On 12/2/25 4:56 PM, Christian Brabandt wrote:
> Well, I have asked upstream
> https://github.com/fluent/fluent-bit/issues/11230 and they have
> confirmed and updated the blog post[1] to mention 4.0.13 as the proper
> backported fix.
> I did not check or even verify the other versions.
Thanks a lot for the reference, this was a missing link so far.
As it only includes "I think it should be 4.0.13", and as I noticed that
the linked blog post includes links to the relevant pull requests on
GitHub, I did a short analysis of my own here (also attached as plain text for
archiving purposes):
https://github.com/fluent/fluent-bit/issues/11230#issuecomment-3606609133
My initial assumption/assessment is that four out of the five issues /
CVEs are actually already fixed in 4.0.12 while one requires 4.0.13 for
a "full" fix and 4.1.1 is currently still partly affected by that one.
I have forwarded this information to the Fluent Bit Security Team and
asked them to publish official advisories for these CVEs as this could
largely clear up some confusion / inconsistencies on the affected and
fixed versions.

[Attached plain-text analysis]

Hello,
and sorry for the short follow-up, but I noticed that
https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/
includes links to the related / relevant PRs:
- https://github.com/fluent/fluent-bit/pull/10961
- https://github.com/fluent/fluent-bit/pull/10967
- https://github.com/fluent/fluent-bit/pull/10969
- https://github.com/fluent/fluent-bit/pull/10972
- https://github.com/fluent/fluent-bit/pull/10973
and if we check / follow these we can see each backport to the 4.0.x branch:
- https://github.com/fluent/fluent-bit/pull/10982
- https://github.com/fluent/fluent-bit/pull/10991
- https://github.com/fluent/fluent-bit/pull/10983
- https://github.com/fluent/fluent-bit/pull/10984
- https://github.com/fluent/fluent-bit/pull/10986
If we finally check https://github.com/fluent/fluent-bit/releases/tag/v4.0.12
we can see that these PRs are actually included in 4.0.12 and not in 4.0.13.
Only for the last issue (CWE-306, missing authentication in in_forward)
mentioned in the blog post have follow-up fixes been made, via these PRs for 4.2.0:
- https://github.com/fluent/fluent-bit/pull/11026
- https://github.com/fluent/fluent-bit/pull/11028
which ended up in 4.0.13 via this PR:
- https://github.com/fluent/fluent-bit/pull/11029
My initial assumption is that four out of the five issues / CVEs are actually
already fixed in 4.0.12 while one requires 4.0.13 for a "full" fix and 4.1.1 is
currently still partly affected by that one.
I think a publication of security advisories on
https://github.com/fluent/fluent-bit/security with relevant affected and fixed
versions with a follow-up update to the blog post could largely clear up some
confusion / inconsistencies on the affected and fixed versions.