Source: libthrift-java
Version: 0.9.1-2
Severity: important
Tags: patch security upstream
Forwarded: https://issues.apache.org/jira/browse/THRIFT-4506

Hi,

The following vulnerability was published for libthrift-java.

CVE-2018-1320[0]:
| Apache Thrift Java client library versions 0.5.0 through 0.11.0 can
| bypass SASL negotiation isComplete validation in the
| org.apache.thrift.transport.TSaslTransport class. An assert used to
| determine if the SASL handshake had successfully completed could be
| disabled in production settings making the validation incomplete.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-1320
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320
[1] https://issues.apache.org/jira/browse/THRIFT-4506
[2] https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e

Regards,
Salvatore
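
The flaw class described in the CVE text above, shown as an added example that is not part of the original report and is not Thrift's code: a completion check written as a Java `assert` disappears when the JVM runs without `-ea` (the default), while an explicit check always runs. `Handshake`, `openWithAssert`, `openWithCheck` and `outcome` are hypothetical names, and the incomplete handshake is a constructed input.

```java
// Added illustration only; none of these names come from org.apache.thrift.
public class AssertBypassDemo {

    /** Hypothetical stand-in for a SASL client whose negotiation may not have finished. */
    interface Handshake {
        boolean isComplete();
    }

    /** Weak pattern: the validation exists only when assertions are enabled (-ea). */
    static void openWithAssert(Handshake h) {
        assert h.isComplete() : "SASL negotiation not complete";
        // From here on the caller would treat the transport as authenticated.
    }

    /** Hardened pattern: the validation runs regardless of JVM flags. */
    static void openWithCheck(Handshake h) {
        if (!h.isComplete()) {
            throw new IllegalStateException("SASL negotiation not complete");
        }
    }

    /** Runs one of the open methods and reports whether the handshake was accepted. */
    static String outcome(Runnable open) {
        try {
            open.run();
            return "accepted";
        } catch (AssertionError | IllegalStateException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed input: a handshake that never reached the complete state.
        Handshake incomplete = () -> false;

        // Standard idiom: the assignment only executes when assertions are enabled.
        boolean assertionsEnabled = false;
        assert assertionsEnabled = true;

        System.out.println("assertions enabled: " + assertionsEnabled);
        System.out.println("assert-based check: " + outcome(() -> openWithAssert(incomplete)));
        System.out.println("explicit check:     " + outcome(() -> openWithCheck(incomplete)));
    }
}
```

Run it once with `java -ea AssertBypassDemo` and once without the flag: only the explicit check rejects the incomplete handshake in both runs.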

