Bug 1072314 - (CVE-2017-10906) [security:logging] CVE-2017-10906: fluentd: Escape sequence injection in filter_parser.rb:filter_stream can lead to arbitrary command execution when processing logs
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Other
Version: Leap 42.3
Hardware: Other Other
Priority: P5 - None
Severity: Minor
Assigned To: Klaus Kämpf
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/196385/
Reported: 2017-12-12 07:22 UTC by Marcus Meissner
Modified: 2017-12-12 08:09 UTC
Found By: Security Response Team
Description Marcus Meissner 2017-12-12 07:22:47 UTC
rh#1524783

Escape sequence injection vulnerability in Fluentd versions 0.12.29 through
0.12.40 may allow an attacker to change the terminal UI or execute arbitrary
commands on the device via unspecified vectors.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1524783
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10906
https://github.com/fluent/fluentd/blob/v0.12/CHANGELOG.md#bug-fixes
https://github.com/fluent/fluentd/pull/1733
https://jvn.jp/en/vu/JVNVU95124098/index.html
Comment 1 Klaus Kämpf 2017-12-12 08:09:08 UTC
Package updated to 1.0.0