thrift-dev mailing list archives

From: Jens Geyer <jensge...@hotmail.com>
Subject: [SECURITY] CVE-2019-0205 Announcement
Date: Wed, 16 Oct 2019 22:46:15 GMT

CVE-2019-0205: potential DoS when processing untrusted Thrift payloads

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Thrift up to and including 0.12.0

Description:
A server or client may run into an endless loop when fed with specific input data.

Because the issue had already been partially fixed by THRIFT-4024 in version 0.11.0, depending
on the installed version it affects only certain language bindings.

Mitigation:
Upgrade to version 0.13.0

Credit:
This issue was discovered by Hasnain Lakhani of Facebook.

On behalf of the Apache Thrift PMC,
Jens Geyer
