oss-sec mailing list archives
Re: 5 CVE's fixed in Fluent Bit
From: Christian Brabandt <cb () 256bit org>
Date: Tue, 2 Dec 2025 16:56:06 +0100
On Tue, 02 Dec 2025, Christian Fischer wrote:
> there seems to be indeed some confusion/inconsistencies about the possible fixes:
>
> 1. [1] lists 4.2, 4.1.1 and 4.0.14 as fixes
> 2. [2] lists 4.0.12, 4.1.1 and 4.2.0 as fixes
> 3. In this thread 4.0.13 (among 4.1.1 and 4.2.0) is now listed as a fix
>
> But if we check [3] version 4.0.13 only contains two changelog entries shared with version 4.1.1.
>
> Furthermore 4.0.12 was released more closely to 4.1.1 than 4.0.13 so the fixed versions on [2] might be the correct ones (4.0.12, 4.1.1 and 4.2.0).
>
> Regards,
>
> [1] https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/
> [2] https://kb.cert.org/vuls/id/761751
> [3] https://github.com/fluent/fluent-bit/releases

Well, I have asked upstream https://github.com/fluent/fluent-bit/issues/11230 and they have confirmed and updated the blog post [1] to mention 4.0.13 as the proper backported fix.

I did not check or even verify the other versions.

Thanks,
Christian
--
evakuieren ("to evacuate"): clearly shows that mankind's first dairy cow said "o'muh".
