From 252467c9919e4029ba6a8dd0c069b4503e8c3cc9 Mon Sep 17 00:00:00 2001
From: Paul Meyer
Date: Thu, 10 Oct 2024 14:51:35 +0200
Subject: [PATCH 1/5] Updated fluent-bit to upstream 3.1.9
---
 SPECS/fluent-bit/fluent-bit.signatures.json | 2 +-
 SPECS/fluent-bit/fluent-bit.spec | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/SPECS/fluent-bit/fluent-bit.signatures.json b/SPECS/fluent-bit/fluent-bit.signatures.json
index 15168d78cea..698bfe786fc 100644
--- a/SPECS/fluent-bit/fluent-bit.signatures.json
+++ b/SPECS/fluent-bit/fluent-bit.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "fluent-bit-3.0.6.tar.gz": "2cad0ac1e04646bc084b7bb3d5552589fa1997eaa5ba3fe2137a65ecf101cd9f"
+ "fluent-bit-3.1.9.tar.gz": "ac3a3e235e7f8a92d35f10c99f400f0b0571417a92e3c4caa467073733d42547"
 }
 }
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index d752a5444ed..a77a2d6ce0f 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -1,6 +1,6 @@
 Summary: Fast and Lightweight Log processor and forwarder for Linux, BSD and OSX
 Name: fluent-bit
-Version: 3.0.6
+Version: 3.1.9
 Release: 1%{?dist}
 License: Apache-2.0
 Vendor: Microsoft Corporation
From a6a28b0adb00ecc87621cd58e7adb4237e722891 Mon Sep 17 00:00:00 2001
From: Paul Meyer
Date: Thu, 10 Oct 2024 14:54:12 +0200
Subject: [PATCH 2/5] Allow lua plugin using system libraries (instead of pulling in a vendored version of luajit)
---
 SPECS/fluent-bit/fluent-bit.spec | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index a77a2d6ce0f..7c5176635e5 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -23,6 +23,7 @@ BuildRequires: pkgconfig
 BuildRequires: systemd-devel
 BuildRequires: systemd-rpm-macros
 BuildRequires: zlib-devel
+BuildRequires: luajit-devel
 %description
@@ -57,7 +58,7 @@ Development files for %{name}
 -DFLB_DEBUG=Off \
 -DFLB_TLS=On \
 -DFLB_JEMALLOC=On \
- -DFLB_LUAJIT=Off \
+ -DFLB_PREFER_SYSTEM_LIBS=On
 %cmake_build
@@ -65,7 +66,7 @@ Development files for %{name}
 %cmake_install
 %check
-%ctest --exclude-regex "flb-rt-in_podman_metrics|flb-rt-filter_lua|.*\\.sh"
+%ctest --exclude-regex "flb-rt-in_podman_metrics|.*\\.sh"
 %files
 %license LICENSE
@@ -80,6 +81,9 @@ Development files for %{name}
 %{_libdir}/fluent-bit/*.so
 %changelog
+* Thu Oct 10 2024 Paul Meyer - 3.1.9-1
+- Update to 3.1.9 to enable Lua filter plugin using system luajit library.
+
 * Tue May 28 2024 Neha Agarwal - 3.0.6-1
 - Update to v3.0.6 to fix CVE-2024-4323.
From f8063997750b697566e7ca84e98b66d4e82b2c0c Mon Sep 17 00:00:00 2001
From: Paul Meyer
Date: Thu, 10 Oct 2024 15:29:18 +0200
Subject: [PATCH 3/5] Updated cgmanifest
---
 cgmanifest.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cgmanifest.json b/cgmanifest.json
index bd38ff8b244..ddc96111d11 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -3678,8 +3678,8 @@
 "type": "other",
 "other": {
 "name": "fluent-bit",
- "version": "3.0.6",
- "downloadUrl": "https://github.com/fluent/fluent-bit/archive/refs/tags/v3.0.6.tar.gz"
+ "version": "3.1.9",
+ "downloadUrl": "https://github.com/fluent/fluent-bit/archive/refs/tags/v3.1.9.tar.gz"
 }
 }
 },
From 3b9bfe5c18a085e64c1b558b0565a03fc753d934 Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney
Date: Tue, 5 Nov 2024 13:47:49 -0800
Subject: [PATCH 4/5] Update to latest
---
 SPECS/fluent-bit/CVE-2024-25629.patch | 19 ------
 SPECS/fluent-bit/CVE-2024-28182.patch | 91 ---------------------------
 SPECS/fluent-bit/fluent-bit.spec | 3 +-
 3 files changed, 1 insertion(+), 112 deletions(-)
 delete mode 100644 SPECS/fluent-bit/CVE-2024-25629.patch
 delete mode 100644 SPECS/fluent-bit/CVE-2024-28182.patch
diff --git a/SPECS/fluent-bit/CVE-2024-25629.patch b/SPECS/fluent-bit/CVE-2024-25629.patch
deleted file mode 100644
index 86758d5fd74..00000000000
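Review bot: `+ -DFLB_PREFER_SYSTEM_LIBS=On`, the line replacing `-DFLB_LUAJIT=Off` in the first hunk, is a build-wide switch rather than a luajit-only one: it lets CMake pick up a system copy of every bundled library it can find, so which copies of c-ares, nghttp2, libyaml and similar end up linked depends on which -devel packages happen to be present in the build root, while only luajit-devel is pinned by BuildRequires. That makes the linked library set, and with it the set of CVE fixes that actually apply to this package, vary between builds rather than being fixed by the spec. Either add a BuildRequires for each library that is meant to come from the system, or switch only luajit if the 3.1.9 CMakeLists offers a per-library option (I believe it is `FLB_PREFER_SYSTEM_LIB_LUAJIT`; verify against the tarball), and record the intent above the line with `# Prefer system luajit only; other bundled libs stay vendored so the CVE patches carried in this spec keep applying`. Dropping `-DFLB_LUAJIT=Off` rather than setting it to On also makes the Lua plugin depend on the upstream default for that option, which is worth stating in the changelog entry.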
--- a/SPECS/fluent-bit/CVE-2024-25629.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/lib/c-ares-1.24.0/src/lib/ares__read_line.c b/lib/c-ares-1.24.0/src/lib/ares__read_line.c
-index d65ac1fcf..018f55e8b 100644
---- a/lib/c-ares-1.24.0/src/lib/ares__read_line.c
-+++ b/lib/c-ares-1.24.0/src/lib/ares__read_line.c
-@@ -59,6 +59,14 @@ ares_status_t ares__read_line(FILE *fp, char **buf, size_t *bufsize)
- return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
- }
- len = offset + ares_strlen(*buf + offset);
-+
-+ /* Probably means there was an embedded NULL as the first character in
-+ * the line, throw away line */
-+ if (len == 0) {
-+ offset = 0;
-+ continue;
-+ }
-+
- if ((*buf)[len - 1] == '\n') {
- (*buf)[len - 1] = 0;
- break;
diff --git a/SPECS/fluent-bit/CVE-2024-28182.patch b/SPECS/fluent-bit/CVE-2024-28182.patch
deleted file mode 100644
index e75a5551b68..00000000000
--- a/SPECS/fluent-bit/CVE-2024-28182.patch
+++ /dev/null
@@ -1,91 +0,0 @@
-diff --git a/lib/nghttp2/lib/includes/nghttp2/nghttp2.h b/lib/nghttp2/lib/includes/nghttp2/nghttp2.h
-index 66ea3c63c..5378daf43 100644
---- a/lib/nghttp2/lib/includes/nghttp2/nghttp2.h
-+++ b/lib/nghttp2/lib/includes/nghttp2/nghttp2.h
-@@ -440,7 +440,12 @@ typedef enum {
- * exhaustion on server side to send these frames forever and does
- * not read network.
- */
-- NGHTTP2_ERR_FLOODED = -904
-+ NGHTTP2_ERR_FLOODED = -904,
-+ /**
-+ * When a local endpoint receives too many CONTINUATION frames
-+ * following a HEADER frame.
-+ */
-+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
- } nghttp2_error;
-
- /**
-diff --git a/lib/nghttp2/lib/nghttp2_helper.c b/lib/nghttp2/lib/nghttp2_helper.c
-index 93dd4754b..b3563d98e 100644
---- a/lib/nghttp2/lib/nghttp2_helper.c
-+++ b/lib/nghttp2/lib/nghttp2_helper.c
-@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
- "closed";
- case NGHTTP2_ERR_TOO_MANY_SETTINGS:
- return "SETTINGS frame contained more than the maximum allowed entries";
-+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
-+ return "Too many CONTINUATION frames following a HEADER frame";
- default:
- return "Unknown error code";
- }
-diff --git a/lib/nghttp2/lib/nghttp2_session.c b/lib/nghttp2/lib/nghttp2_session.c
-index c0d86026a..51ed4494e 100644
---- a/lib/nghttp2/lib/nghttp2_session.c
-+++ b/lib/nghttp2/lib/nghttp2_session.c
-@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
- (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
- (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
- (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
-+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
-
- if (option) {
- if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
-@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
- }
- }
- session_inbound_frame_reset(session);
-+
-+ session->num_continuations = 0;
- }
- break;
- }
-@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
- }
- #endif /* DEBUGBUILD */
-
-+ if (++session->num_continuations > session->max_continuations) {
-+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
-+ }
-+
- readlen = inbound_frame_buf_read(iframe, in, last);
- in += readlen;
-
-diff --git a/lib/nghttp2/lib/nghttp2_session.h b/lib/nghttp2/lib/nghttp2_session.h
-index b119329a0..ef8f7b27d 100644
---- a/lib/nghttp2/lib/nghttp2_session.h
-+++ b/lib/nghttp2/lib/nghttp2_session.h
-@@ -110,6 +110,10 @@ typedef struct {
- #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
- #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
-
-+/* The default max number of CONTINUATION frames following an incoming
-+ HEADER frame. */
-+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
-+
- /* Internal state when receiving incoming frame */
- typedef enum {
- /* Receiving frame header */
-@@ -290,6 +294,12 @@ struct nghttp2_session {
- size_t max_send_header_block_length;
- /* The maximum number of settings accepted per SETTINGS frame. */
- size_t max_settings;
-+ /* The maximum number of CONTINUATION frames following an incoming
-+ HEADER frame. */
-+ size_t max_continuations;
-+ /* The number of CONTINUATION frames following an incoming HEADER
-+ frame. This variable is reset when END_HEADERS flag is seen. */
-+ size_t num_continuations;
- /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
- uint32_t next_stream_id;
- /* The last stream ID this session initiated. For client session,
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index 6153d2aaf9b..f626ec9a48f 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -8,8 +8,6 @@ Distribution: Azure Linux
 URL: https://fluentbit.io
 Source0: https://github.com/fluent/%{name}/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Patch0: CVE-2024-34250.patch
-Patch1: CVE-2024-25629.patch
-Patch2: CVE-2024-28182.patch
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: cyrus-sasl-devel
@@ -86,6 +84,7 @@ Development files for %{name}
 %changelog
 * Tue Nov 05 2024 Paul Meyer - 3.1.9-1
 - Update to 3.1.9 to enable Lua filter plugin using system luajit library.
+- Remove patches for CVE-2024-25629 and CVE-2024-28182 as they are fixed in 3.1.9.
 * Tue Oct 15 2024 Chris Gunn - 3.0.6-2
 - CVE-2024-34250
From 2efdfef08203f6dfba507cb186af0b6b5aa8684b Mon Sep 17 00:00:00 2001
From: Daniel McIlvaney
Date: Mon, 18 Nov 2024 11:28:03 -0800
Subject: [PATCH 5/5] Re-order deps
---
 SPECS/fluent-bit/fluent-bit.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SPECS/fluent-bit/fluent-bit.spec b/SPECS/fluent-bit/fluent-bit.spec
index f626ec9a48f..d53d88689a4 100644
--- a/SPECS/fluent-bit/fluent-bit.spec
+++ b/SPECS/fluent-bit/fluent-bit.spec
@@ -18,13 +18,13 @@ BuildRequires: gnutls-devel
 BuildRequires: graphviz
 BuildRequires: libpq-devel
 BuildRequires: libyaml-devel
+BuildRequires: luajit-devel
 BuildRequires: make
 BuildRequires: openssl-devel
 BuildRequires: pkgconfig
 BuildRequires: systemd-devel
 BuildRequires: systemd-rpm-macros
 BuildRequires: zlib-devel
-BuildRequires: luajit-devel
 %description
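Review bot: The first hunk of the fluent-bit.spec section drops `Patch1: CVE-2024-25629.patch` and `Patch2: CVE-2024-28182.patch` on the strength of the changelog claim that 3.1.9 fixes them, but nothing in the series shows the bundled c-ares and nghttp2 versions in the new tarball, and the deleted patches targeted `lib/c-ares-1.24.0` and `lib/nghttp2` inside it. Confirm from the 3.1.9 source tree that those bundled copies carry the fixes (the `ares__read_line` empty-line guard and the nghttp2 `max_continuations` limit are easy to look for) and record that in the changelog, e.g. `- Remove patches for CVE-2024-25629 and CVE-2024-28182: fixes verified present in the bundled c-ares and nghttp2 of 3.1.9`. `Patch0: CVE-2024-34250.patch` is kept without any statement that it was re-checked against 3.1.9; if upstream already contains that fix the patch is redundant or will fail to apply, so the changelog entry should say which. Note also that with `-DFLB_PREFER_SYSTEM_LIBS=On` set earlier in the series, the bundled copies may not be what is linked when the matching -devel packages are present in the build root, in which case the patch status of the system c-ares and nghttp2 packages is what governs exposure.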