thrift-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Laurent Goujon (Jira)" <>
Subject [jira] [Commented] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version
Date Mon, 27 Jan 2020 22:16:00 GMT


Laurent Goujon commented on THRIFT-5075:

Several projects I'm afraid so (less than THRIFT-4506 though):
- Apache Hive
- Apache Impala
- Apache Sentry

I open an issue against Hive to get the security vulnerability addressed (HIVE-22738), and
a ticket already exist to upgrade thrift (,
but no update on those. The situation is actually a bit worse because depending on if you
need to connect to a Hive 1 vs Hive 2 server, you might need to use a different client versions
(and not sure if Hive people feel like upgrading thrift versions on an older version too).

> Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version
> ----------------------------------------------------------
>                 Key: THRIFT-5075
>                 URL:
>             Project: Thrift
>          Issue Type: Bug
>            Reporter: Laurent Goujon
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
> Similar to THRIFT-4506, would it be possible to backport fixes for CVE-2019-0205 to 0.9.x
branch. There are still several projects still relying on 0.9.3-1, and the vulnerability seems
to impact them as well.
> I believe the fix for Java was part of THRIFT-4024

This message was sent by Atlassian Jira

View raw message