Fluentd v1.19.3 is a security and hardening patch that tightens input validation in out_http, buffer/in_http, and output tag handling, and locks down default access for in_monitor_agent and in_debug_agent. The rest of the release is routine bug fixes and small dependency/CI cleanup.
securityStricter input validation across out_http, buffer/in_http, and output tag paths
Applies unconditionally in v1.19.3. out_http now strictly validates hostnames for dynamic endpoints, buffer and in_http enforce size limits on decompressed payloads, and output enforces strict path boundary checks on tag values. Together these close off request-smuggling and decompression-bomb style abuse paths; review any configs that build hosts, tags, or payload sizes from untrusted input.
breakingin_monitor_agent and in_debug_agent defaults now expose less by default
Applies unconditionally in v1.19.3. in_monitor_agent changes default visibility of config, retry, and debug info, and in_debug_agent now accepts connections only from the local machine by default. If you relied on remote access to either agent or exposed their full output externally, update firewall rules or explicit config options to restore the access you need.
主な変更 (7)
- Security hardening (medium severity): strict host validation in out_http for dynamic endpoints.
- Security hardening (medium severity): buffer and in_http enforce size limits on decompressed payloads, closing a decompression-bomb style risk.
- Security hardening (medium severity): output enforces strict path boundary validation on tag values.
- Default access change: in_monitor_agent now restricts default visibility of config, retry, and debug info.
- Default access change: in_debug_agent accepts connections only from the local machine by default.
- Bug fixes: storage_local non-ASCII read encoding error, parser_csv now skips empty/unparseable lines, out_forward stops reusing closed keepalive sockets, buffer resumes correctly with square brackets in its path.
- Plus minor items: win32-registry added as a Ruby 4.1 runtime dependency, a duplicated word removed from an error message, a shorter Windows shutdown timeout check, a timekey default warning, an antivirus exclusion doc note, and various CI fixes.