CVE-2022-39379: Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. A remote code execution (RCE) vulnerability in non-default configurations of Fluentd allows unauthenticated attackers to execute arbitrary code via specially crafted JSON payloads. Fluentd setups are only affected if the environment variable `FLUENT_OJ_OPTION_MODE` is explicitly set to `object`. Please note: The option FLUENT_OJ_OPTION_MODE was introduced in Fluentd version 1.13.2. Earlier versions of Fluentd are not affected by this vulnerability. This issue was patched in version 1.15.3. As a workaround do not use `FLUENT_OJ_OPTION_MODE=object`. Please bump to 1.15.3.
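The affected range in the description above is narrow (the `object` Oj mode, and only versions from 1.13.2 up to but not including 1.15.3), so it is worth encoding it as a check rather than eyeballing it. The following POSIX sh script is an added example, not part of the bug report or of Fluentd's code; the `fluentd_affected` and `vercmp` functions are mine, and the final block assumes `fluentd --version` prints `fluentd <version>` on the running host.

```shell
#!/bin/sh
# Added example: decide whether a Fluentd deployment is inside the affected
# range for CVE-2022-39379 as stated in the advisory:
#   FLUENT_OJ_OPTION_MODE=object  AND  1.13.2 <= version < 1.15.3
# Everything below is constructed for illustration; nothing here is from
# the Fluentd project or the Gentoo ebuild.

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B on dotted numeric
# versions. A trailing non-numeric suffix on a component (e.g. the "-r1"
# of a Gentoo revision) is ignored; missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; if [ "$ah" = "$a" ]; then a=""; else a="${a#*.}"; fi
        bh="${b%%.*}"; if [ "$bh" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ah="${ah%%[!0-9]*}"; bh="${bh%%[!0-9]*}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# fluentd_affected VERSION MODE -> exit status 0 if the combination is
# vulnerable, 1 otherwise. MODE is the value of FLUENT_OJ_OPTION_MODE
# (empty when unset, which is the safe default).
fluentd_affected() {
    ver="$1"; mode="$2"
    [ "$mode" = "object" ] || return 1                 # non-default mode only
    [ "$(vercmp "$ver" 1.13.2)" -ge 0 ] || return 1    # option did not exist before
    [ "$(vercmp "$ver" 1.15.3)" -lt 0 ] || return 1    # fixed in 1.15.3
    return 0
}

# Stand-alone use: inspect the host this script runs on. Assumption: the
# `fluentd` binary reports its version as "fluentd X.Y.Z".
if command -v fluentd >/dev/null 2>&1; then
    installed="$(fluentd --version 2>/dev/null | awk '{print $2}')"
    if fluentd_affected "$installed" "${FLUENT_OJ_OPTION_MODE:-}"; then
        echo "fluentd $installed with FLUENT_OJ_OPTION_MODE=object: AFFECTED, upgrade to >=1.15.3 or unset the variable"
    else
        echo "fluentd ${installed:-unknown}: not in the affected range"
    fi
fi
```

Note that the environment variable must be checked in the service's environment (the unit file, OpenRC conf.d entry or container spec), not just the interactive shell you run this from; the check reports on what it can see.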
Ping!
I have updated fluentd to 1.14.6, EAPI 8, and ruby32. Unfortunately some tests fail, but this was already the case for 1.14.4. Hopefully this update will make it easier to add 1.15 or 1.16 to address this security issue.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=be5fa907eede6ea6961249477a4cb6b19aa5c9d0

commit be5fa907eede6ea6961249477a4cb6b19aa5c9d0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2023-12-31 10:34:02 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2023-12-31 10:46:12 +0000

    package.mask: Last rite app-admin/fluentd

    Bug: https://bugs.gentoo.org/879181
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed3b9a199f7d32bff1d280dc5f10ef403d5d34cc

commit ed3b9a199f7d32bff1d280dc5f10ef403d5d34cc
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2023-12-04 14:03:52 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-10 15:49:43 +0000

    app-admin/fluentd: add 1.16.3

    Bug: https://bugs.gentoo.org/879181
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/34126
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/fluentd/Manifest              |  1 +
 app-admin/fluentd/fluentd-1.16.3.ebuild | 70 +++++++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)
There is no current stable in-tree, so we just remove <1.16? There was a stable request for 1.14, which I think we should shelve for the time being.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e379896e502fca4405cbdd01d178212a6840b8bb

commit e379896e502fca4405cbdd01d178212a6840b8bb
Author:     Jaco Kroon <jaco@uls.co.za>
AuthorDate: 2024-01-11 14:59:33 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-01-20 13:30:14 +0000

    app-admin/fluentd: drop 1.14.4, 1.14.6

    Bug: https://bugs.gentoo.org/879181
    Signed-off-by: Jaco Kroon <jaco@uls.co.za>
    Closes: https://github.com/gentoo/gentoo/pull/34757
    Signed-off-by: Sam James <sam@gentoo.org>

 app-admin/fluentd/Manifest              |   2 -
 app-admin/fluentd/files/fluent.conf     | 139 --------------------------------
 app-admin/fluentd/fluentd-1.14.4.ebuild |  63 ---------------
 app-admin/fluentd/fluentd-1.14.6.ebuild |  63 ---------------
 4 files changed, 267 deletions(-)
(In reply to Jaco Kroon from comment #5)
> There is no current stable in-tree, so we just remove <1.16? There was a
> stable request for 1.14, which I think we should shelve for the time being.

Looks like there never was a stable version. I've updated the whiteboard accordingly, and that means we're all done here. Thanks!