What's Changed
New or updated images
| component | image |
|---|---|
| operator | ghcr.io/kube-logging/logging-operator:6.7.0
|
| fluentd | ghcr.io/kube-logging/logging-operator/fluentd:6.7.0-full
|
| syslog-ng-reloader | ghcr.io/kube-logging/logging-operator/syslog-ng-reloader:6.7.0
|
| config-reloader | ghcr.io/kube-logging/logging-operator/config-reloader:6.7.0
|
| fluentd-drain-watch | ghcr.io/kube-logging/logging-operator/fluentd-drain-watch:6.7.0
|
| buffer-volume-metrics | ghcr.io/kube-logging/logging-operator/node-exporter:6.7.0
|
| eventrouter | ghcr.io/kube-logging/eventrouter:1.0.0
|
Install with helm
helm install logging-operator oci://ghcr.io/kube-logging/helm-charts/logging-operator --version=6.7.0Security
CVE-2026-54680 — Fluentd configuration injection via unescaped CRD/secret values
CRD and secret-provided string values were written into the generated fluent.conf without escaping. A value containing a newline could terminate its directive and inject arbitrary Fluentd configuration (for example a <match> block with @type exec), enabling remote code execution in the aggregator. Parameter values containing newlines are now quoted and escaped, and newlines in structural fields (@type, @id, @label, @log_level, tag, directive and parameter names) are rejected at config-render time.
- Affected: ≤ 6.5.2
- Hardening shipped in: 6.6.0
Enhancements
Dependency and image updates
- chore(deps): bump net-imap from 0.5.14 to 0.5.15 in /images/fluentd/outputs by @dependabot[bot] in #2249
- chore(deps): bump github.com/open-telemetry/opentelemetry-operator from 0.151.0 to 0.152.0 by @dependabot[bot] in #2252
Bug fixes
Full Changelog: 6.6.0...6.7.0