Your message dated Wed, 3 Dec 2025 08:58:14 +0200
with message-id <aS/fhjBs0a2KNXn+@localhost>
and subject line Re: Bug#988948: CVE-2019-11939
has caused the Debian Bug report #988948,
regarding CVE-2019-11939
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
988948: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988948
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: thrift
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <[email protected]>

CVE-2019-11939:
https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757

Cheers,
         Moritz

--- End Message ---
--- Begin Message ---
On Thu, Mar 30, 2023 at 01:59:21PM +0200, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Wed, Mar 29, 2023 at 11:43:05PM +0200, Moritz Mühlenhoff wrote:
> > On Tue, Mar 28, 2023 at 09:29:57PM +0200, Salvatore Bonaccorso wrote:
> > > Hi László,
> > > 
> > > On Sun, Mar 26, 2023 at 04:13:01PM +0200, László Böszörményi wrote:
> > > > Hi,
> > > > 
> > > > On Fri, Mar 17, 2023 at 7:54 PM László Böszörményi (GCS) <[email protected]> wrote:
> > > > > On Thu, Mar 16, 2023 at 11:15 PM Moritz Mühlenhoff <[email protected]> wrote:
> > > > > > On Fri, May 21, 2021 at 09:46:31PM +0200, Moritz Muehlenhoff wrote:
> > > > > > > CVE-2019-11939:
> > > > > > > https://github.com/facebook/fbthrift/commit/483ed864d69f307e9e3b9dadec048216100c0757
> > > > > > is this fixed in Bookworm?
> > > > >  I let the Security Team decide how this should be treated. I will try
> > > > > to describe it in full and short.
> > > >  Friendly ping, how the Security Team sees this issue. I've provided
> > > > insights [1] and tend to think it's safe for Bullseye and later.
> > 
> > Sorry for the late reply, currently mostly offline.
> > 
> > > Strictly speaking if the code base diverged, CVE-2019-11939 would be
> > > for facebook's fbthrift only. If Apache thrift has a similar issue,
> > > which is my understanding of the THRIFT-5322 then it would need its own
> > > CVE, which does not seem to exist (In some cases a CVE might be used
> > > by multiple projects even if the code base is not the same).
> > > 
> > > I'm leaning to mark CVE-2019-11939 as NFU for facebook fbthrift
> > > specifically, and let alone the Apache Thrift issues for similar case.
> > > Given the issue would be no-dsa for bullseye and fixed in bookworm I
> > > would not do anything particular unless a CVE gets assigned.
> > > 
> > > Moritz, do you agree?
> > 
> > I agree, let's mark it as NFU: Facebook fbthrift and not track Apache
> > Thrift/src:thrift specifically here.
> 
> Updated the tracking information accordingly.

FTR, in src:thrift this is CVE-2020-13949 (#988949).

> Regards,
> Salvatore

cu
Adrian

--- End Message ---
