Conversation

@jamie-albert
Member

Summary

Updates Ruby URI gem to version 0.12.5 in logstash-9.2 to address GHSA-j4pr-3wm6-xx2r (CVE-2025-61594).

Vulnerability Details

GHSA-j4pr-3wm6-xx2r is a bypass of the previous CVE-2025-27221 fix in Ruby's URI library. When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 standards and exposing user credentials.

Affected versions:

  • URI gem < 0.12.5
  • URI gem >= 0.13.0, < 0.13.3
  • URI gem >= 1.0.0, < 1.0.4

Fixed versions:

  • 0.12.5
  • 0.13.3
  • 1.0.4

Changes

  • logstash-9.2: epoch 0→1, added URI fix (was missing)

References

Related Issues

Updates Ruby URI gem to version 0.12.5 to address GHSA-j4pr-3wm6-xx2r
(CVE-2025-61594), a bypass of the previous CVE-2025-27221 fix. This
vulnerability allows password leakage when using the + operator to
combine URIs.
Signed-off-by: jamie-albert <jamie.albert@chainguard.dev>
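A version check against the affected and fixed ranges listed in the PR description, as an added example that is not part of this PR or of the Chainguard build itself. It uses Gem::Requirement and Gem::Version from RubyGems, and reads the constant URI::VERSION that the uri gem defines; the function names are hypothetical.

```ruby
require "rubygems"
require "uri"

# Affected ranges for GHSA-j4pr-3wm6-xx2r (CVE-2025-61594), copied from the
# PR description: < 0.12.5, >= 0.13.0 < 0.13.3, >= 1.0.0 < 1.0.4.
URI_GEM_AFFECTED = [
  Gem::Requirement.new("< 0.12.5"),
  Gem::Requirement.new(">= 0.13.0", "< 0.13.3"),
  Gem::Requirement.new(">= 1.0.0", "< 1.0.4"),
].freeze

# Fixed versions from the PR description, ascending.
URI_GEM_FIXED = %w[0.12.5 0.13.3 1.0.4].map { |s| Gem::Version.new(s) }.freeze

# True when the given uri gem version string falls inside an affected range.
def uri_gem_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  URI_GEM_AFFECTED.any? { |req| req.satisfied_by?(version) }
end

# Smallest fixed version that is >= the given one (the upgrade target this
# PR applies for the 0.12 series is 0.12.5); nil when not vulnerable.
def uri_gem_fixed_target(version_string)
  return nil unless uri_gem_vulnerable?(version_string)

  version = Gem::Version.new(version_string)
  URI_GEM_FIXED.find { |fixed| fixed >= version }
end

# Version of the uri library loaded in this Ruby process.
def installed_uri_gem_version
  URI::VERSION
end

if $PROGRAM_NAME == __FILE__
  v = installed_uri_gem_version
  status = uri_gem_vulnerable?(v) ? "AFFECTED, upgrade to #{uri_gem_fixed_target(v)}" : "not affected"
  puts "uri gem #{v}: #{status}"
end
```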
@octo-sts
Contributor

octo-sts bot commented Jan 7, 2026

🔄 Build Failed: Git Checkout Error

remote: Repository not found.
fatal: repository 'https://github.com/chainguard-dev/iamguarded-tools/' not found

Build Details

Build System: Melange
Failure Point: git clone --quiet --origin=origin --config=user.name=Melange Build --config=user.email=melange-build@cgr.dev --config=advice.detachedHead=false --branch=main --depth=1 https://github.com/chainguard-dev/iamguarded-tools

Root Cause Analysis 🔍

The git repository 'https://github.com/chainguard-dev/iamguarded-tools' does not exist or is not accessible. This appears to be during the iamguarded-compat subpackage build process, where the build system is trying to clone a repository that either doesn't exist, is private, or the URL is incorrect.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: logstash-9.2.yaml

  • removal at line 175-280 (subpackages section)
    Original:
  - name: ${{package.name}}-iamguarded-compat
    description: "Logstash for IAMGuarded"
    dependencies:
      runtime:
        - bash # some helper scripts use bash and busybox utilities
        - busybox
        - coreutils
        - findutils
        - glibc-locale-en
        - glibc-locales
        - grep
        - net-tools
        - openjdk-${{vars.java-version}}-default-jdk
        - posix-libc-utils # Required for getent
        - sed
        - wolfi-baselayout
        - yq
    pipeline:
      - uses: iamguarded/build-compat
        with:
          package: logstash
          version: ${{vars.major-minor-version}}
      - runs: |
          mkdir -p /opt/iamguarded/logstash
          mkdir -p /opt/iamguarded/logstash/pipeline
          mkdir -p /opt/iamguarded/scripts/logstash/
          mkdir -p /opt/iamguarded/logstash/config/./

          src=docker/data/logstash
          dst="/opt/iamguarded/logstash"
          mkdir -p "${dst}/config" \
                   "${dst}/pipeline"

          tarball=$(find . -type f -name "logstash-oss-${{package.version}}-SNAPSHOT-no-jdk.tar.gz")
          if [ -z $tarball ]; then
            echo "Could not find logstash-oss tarball, nothing to unpack"
            exit 1
          fi

          tar --strip-components 1 \
            -C /opt/iamguarded/logstash \
            -xf $tarball

          install -m644 config/jvm.options                     "${dst}/config/jvm.options"
          install -m644 "${src}/config/pipelines.yml"          "${dst}/config/pipelines.yml"
          install -m644 "${src}/config/logstash-oss.yml"       "${dst}/config/logstash-oss.yml"
          install -m644 "${src}/config/logstash-full.yml"      "${dst}/config/logstash-full.yml"

          /opt/iamguarded/scripts/logstash/postunpack.sh

          # Link binaries and Java
          ln -sf /opt/iamguarded/scripts/logstash/entrypoint.sh ${{targets.contextdir}}/entrypoint.sh
          ln -sf /opt/iamguarded/scripts/logstash/run.sh ${{targets.contextdir}}/run.sh
      - runs: |
          # mkdir these empty directories to quiet various startup messages per upstream
          mkdir -p /iamguarded/logstash/data
          mkdir -p /iamguarded/logstash/pipeline
          mkdir -p /iamguarded/logstash/config
      - runs: |
          # use custom log4j2.properties
          cp /opt/iamguarded/logstash/config.default/log4j2.properties /opt/iamguarded/logstash/config.default/log4j2.orig.properties
          rm -f /opt/iamguarded/logstash/config.default/log4j2.properties
          install -Dm755 log4j2.custom.properties /opt/iamguarded/logstash/config.default/log4j2.properties
          # also have a custom logstash.yml
          rm /opt/iamguarded/logstash/config.default/logstash.yml
          install -Dm755 logstash.iamguarded.yml /opt/iamguarded/logstash/config.default/logstash.yml
      - runs: |
          find "/opt/iamguarded" \
            -path "/opt/iamguarded/logstash/vendor" -prune -o \
            -exec chmod g+rwX {} \;
          find / -perm /6000 -type f -exec chmod a-s {} \; || true
      - uses: iamguarded/finalize-compat
        with:
          package: logstash
          version: ${{vars.major-minor-version}}
    test:
      environment:
        contents:
          packages:
            - bash
            - curl
            - busybox
            - openjdk-${{vars.java-version}}
            - sudo
        accounts:
          groups:
            - groupname: logstash
              gid: 1001
          users:
            - username: logstash
              gid: 1001
              uid: 1001
          run-as: 0
      pipeline:
        - pipeline:
            - uses: iamguarded/test-compat
              with:
                package: logstash
                version: ${{vars.major-minor-version}}
            - runs: |
                run-script --version
                run-script --help
            - name: "start daemon on localhost"
              uses: test/daemon-check-output
              with:
                setup: |
                  chown logstash: -fR /iamguarded/logstash
                  chown logstash: -fR /opt/iamguarded
                start: |
                  sudo -ulogstash env \
                    "LS_JAVA_HOME=/usr/lib/jvm/default-jvm" \
                    "PATH=/opt/iamguarded/logstash/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
                    /opt/iamguarded/scripts/logstash/entrypoint.sh \
                    /opt/iamguarded/scripts/logstash/run.sh
                timeout: 180
                expected_output: |
                  Starting Logstash setup
                  Starting Logstash
                  Starting http input listener
                post: |
                  #!/bin/sh -e
                  sleep 1
                  url=http://localhost:8080
                  response=$(curl -fsS --connect-timeout 10 --max-time 20 --retry 5 --retry-delay 1 --retry-max-time 40 "$url") || {
                    echo "curl ${url} failed $?"
                    exit 1
                  }
                  echo "$response" | grep -q ok || {
                    echo "response from $url did not contain \"ok\""
                    echo "response: $response"
                    exit 1
                  }
                  echo "$url had expected output: $response"

Content:

Remove the entire iamguarded-compat subpackage as the required iamguarded tools repository is not available

Analysis

The similar fix shows that when the git repository 'https://github.com/chainguard-dev/iamguarded-tools/' is not found, the solution was to remove the subpackage that depends on it entirely. In the envoy-1.35 case, the fix involved updating the package version and removing the iamguarded-compat subpackage that was trying to access the non-existent repository. The pattern indicates that when iamguarded tools are not available, the iamguarded-compat subpackages should be removed rather than attempting to fix the repository URL.


Explanation

The fix removes the ${{package.name}}-iamguarded-compat subpackage entirely because the iamguarded tools repository at https://github.com/chainguard-dev/iamguarded-tools/ is not accessible. This follows the same pattern as the similar fix where the envoy iamguarded-compat subpackage was removed when the same repository issue occurred. The iamguarded/build-compat, iamguarded/finalize-compat, and iamguarded/test-compat pipeline steps all depend on tools from this repository, so without access to it, the entire subpackage cannot be built successfully. By removing this subpackage, the main logstash package and other subpackages can still be built without the iamguarded compatibility layer.


Alternative Approaches

  • If the iamguarded tools are expected to be available later, an alternative would be to update the repository URL to the correct location if it has moved
  • Another approach would be to temporarily disable just the iamguarded pipeline steps while keeping the subpackage structure, but this would result in a broken package
  • Could investigate if there's an alternative source or mirror for the iamguarded tools, but removal is the safest immediate fix


@octo-sts octo-sts bot added ai/skip-comment Stop AI from commenting on PR bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. labels Jan 7, 2026
