thrift-user mailing list archives

From Jake Farrell <jfarr...@apache.org>
Subject Re: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774
Date Thu, 10 Dec 2015 18:37:19 GMT
The CVE notice that went out in our board report was correct, CVE-2015-3254.
Please disregard CVE-2015-1774, not sure where that came in from

-Jake




On Wed, Dec 9, 2015 at 5:23 AM, Mark Thomas <markt@apache.org> wrote:

> Both the Subject and the heading in the body of this message do not
> agree with the CVE referenced in the main text.
>
> A correction needs to be issued.
>
> Mark
>
> On 02/12/2015 02:28, Jake Farrell wrote:
> > CVE-2015-1774
> >
> > A security vulnerability was discovered in the Apache Thrift client
> > libraries,
> > CVE-2015-3254. It was determined that in some cases a remote user could
> > cause unlimited recursion when the skip() function was called within the
> > server.
> > This has been addressed in the Apache Thrift 0.9.3 release and was
> > tracked in
> > THRIFT-3231 [2].
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected: All Apache Thrift versions 0.9.2 and older may be
> > affected
> >
> > Mitigation: Upgrading to the latest 0.9.3 release
> >
> >
> > -Jake Farrell
> >
> > [1]: CVE-2015-3254
> > [2]: https://issues.apache.org/jira/browse/THRIFT-3231
>
>
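The advisory quoted above describes unbounded recursion in skip(). As an added example (not code from the Apache Thrift project or from this thread), here is a depth-bounded skip over Thrift binary-protocol values. MAX_DEPTH = 64, the function names and the nested_structs sample builder are assumptions made for illustration.

```python
import struct

# Thrift binary protocol type ids
T_STOP, T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64 = 0, 2, 3, 4, 6, 8, 10
T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 11, 12, 13, 14, 15
FIXED = {T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8}
MAX_DEPTH = 64  # assumed limit for this example

class SkipError(ValueError): pass

def _need(buf, pos, n):
    # Bounds check: reject negative lengths and reads past the end of the buffer.
    if n < 0 or pos + n > len(buf):
        raise SkipError("truncated input or negative length")
    return pos + n

def _u8(buf, pos):
    end = _need(buf, pos, 1)
    return buf[pos], end

def _i32(buf, pos):
    end = _need(buf, pos, 4)
    return struct.unpack_from(">i", buf, pos)[0], end

def skip(buf, pos, ttype, depth=0):
    """Return the offset just past one value of ttype that starts at pos."""
    if depth > MAX_DEPTH:  # the guard: attacker-chosen nesting cannot exhaust the stack
        raise SkipError("nesting deeper than MAX_DEPTH")
    if ttype in FIXED:
        return _need(buf, pos, FIXED[ttype])
    if ttype == T_STRING:
        n, pos = _i32(buf, pos)
        return _need(buf, pos, n)
    if ttype == T_STRUCT:
        while True:
            ftype, pos = _u8(buf, pos)
            if ftype == T_STOP:
                return pos
            pos = skip(buf, _need(buf, pos, 2), ftype, depth + 1)  # 2 = i16 field id
    if ttype in (T_LIST, T_SET, T_MAP):
        k = 2 if ttype == T_MAP else 1  # a map header carries key and value type bytes
        etypes, pos = buf[pos:pos + k], _need(buf, pos, k)
        n, pos = _i32(buf, pos)
        for _ in range(n):  # every element consumes >= 1 byte, so this ends at EOF
            for et in etypes:
                pos = skip(buf, pos, et, depth + 1)
        return pos
    raise SkipError("unknown type id %d" % ttype)

def nested_structs(d):
    # Constructed sample: d struct fields (type 12, id 1) nested inside each other.
    return b"\x0c\x00\x01" * d + b"\x00" * (d + 1)
```

Without the depth check, the same function run on nested_structs(5000) would fail with Python's RecursionError instead of a controlled SkipError; in a native library the equivalent is stack exhaustion.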
