RATATOSKRATATOSK
Sign in

Releases

AI-analyzed release notes for CNCF graduated and incubating projects.

Project: FluentdClear ×

Fluentd

ObservabilityJun 25, 2026

Fluentd v1.19.3 is a security and hardening patch that tightens input validation in out_http, buffer/in_http, and output tag handling, and locks down default access for in_monitor_agent and in_debug_agent. The rest of the release is routine bug fixes and small dependency/CI cleanup.

  • securityStricter input validation across out_http, buffer/in_http, and output tag paths

    Applies unconditionally in v1.19.3. out_http now strictly validates hostnames for dynamic endpoints, buffer and in_http enforce size limits on decompressed payloads, and output enforces strict path boundary checks on tag values. Together these close off request-smuggling and decompression-bomb style abuse paths; review any configs that build hosts, tags, or payload sizes from untrusted input.

  • breakingin_monitor_agent and in_debug_agent defaults now expose less by default

    Applies unconditionally in v1.19.3. in_monitor_agent changes default visibility of config, retry, and debug info, and in_debug_agent now accepts connections only from the local machine by default. If you relied on remote access to either agent or exposed their full output externally, update firewall rules or explicit config options to restore the access you need.

Key changes (7)
  • Security hardening (medium severity): strict host validation in out_http for dynamic endpoints.
  • Security hardening (medium severity): buffer and in_http enforce size limits on decompressed payloads, closing a decompression-bomb style risk.
  • Security hardening (medium severity): output enforces strict path boundary validation on tag values.
  • Default access change: in_monitor_agent now restricts default visibility of config, retry, and debug info.
  • Default access change: in_debug_agent accepts connections only from the local machine by default.
  • Bug fixes: storage_local non-ASCII read encoding error, parser_csv now skips empty/unparseable lines, out_forward stops reusing closed keepalive sockets, buffer resumes correctly with square brackets in its path.
  • Plus minor items: win32-registry added as a Ruby 4.1 runtime dependency, a duplicated word removed from an error message, a shorter Windows shutdown timeout check, a timekey default warning, an antivirus exclusion doc note, and various CI fixes.
Source

Fluentd

ObservabilityFeb 19, 2026

Fluentd v1.19.2 delivers critical bug fixes for socket leaks and connection timeouts, with Ruby 4.0 compatibility improvements. Priority fix for production stability issues affecting out_forward and HTTP server plugins.

  • securityUpgrade immediately to fix socket leak vulnerability

    HTTP server plugin had socket leaks in POST requests that could lead to resource exhaustion. This is a critical fix for production environments using HTTP input plugins. Update immediately and monitor socket usage after deployment.

  • breakingUpdate out_forward configurations for timeout handling

    The out_forward plugin now properly handles connection timeouts to prevent infinite loops. Review your forward output configurations and monitor for any connection behavior changes, especially in high-throughput environments where connection stability is critical.

  • enhancementPrepare for Ruby 4.0 migration

    This release adds Ruby 4.0 compatibility with updated gem dependencies including ostruct and net-http. Plan your Ruby upgrade path and test this version in staging environments if you're planning to move to Ruby 4.0.

Key changes (5)
  • Fixed out_forward plugin timeout issue preventing infinite connection loops
  • Resolved socket leaks in HTTP server plugin POST requests
  • Fixed in_tail plugin errors when encountering unreadable files in glob patterns
  • Added Ruby 4.0 compatibility with updated gem dependencies
  • Fixed duplicate config file loading in config_include_dir
Source