thrift-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James E. King III (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (THRIFT-4506) [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
Date Sun, 27 Jan 2019 13:21:00 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16753378#comment-16753378
] 

James E. King III commented on THRIFT-4506:
-------------------------------------------

I opened HIVE-21173 to track updating Apache Hive.  We don't normally make retroactive patches
like this.  For example the tooling to get things into maven, and the entire build environment
for 0.9.3 and 0.12.0 are quite different.  My recommendation is to move Hive to 0.12.0 to
resolve the CVE.

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
> ------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4506
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4506
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.5
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Minor
>              Labels: SASL, security
>             Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be processed in debug
builds, at https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
 The preceeding while loop can be changed to guarantee this assertion in all builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message