newrelic / infrastructure-agent

New Relic Infrastructure Agent
https://docs.newrelic.com/docs/infrastructure/install-configure-manage-infrastructure
Apache License 2.0
132 stars 125 forks

bump FluentBit version to 2.0.0 - Fix CVE-2024-4323 #1877

Closed simonhoellein closed 3 months ago

simonhoellein commented 3 months ago

Bumped the FluentBit version to 2.0.0 (which includes Fluent Bit 3.0.4) to fix CVE-2024-4323.

Additional information about the CVE can be found here: https://fluentbit.io/blog/2024/05/21/statement-on-cve-2024-4323-and-its-fix/

CLAassistant commented 3 months ago

CLA assistant check
All committers have signed the CLA.

davidgit commented 3 months ago

Hello @simonhoellein,

We truly appreciate the effort you've put into submitting this PR.

As specified in CVE-2024-4323:

Memory corruption vulnerability has been found in Fluent Bit versions 2.0.7 through 3.0.3.

Given that the FluentBit version for Windows currently pinned is 1.9.3, the identified vulnerability doesn’t impact our infra agent.

The New Relic team supporting FluentBit is currently evaluating the merits of upgrading the FluentBit version for Windows. However, we are unable to commit to a definitive timeline for this yet. When deciding to address a problem, we consider various factors such as the nature of the problem, its impact on customers, and the needed development effort.

To take your feature request further, we suggest filing a Feature Request (FR). When submitting your FR, please reference this GitHub issue.

Thank you!

simonhoellein commented 3 months ago

Hello @davidgit,

This may be true for the Windows release, but the Linux one uses the New Relic FluentBit version 1.19.1, which is equal to FluentBit version 2.2.0 (which is impacted by the CVE).

Please reconsider this PR
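The disagreement in this thread comes down to one check: does the Fluent Bit release actually shipped by the agent fall inside the affected range quoted from the CVE (2.0.7 through 3.0.3), once New Relic's own bundle version has been mapped to the upstream release it contains? The script below is an added example, not code from the infrastructure-agent repository or from either participant. It takes the affected range and the fixed release (3.0.4) from the thread, and its bundle-to-upstream table holds only the two pairs stated above (1.19.1 → 2.2.0 on Linux, 2.0.0 → 3.0.4 after this PR); any other bundle version is reported as unknown rather than guessed. The `fluent-bit --version` banner format is an assumption, and the sample banner is constructed.

```python
"""Assess whether a Fluent Bit build is inside the CVE-2024-4323 affected range.

Added example, not project code. Affected range (2.0.7 through 3.0.3) and fixed
release (3.0.4) come from the PR thread; the bundle-to-upstream mapping holds
only the two pairs stated there and is otherwise an assumption.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected range quoted in the thread ("2.0.7 through 3.0.3").
AFFECTED_FROM: Version = (2, 0, 7)
AFFECTED_TO: Version = (3, 0, 3)
FIXED_IN: Version = (3, 0, 4)

# New Relic bundle version -> upstream Fluent Bit version it ships.
# Only the two pairs mentioned in the thread; anything else is unknown.
NR_BUNDLE_TO_UPSTREAM: Dict[Version, Version] = {
    (1, 19, 1): (2, 2, 0),  # Linux bundle per the reply on this PR
    (2, 0, 0): (3, 0, 4),   # the bundle this PR bumps to
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' (optional 'v' prefix, trailing suffix ignored)
    into a tuple of ints. Comparison must be numeric, not lexicographic:
    '2.0.10' sorts after '2.0.7' as a tuple but before it as a string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAJOR.MINOR.PATCH version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def version_from_banner(banner: str) -> Version:
    """Pull the version out of a `fluent-bit --version` banner.
    Assumed format (not taken from the page): first line 'Fluent Bit vX.Y.Z'."""
    first_line = banner.strip().splitlines()[0]
    m = _VERSION_RE.search(first_line)
    if not m:
        raise ValueError(f"no version in banner line: {first_line!r}")
    return parse_version(m.group(0))


def is_affected(upstream: Version) -> bool:
    """True if the upstream Fluent Bit version is inside the inclusive range."""
    return AFFECTED_FROM <= upstream <= AFFECTED_TO


def assess(version_text: str, bundled_by_newrelic: bool = False) -> dict:
    """Return {'input', 'upstream', 'verdict'} for a version string.

    With bundled_by_newrelic=True the string is a New Relic package version
    (as on Linux in the thread) and is first mapped to the upstream release it
    ships; comparing the bundle number against the CVE range directly would be
    meaningless. Verdicts: 'affected', 'not_affected', 'unknown_mapping'.
    """
    v = parse_version(version_text)
    upstream: Optional[Version]
    if bundled_by_newrelic:
        upstream = NR_BUNDLE_TO_UPSTREAM.get(v)
        if upstream is None:
            return {"input": v, "upstream": None, "verdict": "unknown_mapping"}
    else:
        upstream = v
    verdict = "affected" if is_affected(upstream) else "not_affected"
    return {"input": v, "upstream": upstream, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample banner in the assumed `fluent-bit --version` format.
    SAMPLE_BANNER = "Fluent Bit v2.2.0\nGit commit: 0000000\n"
    print("banner ->", version_from_banner(SAMPLE_BANNER))
    for label, text, bundled in [
        ("Windows pin (upstream)", "1.9.3", False),
        ("Linux bundle", "1.19.1", True),
        ("bundle after this PR", "2.0.0", True),
        ("last affected upstream", "3.0.3", False),
        ("first fixed upstream", "3.0.4", False),
    ]:
        print(f"{label:24s} {text:8s} -> {assess(text, bundled)['verdict']}")
```

The two cases argued in the thread come out as each participant says: the Windows pin 1.9.3 is below the range and not affected, while the Linux bundle 1.19.1 maps to upstream 2.2.0 and is affected. The important design point is that a bundle number is never compared against the CVE range directly; a bundle version without a known mapping is reported as unknown so it gets looked up rather than silently passed.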