Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix CVE-2021-32740 #119

Merged
merged 5 commits into from
Jul 21, 2021
Merged

Fix CVE-2021-32740 #119

merged 5 commits into from
Jul 21, 2021

Conversation

danielhoherd
Copy link
Member

Fix CVE-2021-32740 in fluentd

@vishwas-astro
Copy link

@danielhoherd Do we need to update the version with this?

@danielhoherd
Copy link
Member Author

@vishwas-astro good catch!

@danielhoherd
Copy link
Member Author

danielhoherd commented Jul 16, 2021
edited
Loading

Unfortunately the addressable package is also installed by a dependency and it installs an outdated version.

var/lib/gems/2.7.0/gems/fluent-plugin-kubernetes_metadata_filter-2.7.1/Gemfile.lock (bundler)
=============================================================================================
Total: 1 (HIGH: 1, CRITICAL: 0)

+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| addressable | CVE-2021-32740   | HIGH     | 2.7.0             | 2.8.0         | rubygem-addressable:                  |
|             |                  |          |                   |               | ReDoS in templates                    |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-32740 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+

@danielhoherd
Copy link
Member Author

I've opened an issue and a pr upstream.

@danielhoherd
Copy link
Member Author

@vishwas-astro @andriisoldatenko @pgvishnuram The last vulnerable package was fixed upstream via fabric8io/fluent-plugin-kubernetes_metadata_filter#300

@danielhoherd danielhoherd merged commit a8bc897 into main Jul 21, 2021
@danielhoherd danielhoherd deleted the fluentd-CVE-2021-32740 branch July 21, 2021 18:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vishwas-astro vishwas-astro vishwas-astro approved these changes

@andriisoldatenko andriisoldatenko andriisoldatenko approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@danielhoherd @vishwas-astro @andriisoldatenko