Summary: | app-admin/fluentd: remote code execution via crafted JSON payloads | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | mgorny, ruby, treecleaner, williamh |
Priority: | Normal | Keywords: | PMASKED, PullRequest |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/fluent/fluentd/security/advisories/GHSA-fppq-mj76-fpj2 | ||
See Also: | https://github.com/gentoo/gentoo/pull/34757 | ||
Whiteboard: | ~1 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
John Helmert III
Ping!

I have updated fluentd to 1.14.6, EAPI 8, and ruby32. Unfortunately some tests fail, but this was already the case for 1.14.4. Hopefully this update will make it easier to add 1.15 or 1.16 to address this security issue.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be5fa907eede6ea6961249477a4cb6b19aa5c9d0

commit be5fa907eede6ea6961249477a4cb6b19aa5c9d0
Author: Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-12-31 10:34:02 +0000
Commit: Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-12-31 10:46:12 +0000

package.mask: Last rite app-admin/fluentd

Bug: https://bugs.gentoo.org/879181
Signed-off-by: Michał Górny <mgorny@gentoo.org>

profiles/package.mask | 8 ++++++++
1 file changed, 8 insertions(+)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed3b9a199f7d32bff1d280dc5f10ef403d5d34cc

commit ed3b9a199f7d32bff1d280dc5f10ef403d5d34cc
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2023-12-04 14:03:52 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-01-10 15:49:43 +0000

app-admin/fluentd: add 1.16.3

Bug: https://bugs.gentoo.org/879181
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/34126
Signed-off-by: Sam James <sam@gentoo.org>

app-admin/fluentd/Manifest | 1 +
app-admin/fluentd/fluentd-1.16.3.ebuild | 70 +++++++++++++++++++++++++++++++++
2 files changed, 71 insertions(+)

There is no current stable in-tree so we just remove <1.16? There was a stable request for 1.14, which I think we should shelve for the time being.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e379896e502fca4405cbdd01d178212a6840b8bb

commit e379896e502fca4405cbdd01d178212a6840b8bb
Author: Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-01-11 14:59:33 +0000
Commit: Sam James <sam@gentoo.org>
CommitDate: 2024-01-20 13:30:14 +0000

app-admin/fluentd: drop 1.14.4, 1.14.6

Bug: https://bugs.gentoo.org/879181
Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Closes: https://github.com/gentoo/gentoo/pull/34757
Signed-off-by: Sam James <sam@gentoo.org>

app-admin/fluentd/Manifest | 2 -
app-admin/fluentd/files/fluent.conf | 139 --------------------------------
app-admin/fluentd/fluentd-1.14.4.ebuild | 63 ---------------
app-admin/fluentd/fluentd-1.14.6.ebuild | 63 ---------------
4 files changed, 267 deletions(-)

(In reply to Jaco Kroon from comment #5)
> There is no current stable in-tree so we just remove <1.16? There was a
> stable request for 1.14, which I think we should shelve for the time being.

Looks like there never was a stable version. I've updated the whiteboard accordingly and that means we're all done here. Thanks!