Release v6.0.4

CHANGELOG.md

@@ -2,6 +2,76 @@
 
 About the past changelog entries, see [CHANGELOG v4](CHANGELOG-v4.md) [CHANGELOG v5](CHANGELOG-v5.md) instead.
 
+## Release v6.0.4 - 2026/06/26
+
+### News
+
+* Update bundled Fluentd to v1.19.3
+* Update bundled gems
+  * It contains fixes for `nokogiri` vulnerabilities (fixed in 1.19.4)
+  * Update bundled `rdkafka` to fix segmentation fault
+  * It contains fix for `addressable` vulnerability (CVE-2026-35611) which was fixed in 2.9.0. It might be affected if you use `webhdfs`.
+  * It contains fix for `faraday` vulnerability (CVE-2026-33637, CVE-2026-54297). It might be affected if you use `opensearch`/`elasticsearch`.
+  * It contains fix for `excon` vulnerability (CVE-2026-54171) which was fixed in 1.5.0. It might be affected if you use `opensearch`/`elasticsearch`/`opentelemetry`.
+  * It contains fix for `oj` vulnerability (CVE-2026-54500, CVE-2026-54502, CVE-2026-54592).
+* msi: fixed a bug that bundled ruby version was out-of-date.
+
+### Core component
+
+* ruby v3.4.9
+* jemalloc v3.6.0
+* OpenSSL 3.6.1 Windows
+* OpenSSL 3.0.8 macOS
+* gems
+  * fluentd v1.19.3 (update)
+  * msgpack 1.8.1 (update)
+  * oj 3.17.3 (update)
+  * webrick 1.9.2
+  * openssl 3.3.0
+
+### Bundled plugins and gems
+
+* aws-partitions v1.1150.0
+* aws-sdk-core v3.234.0
+* aws-sdk-kms v1.110.0
+* aws-sdk-s3 v1.208.0
+* aws-sdk-sqs v1.101.0
+* aws-sigv4 v1.12.1
+* elasticsearch v8.19.2
+* fluent-diagtool v1.0.5
+* fluent-plugin-elasticsearch v6.0.0
+* fluent-plugin-flowcounter-simple 0.1.0
+* fluent-plugin-kafka v0.19.7 (update)
+* fluent-plugin-metrics-cmetrics v0.1.2
+* fluent-plugin-fluent-package-update-notifier 0.2.3
+* fluent-plugin-obsolete-plugins v0.2.2
+* fluent-plugin-opensearch v1.1.6 (update)
+* fluent-plugin-opentelemetry 0.5.3 (update)
+* fluent-plugin-prometheus v2.2.2 (update)
+* fluent-plugin-prometheus_pushgateway v0.2.1
+* fluent-plugin-record-modifier v2.2.1
+* fluent-plugin-rewrite-tag-filter v2.4.0
+* fluent-plugin-s3 v1.8.5 (update)
+* fluent-plugin-sd-dns 0.1.0
+* fluent-plugin-systemd v1.1.1
+* fluent-plugin-td v1.2.0
+* fluent-plugin-utmpx v0.5.0
+* fluent-plugin-webhdfs v1.6.0
+* mini_portile2 v2.8.9
+* prometheus-client v4.2.5
+* rdkafka v0.27.0 (update)
+* ruby-kafka v1.5.0
+* systemd-journal v2.1.1
+* td-client v3.0.0
+* webhdfs v0.11.0
+
+On Windows
+
+* fluent-plugin-parser-winevt_xml v0.2.8
+* fluent-plugin-windows-exporter v1.0.0
+* winevt_c v0.11.5 (update)
+* nokogiri v1.19.4 (update)
+
 ## Release v6.0.3 - 2026/03/27
 
 ### News

fluent-package/Gemfile

@@ -20,10 +20,11 @@ gem "sigdump", "0.2.5"
 gem "http_parser.rb", "0.8.1"
 gem "yajl-ruby", "1.4.3"
 gem "serverengine", "2.4.0"
-gem "msgpack", "1.8.0"
-gem "oj", "3.16.11"
+gem "msgpack", "1.8.1"
+# fix  CVE-2026-54500, CVE-2026-54502, CVE-2026-54592
+gem "oj", "3.17.3"
 gem "tzinfo", "2.0.6"
-gem "tzinfo-data", "1.2026.1"
+gem "tzinfo-data", "1.2026.2"
 
 # Fluentd v1.19.0 requires io-event 1.10.x or before.
 # The dependency condition cannot be met with async >= 2.25
@@ -44,12 +45,19 @@ if ENV["INSTALL_GEM_FROM_LOCAL_REPO"]
     # https://github.com/fluent/fluent-package-builder/issues/618
     # NOTE: platforms: does not work in source ... do block
     gem "win32-service" if RUBY_PLATFORM =~ /mswin|mingw/
+    # Bundle forked version of ffi-win32-extensions until
+    # ffi 1.17.1 or later is supported.
+    # This workaround should be applied to fluent-package not to block using
+    # newer rdkafka to fix SEGV issue.
+    # https://github.com/fluent/fluent-package-builder/issues/1051
+    gem "ffi-win32-extensions" if RUBY_PLATFORM =~ /mswin|mingw/
   end
 else
   # Lock to specific revision
   git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
   gem "fluentd", github: "fluent/fluentd", ref: FLUENTD_REVISION
   gem "win32-service", github: "fluent-plugins-nursery/win32-service", branch: "fluent-package", platforms: [:mingw, :x64_mingw]
+  gem "ffi-win32-extensions", github: "fluent-plugins-nursery/ffi-win32-extensions", branch: "fluent-package", platforms: [:mingw, :x64_mingw]
 end
 
 # plugin gems
@@ -58,9 +66,9 @@ gem "elasticsearch", "8.19.2"
 gem "fluent-plugin-elasticsearch", "6.0.0"
 gem "ruby-kafka", "1.5.0"
 gem "digest-murmurhash", "1.1.1"
-gem "fluent-plugin-kafka", "0.19.6"
+gem "fluent-plugin-kafka", "0.19.7"
 gem "prometheus-client", "4.2.5"
-gem "fluent-plugin-prometheus", "2.2.1"
+gem "fluent-plugin-prometheus", "2.2.2"
 gem "fluent-plugin-prometheus_pushgateway", "0.2.1"
 gem "jmespath", "1.6.2"
 gem "aws-partitions", "1.1150.0"
@@ -69,7 +77,7 @@ gem "aws-sdk-kms", "1.110.0"
 gem "aws-sdk-sqs", "1.101.0"
 gem "aws-sigv4", "1.12.1"
 gem "aws-sdk-s3", "1.208.0"
-gem "fluent-plugin-s3", "1.8.4"
+gem "fluent-plugin-s3", "1.8.5"
 gem "httpclient", "2.9.0"
 gem "fluent-diagtool", "1.0.5"
 gem "td", "0.19.1"
@@ -85,26 +93,28 @@ gem "mini_portile2", "2.8.9"
 gem "cmetrics", "0.3.3"
 gem "fluent-plugin-metrics-cmetrics", "0.1.2"
 gem "opensearch-ruby", "3.4.0"
-gem "fluent-plugin-opensearch", "1.1.5"
+gem "fluent-plugin-opensearch", "1.1.6"
 gem "fluent-plugin-fluent-package-update-notifier", "0.2.3"
 gem "fluent-plugin-obsolete-plugins", "0.2.2"
-gem "fluent-plugin-opentelemetry", "0.5.2"
+gem "fluent-plugin-opentelemetry", "0.5.3"
 
-# fix CVE-2026-25765 for elasticseach and opensearch
-gem "faraday", "2.14.1"
+# fix CVE-2026-25765,CVE-2026-33637 for elasticseach and opensearch
+# fix CVE-2026-54297
+gem "faraday", "2.14.3"
 
 windows_platforms = [:mingw, :x64_mingw] # :mswin
 # ffi-win32-extensions doesn't support ffi 1.17.1 or later
-gem "ffi", "1.17.0", platforms: windows_platforms
-gem "ffi-win32-extensions", "1.1.0", platforms: windows_platforms
+gem "ffi", "1.17.4", platforms: windows_platforms
+# Use officially released version when PR was merged and released.
+#gem "ffi-win32-extensions", "1.1.0", platforms: windows_platforms
 # fiddle gem that isn't default gems as of Ruby 3.5
 gem "fiddle", "1.1.8", platforms: windows_platforms
-gem "nokogiri", "1.19.2", platforms: windows_platforms
+gem "nokogiri", "1.19.4", platforms: windows_platforms
 gem "win32-event", "0.6.3", platforms: windows_platforms
 gem "win32-ipc", "0.7.0", platforms: windows_platforms
 # Use officially released version when PR was merged and released.
 #gem "win32-service", "2.3.2", platforms: windows_platforms
-gem "winevt_c", "0.11.2", platforms: windows_platforms
+gem "winevt_c", "0.11.5", platforms: windows_platforms
 gem "win32-eventlog", "0.6.7", platforms: windows_platforms
 gem "fluent-plugin-parser-winevt_xml", "0.2.8", platforms: windows_platforms
 gem "fluent-plugin-windows-eventlog", "0.9.2", platforms: windows_platforms
@@ -116,7 +126,7 @@ gem "capng_c", "0.2.4", platforms: not_windows_platforms
 # (librdkafka 2.8.0 supports "OpenSSL without the ENGINE component")
 # librdkafka 2.8.0 can't be built on CentOS 7.
 unless platform_centos7?
-  gem "rdkafka", "0.21.0", platforms: not_windows_platforms
+  gem "rdkafka", "0.27.0", platforms: not_windows_platforms
 end
 gem "fluent-plugin-systemd", "1.1.1", platforms: not_windows_platforms
 gem "fluent-plugin-utmpx", "0.5.0", platforms: not_windows_platforms