(CVE) Request upgrade c-ares library to 1.19.1

[giancorderoortiz]

Bug Report

Describe the bug
The following published vulnerabilities applicable to c-ares library can be fixed by upgrading c-ares library in fluent-bit project from 1.19.0 to 1.19.1:

https://nvd.nist.gov/vuln/detail/CVE-2023-31130
https://nvd.nist.gov/vuln/detail/CVE-2023-32067
https://nvd.nist.gov/vuln/detail/CVE-2023-31147
https://nvd.nist.gov/vuln/detail/CVE-2023-31124

To Reproduce

4 CVE vulnerabilities present in fluent-bit version 2.1.5.
See https://github.com/fluent/fluent-bit/blob/v2.1.5/cmake/libraries.cmake#L22

Expected behaviour

Future fluent-bit version 2.1.6 contains c-ares library 1.19.1 which fixes above mentioned vulnerabilities.

[waynec86]

Out of curiosity, which versions of fluent does this affect?

[giancorderoortiz]

Out of curiosity, which versions of fluent does this affect?

afaik 2.14 and 2.15.

[giancorderoortiz]

Update to c-ares library still pending.
https://github.com/fluent/fluent-bit/blob/v2.1.6/cmake/libraries.cmake#L22
https://github.com/fluent/fluent-bit/blob/v2.1.7/cmake/libraries.cmake#L22

Fluent-bit still vulnerable to these CVEs:

https://nvd.nist.gov/vuln/detail/CVE-2023-31130
https://nvd.nist.gov/vuln/detail/CVE-2023-32067
https://nvd.nist.gov/vuln/detail/CVE-2023-31147
https://nvd.nist.gov/vuln/detail/CVE-2023-31124

[giancorderoortiz]

@edsiper @celalettin1286 is it possible to update c-areas library to v1.19.1 for v2.1.8 release?

[edsiper]

FYI: #7843

[lecaros]

This was released as part of 2.1.9