Skip to content

in_opentelemetry: fix handling of content-length (CVE-2024-50609) #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 25, 2025
Merged

in_opentelemetry: fix handling of content-length (CVE-2024-50609) #8

merged 1 commit into from
Mar 25, 2025
+7 −0

Conversation

swapneils
Copy link

@swapneils swapneils commented Mar 25, 2025
edited
Loading

Original commit: fluent@104be94

CVE-2024-50609 was discovered via fuzzing on later versions, so uncertain whether it applies to 1.9.10. Still, the validation added as a fix is trivial and doesn't seem to meaningfully affect valid use-cases, so no harm in backporting it just in case.

Note: The original PR also fixed CVE-2024-50608. This is irrelevant to us, as our version does not have the in_prometheus_remote_write plugin.

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • Example configuration file for the change
  • Debug log output from testing the change
  • Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

@swapneils swapneils force-pushed the 1.9.10_otel-cve-fix-2025-03-25 branch from e3d018f to 97bda52 Compare March 25, 2025 23:12
@swapneils swapneils merged commit e4a311c into 1.9.10 Mar 25, 2025
9 of 14 checks passed
@ShelbyZ ShelbyZ mentioned this pull request Mar 27, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@singholt singholt singholt approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@swapneils @singholt