add log throttling in files based on group rules

[fluent/fluentd#3535
-   Add `dump` command to fluent-ctl

[fluent/fluentd#3680
-   Handle YAML configuration format on configuration file

[fluent/fluentd#3712
- Add `restart_worker_interval` parameter in `<system>` directive to set
interval to restart workers that has stopped for some
reas[fluent/fluentd#3768

##### Bug fixes

-   out_forward: Fix to update timeout of cached sockets

[fluent/fluentd#3711
- in_tail: Fix a possible crash on file rotation when `follow_inodes
true`

[fluent/fluentd#3754
-   output: Fix a possible crash of flush thread

[fluent/fluentd#3755
-   in_tail: Fix crash bugs on Ruby 3.1 on Windows

[fluent/fluentd#3766
- in_tail: Fix a bug that in_tail cannot open non-ascii path on Windows

[fluent/fluentd#3774
- Fix a bug that fluentd doesn't release its own log file even after
rotated by
external
to[fluent/fluentd#3782

##### Misc

-   in_tail: Simplify TargetInfo related code

[fluent/fluentd#3489
-   Fix a wrong issue number in CHANGELOG

[fluent/fluentd#3700
-   server helper: Add comments to linger_timeout behavior about Windows

[fluent/fluentd#3701
-   service_discovery: Fix typo

[fluent/fluentd#3724
-   test: Fix unstable tests and warnings

[fluent/fluentd#3745

###
[`v1.14.6`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1146---20220331)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.14.5...v1.14.6)

##### Enhancement

-   Enable server plugins to specify socket-option `SO_LINGER`

[fluent/fluentd#3644
-   Add `--umask` command line parameter

[fluent/fluentd#3671

##### Bug fixes

-   Fix metric name typo

[fluent/fluentd#3630
- Apply modifications in pipeline to the records being passed to
`@ERROR` label

[fluent/fluentd#3631
-   Fix wrong calculation of retry interval

[fluent/fluentd#3640
-   Support IPv6 address for `rpc_endpoint` in `system` config

[fluent/fluentd#3641

##### Misc

-   CI: Support Ruby 3.1 except Windows

[fluent/fluentd#3619
-   Switch to GitHub Discussions

[fluent/fluentd#3654
-   Fix CHANGELOG.md heading styles

[fluent/fluentd#3648
-   Declare `null_value_pattern` as `regexp`

[fluent/fluentd#3650

###
[`v1.14.5`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1145---20220209)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.14.4...v1.14.5)

##### Enhancement

-   Add support for "application/x-ndjson" to `in_http`

[fluent/fluentd#3616
-   Add support for ucrt binary for Windows

[fluent/fluentd#3613

##### Bug fixes

-   Don't retry when `retry_max_times == 0`

[fluent/fluentd#3608
-   Fix hang-up issue during TLS handshake in `out_forward`

[fluent/fluentd#3601
-   Bump up required ServerEngine to v2.2.5

[fluent/fluentd#3599
-   Fix "invalid byte sequence is replaced" warning on Kubernetes

[fluent/fluentd#3596
- Fix "ArgumentError: unknown keyword: :logger" on Windows with Ruby 3.1

[fluent/fluentd#3592

###
[`v1.14.4`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1144---20220106)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.14.3...v1.14.4)

##### Enhancement

-   `in_tail`: Add option to skip long lines (`max_line_size`)

[fluent/fluentd#3565

##### Bug fix

- Incorrect BufferChunkOverflowError when each event size is <
`chunk_limit_size`

[fluent/fluentd#3560
- On macOS with Ruby 2.7/3.0, `out_file` fails to write events if
`append` is true.

[fluent/fluentd#3579
-   test: Fix unstable test cases

[fluent/fluentd#3574

###
[`v1.14.3`](https://togithub.com/fluent/fluentd/blob/HEAD/CHANGELOG.md#Release-v1143---20211126)

[Compare
Source](https://togithub.com/fluent/fluentd/compare/v1.14.2...v1.14.3)

##### Enhancement

-   Changed to accept `http_parser.rb` 0.8.0.
    `http_parser.rb` 0.8.0 is ready for Ractor.

[fluent/fluentd#3544

##### Bug fix

-   in_tail: Fixed a bug that no new logs are read when
    `enable_stat_watcher true` and `enable_watch_timer false` is set.

[fluent/fluentd#3541
-   in_tail: Fixed a bug that the beginning and initial lines are lost
after startup when `read_from_head false` and path includes wildcard
'\*'.[fluent/fluentd#3542
-   Fixed a bug that processing messages were lost when
    BufferChunkOverflowError was thrown even though only a specific
message size exceeds
chunk_limi[fluent/fluentd#3553

##### Misc

-   Bump up required version of `win32-service` gem.
newer version is required to implement additional `fluent-ctl` commands.

[fluent/fluentd#3556

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/grafana/loki).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy44LjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kavirajk kavirajk kavirajk approved these changes

Assignees
No one assigned
Labels
area/security dependencies Pull requests that update a dependency file size/XS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@kavirajk