fix: update fluent-bit #1244

Merged
merged 4 commits into from
Mar 10, 2023

Conversation

genofire
Collaborator

@genofire genofire commented Mar 10, 2023

The current version has Critical CVEs ...

Updating fluent-bit to 1.9.10, the newest patch level.

There is also 2.0.9 landed already.

@genofire
Collaborator Author

genofire commented Mar 10, 2023

Fixed Version:      1.1.1n-0+deb11u3
Installed Version:  1.1.1n-0+deb11u2
Links:
Primary Link:       https://avd.aquasec.com/nvd/cve-2022-2068
Resource:           libssl1.1
Score:              6.7
Severity:           CRITICAL
Target:             fluent/fluent-bit:1.9.5 (debian 11.3)
Title:              openssl: the c_rehash script allows command injection
Vulnerability ID:   CVE-2022-2068
Description:        The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.

@genofire
Collaborator Author

genofire commented Mar 10, 2023

Fixed Version:      4.16.0-2+deb11u1
Installed Version:  4.16.0-2
Links:
Primary Link:       https://avd.aquasec.com/nvd/cve-2021-46848
Resource:           libtasn1-6
Score:              5.9
Severity:           CRITICAL
Target:             fluent/fluent-bit:1.9.5 (debian 11.3)
Title:              libtasn1: Out-of-bound access in ETYPE_OK
Vulnerability ID:   CVE-2021-46848
Description:        In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

@genofire
Collaborator Author

genofire commented Mar 10, 2023

Fixed Version:      1.1.1n-0+deb11u3
Installed Version:  1.1.1n-0+deb11u2
Links:
Primary Link:       https://avd.aquasec.com/nvd/cve-2022-2068
Resource:           openssl
Score:              6.7
Severity:           CRITICAL
Target:             fluent/fluent-bit:1.9.5 (debian 11.3)
Title:              openssl: the c_rehash script allows command injection
Vulnerability ID:   CVE-2022-2068
Description:        The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial of service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.

@genofire
Collaborator Author

genofire commented Mar 10, 2023

Fixed Version:      1:1.2.11.dfsg-2+deb11u2
Installed Version:  1:1.2.11.dfsg-2+deb11u1
Links:
Primary Link:       https://avd.aquasec.com/nvd/cve-2022-37434
Resource:           zlib1g
Score:              7
Severity:           CRITICAL
Target:             fluent/fluent-bit:1.9.5 (debian 11.3)
Title:              zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
Vulnerability ID:   CVE-2022-3743

Contributor

@ahma ahma left a comment


Thanks @genofire

@ahma ahma merged commit 7ad9f33 into kube-logging:master Mar 10, 2023
@genofire genofire deleted the patch-2 branch March 10, 2023 11:19