Details
- Task
- Status: Closed
- Critical
- Resolution: Fixed
- 0.14.1
- None
Description
libthrift release 0.13.0 (and 0.12.0) has vulnerabilities, such as CVE-2019-0205, CVE-2019-0210 and CVE-2020-13949 (https://github.com/advisories/GHSA-g2fg-mr77-6vrm).
Unfortunately, upgrading to 0.14.1 is blocked by https://issues.apache.org/jira/browse/THRIFT-5383, which is fixed in apache/thrift#2366.
We'll need 0.14.2, with working JSON parsing and fixed vulnerabilities.
For more context please see: https://github.com/apache/bookkeeper/pull/2695
Issue Links
- duplicates THRIFT-5383: TJSONProtocol Java readString throws on bounds check (Closed)