thrift-dev mailing list archives

From "James E. King III (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (THRIFT-4506) [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
Date Sat, 09 Mar 2019 14:55:00 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16788697#comment-16788697 ]

James E. King III commented on THRIFT-4506:
-------------------------------------------

It is a single language patch for a CVE.  It did not go through the standard release cycle. 
There's no reason to publish 0.9.3-1 to other languages.  There is a branch for it.  There
is no release tag for it.  There is no official source upload for it, as it was not a full
release.  If this violated the Apache release rules, then it's my fault.  I was trying to
help the community avoid having to release their own 0.9.3-1 under a separate name.  We might
be able to get a dist package from 0.9.3.1, but the build environment is pretty old and may
no longer work.  We could take the 0.9.3.1 download zip/tarball from GitHub and bless it
but it would not have the built "configure" script.  So in order to release 0.9.3.1 it may
require rebuilding an older docker build environment.  Not impossible, but not trivial. 
So again, any violation of release rules is on me.  I probably shouldn't have tried to make
this patch at all.

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
> ------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4506
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4506
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.5
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Minor
>              Labels: SASL, security
>             Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be processed in debug builds, at https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
> The preceding while loop can be changed to guarantee this assertion in all builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
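
Added example, not part of the original message and not Thrift's code: Java evaluates an `assert` statement only when the JVM is started with `-ea`, so a post-condition written as an assertion after a negotiation loop is skipped in a default run, while an explicit check is one way to enforce it in all builds. The names `Mechanism`, `Status`, `negotiate`, `openWithAssert` and `openWithCheck` are hypothetical, and the message sequence is constructed.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;

// Added illustration with hypothetical names; not Thrift's TSaslTransport code.
public class AssertVsCheck {
    enum Status { OK, COMPLETE }              // constructed message types

    // Stand-in for a SASL mechanism: complete after processing one OK message.
    static final class Mechanism {
        private boolean complete;
        void evaluate(Status s) { if (s == Status.OK) complete = true; }
        boolean isComplete() { return complete; }
    }

    // Shared loop: it can end because the mechanism completed or because the
    // peer reported COMPLETE, so the caller must verify the post-condition.
    static Mechanism negotiate(Deque<Status> peer) {
        Mechanism m = new Mechanism();
        while (!m.isComplete() && !peer.isEmpty()) {
            Status s = peer.remove();
            if (s == Status.COMPLETE) break;
            m.evaluate(s);
        }
        return m;
    }

    // Before: the post-condition is an assert, evaluated only under -ea.
    static void openWithAssert(Deque<Status> peer) {
        Mechanism m = negotiate(peer);
        assert m.isComplete() : "negotiation incomplete";
    }

    // After: an explicit check that runs regardless of JVM flags.
    static void openWithCheck(Deque<Status> peer) {
        if (!negotiate(peer).isComplete()) throw new IllegalStateException("negotiation incomplete");
    }

    // Constructed input: the loop ends before the mechanism is complete.
    static Deque<Status> msgs() { return new ArrayDeque<>(List.of(Status.COMPLETE)); }

    static String outcome(Runnable open) {
        try { open.run(); return "accepted"; }
        catch (AssertionError | IllegalStateException e) { return "rejected"; }
    }

    public static void main(String[] args) {
        boolean ea = false;
        assert ea = true;                     // assignment runs only with -ea
        System.out.println("assertions enabled: " + ea);
        System.out.println("assert: " + outcome(() -> openWithAssert(msgs())));
        System.out.println("check:  " + outcome(() -> openWithCheck(msgs())));
    }
}
```

Compile with `javac AssertVsCheck.java`, then compare `java AssertVsCheck` with `java -ea AssertVsCheck`: only the assert variant changes its outcome between the two runs.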
