oss-sec mailing list archives
Re: 5 CVE's fixed in Fluent Bit
From: Christian Fischer <christian.fischer () greenbone net>
Date: Wed, 3 Dec 2025 13:43:40 +0100
On 12/2/25 4:56 PM, Christian Brabandt wrote:
> Well, I have asked upstream https://github.com/fluent/fluent-bit/issues/11230 and they have confirmed and updated the blog post[1] to mention 4.0.13 as the proper backported fix. I did not check or even verify the other versions.
Thanks a lot for the reference, this was a missing link so far. As it only includes "I think it should be 4.0.13" and as I noticed that the linked blog post includes links to the relevant pull requests on GitHub, I did a short analysis of my own here (also attached as plain text for archiving purposes):

https://github.com/fluent/fluent-bit/issues/11230#issuecomment-3606609133

My initial assumption/assessment is that four out of the five issues / CVEs are actually already fixed in 4.0.12, while one requires 4.0.13 for a "full" fix and 4.1.1 is currently still partly affected by that one.
I have forwarded this information to the Fluent Bit Security Team and asked them to publish official advisories for these CVEs as this could largely clear up some confusion / inconsistencies on the affected and fixed versions.
Attachment:
fluentbit_analysis.txt