thrift-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James E. King III (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (THRIFT-4506) [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
Date Sat, 09 Mar 2019 15:11:00 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16788702#comment-16788702
] 

James E. King III commented on THRIFT-4506:
-------------------------------------------

I'm manually applying the changes to the 0.9.3 official tarball and will call a release. 
The build environment in the 0.9.3 package is no longer viable as some of the downloaded components
have been retired.  The project was not using docker extensively at that point, and we still
don't tag docker build containers that are known to work for a release (whatever the Travis
CI environment ends up using).  That should be added to the release procedures, I'll open
a ticket.

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in release builds
> ------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4506
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4506
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.5
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Minor
>              Labels: SASL, security
>             Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be processed in debug
builds, at https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
 The preceeding while loop can be changed to guarantee this assertion in all builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message