fix CVE-2026-33637

kenhys · kenhys · commit be0b38ab6fef · 2026-05-29T14:54:23.000+09:00
https://nvd.nist.gov/vuln/detail/CVE-2026-33637 GHSA-5rv5-xj5j-3484 Signed-off-by: Kentaro Hayashi <hayashi@clear-code.com>
diff --git a/fluent-package/Gemfile b/fluent-package/Gemfile
@@ -97,8 +97,8 @@ gem "fluent-plugin-fluent-package-update-notifier", "0.2.3"
 gem "fluent-plugin-obsolete-plugins", "0.2.2"
 gem "fluent-plugin-opentelemetry", "0.5.2"
 
-# fix CVE-2026-25765 for elasticseach and opensearch
-gem "faraday", "2.14.1"
+# fix CVE-2026-25765,CVE-2026-33637 for elasticseach and opensearch
+gem "faraday", "2.14.2"
 
 windows_platforms = [:mingw, :x64_mingw] # :mswin
 # ffi-win32-extensions doesn't support ffi 1.17.1 or later
diff --git a/fluent-package/Gemfile.lock b/fluent-package/Gemfile.lock
@@ -1,6 +1,6 @@
 GIT
   remote: https://github.com/fluent-plugins-nursery/ffi-win32-extensions
-  revision: da0b5539fe35c02a6d17da83ddef7cda688e7628
+  revision: a549365f60c06635bd9b14dd961db118721a2aec
   branch: fluent-package
   specs:
     ffi-win32-extensions (1.1.1)
@@ -17,8 +17,8 @@ GIT
 
 GIT
   remote: https://github.com/fluent/fluentd
-  revision: 00d3a1ed4ef5c3e48ed537c5960efecfe68df69d
-  ref: 00d3a1ed4ef5c3e48ed537c5960efecfe68df69d
+  revision: c16dd7ed11b9c158d30c189481b80099bcf9c5f8
+  ref: c16dd7ed11b9c158d30c189481b80099bcf9c5f8
   specs:
     fluentd (1.19.2)
       async-http (~> 0.86)
@@ -128,7 +128,7 @@ GEM
     faraday-excon (2.3.0)
       excon (>= 1.0.0)
       faraday (>= 2.11.0, < 3)
-    faraday-net_http (3.4.2)
+    faraday-net_http (3.4.3)
       net-http (~> 0.5)
     faraday_middleware-aws-sigv4 (1.0.1)
       aws-sigv4 (~> 1.0)
