The project currently depends on libthrift-0.9.3, however thrift released 0.12.0 on 2019-JAN-04. This release includes a security fix for
THRIFT-4506 (CVE-2018-1320). Updating thrift to the latest version will remove that vulnerability.
Also note the Apache Thrift project does not publish "libfb303" any longer. fb303 is contributed code (in '/contrib') and it has not been maintained.
Ps.: 0.9.3.1 also addresses the CVE, see