airavata-dev mailing list archives

From Suresh Marru <sma...@apache.org>
Subject Re: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774
Date Tue, 15 Dec 2015 17:07:13 GMT
Hi Supun,

Thanks for noticing this. Since the CVE said all 0.9.2 and older may be affected, it might
be better if we move to 0.9.3 before the 0.16 release. I created a JIRA to track this task - https://issues.apache.org/jira/browse/AIRAVATA-1883

Suresh

> On Dec 10, 2015, at 3:34 PM, Supun Nakandala <supun.nakandala@gmail.com> wrote:
> 
> Should we consider upgrading to Thrift 0.9.3? Currently we are using 0.9.2.
> 
> ---------- Forwarded message ----------
> From: Jake Farrell <jfarrell@apache.org>
> Date: Tue, Dec 1, 2015 at 9:28 PM
> Subject: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774
> To: user@thrift.apache.org, dev@thrift.apache.org
> 
> 
> CVE-2015-1774
> 
> A security vulnerability was discovered in the Apache Thrift client libraries,
> CVE-2015-3254. It was determined that in some cases a remote user could
> cause unlimited recursion when the skip() function was called within the
> server. This has been addressed in the Apache Thrift 0.9.3 release and was
> tracked in THRIFT-3231 [2].
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected: All Apache Thrift versions 0.9.2 and older may be affected
> 
> Mitigation: Upgrading to the latest 0.9.3 release
> 
> 
> -Jake Farrell
> 
> [1]: CVE-2015-3254
> [2]: https://issues.apache.org/jira/browse/THRIFT-3231
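
The notice above concerns unbounded recursion in skip(). The following is an added example, not code from Thrift, Airavata or any poster in this thread: a minimal reader for Thrift's binary protocol whose skip() stops recursing once nesting exceeds max_depth, plus a constructed nested-struct input (nested_struct) for checking it. The type ids and wire layout are Thrift's binary protocol; SkipReader, nested_struct, skip_struct and the default limit of 64 are my own assumptions.

```python
import struct

STOP, BOOL, BYTE, DOUBLE, I16, I32, I64 = 0, 2, 3, 4, 6, 8, 10   # Thrift TType ids
STRING, STRUCT, MAP, SET, LIST = 11, 12, 13, 14, 15               # as sent on the wire
FIXED_WIDTH = {BOOL: 1, BYTE: 1, DOUBLE: 8, I16: 2, I32: 4, I64: 8}

class DepthExceeded(Exception): pass  # raised instead of recursing past max_depth
class SkipReader:
    def __init__(self, data, max_depth=64):
        self.buf, self.pos, self.max_depth = data, 0, max_depth
    def take(self, n):
        if n < 0 or self.pos + n > len(self.buf):
            raise EOFError("truncated or malformed message")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def i32(self):
        return struct.unpack(">i", self.take(4))[0]
    def skip(self, ttype, depth=0):
        if depth > self.max_depth:  # the guard an unbounded skip() lacks
            raise DepthExceeded("nesting deeper than %d" % self.max_depth)
        if ttype in FIXED_WIDTH:
            self.take(FIXED_WIDTH[ttype])
        elif ttype == STRING:            # [len i32][bytes]
            self.take(self.i32())
        elif ttype == STRUCT:            # [ftype][field id i16][value]... STOP
            while (ftype := self.take(1)[0]) != STOP:
                self.take(2)
                self.skip(ftype, depth + 1)
        elif ttype in (SET, LIST):       # [elem type][count i32][elements]
            etype = self.take(1)[0]
            for _ in range(self.i32()):
                self.skip(etype, depth + 1)
        elif ttype == MAP:               # [key type][val type][count i32][pairs]
            ktype, vtype = self.take(2)
            for _ in range(self.i32()):
                self.skip(ktype, depth + 1)
                self.skip(vtype, depth + 1)
        else:
            raise ValueError("unknown type id %d" % ttype)

def nested_struct(levels):  # constructed sample: field 1 is a struct, `levels` deep
    return b"\x0c\x00\x01" * levels + b"\x00" * (levels + 1)

def skip_struct(data, max_depth=64):  # bytes consumed, or -1 if the depth limit fired
    reader = SkipReader(data, max_depth)
    try:
        reader.skip(STRUCT)
    except DepthExceeded:
        return -1
    return reader.pos
```

A truncated message raises EOFError rather than reading past the buffer, so both failure modes surface as exceptions a server can map to a protocol error.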
