Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 0.8.0
- Patch, Important
Description
Zeppelin uses org.apache.thrift:0.9.2, which has the following security vulnerabilities.
Vulnerability details:
Number: CVE-2015-3254
Description:
The client libraries in Apache Thrift before 0.9.3 might allow remote authenticated users to cause a denial of service (infinite recursion) via vectors involving the skip function.
(source: https://www.cvedetails.com/cve/CVE-2015-3254/)
The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
(source: https://www.cvedetails.com/cve/CVE-2016-5397/)
Is there any upgrade/alternative planned for the above issue?
When I used org.apache.thrift 0.10.0 and 0.11.0, it showed compilation errors when I built from source.
Also, we have a few more similar issues:
- org.apache.thrift -> libthrift -> 0.9.2: CVE-2015-3254, fails to compile
- org.scala-lang -> scala-library -> 2.11.7: CVE-2017-15288, not feasible
- com.google.code.gson -> gson -> 2.2: fails to compile
- jackson-databind -> 2.8.11.1 -> apache -> 2.9.7: fails to compile
- jackson-annotations -> 2.8.0 -> apache -> 2.9.7: fails to compile