[
https://issues.apache.org/jira/browse/JENA-1781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16980795#comment-16980795
]
ASF subversion and git services commented on JENA-1781:
-------------------------------------------------------
Commit 9ad64c7f686cef835830f191c70bb3f112e43bd2 in jena's branch
refs/heads/master from Andy Seaborne
[ https://gitbox.apache.org/repos/asf?p=jena.git;h=9ad64c7 ]
JENA-1781: Deal with THRIFT-5022 "isOpen"
> Upgrade Thrift to version 0.13.0
> --------------------------------
>
> Key: JENA-1781
> URL: https://issues.apache.org/jira/browse/JENA-1781
> Project: Apache Jena
> Issue Type: Dependency upgrade
> Components: ARQ, OSGi
> Reporter: Ken Treimann
> Assignee: Andy Seaborne
> Priority: Major
> Time Spent: 1h
> Remaining Estimate: 0h
>
> OWASP Dependency Check identifies Thrift version 0.12.0 as having the
> following vulnerabilites:
> [CVE-2019-0205|https://nvd.nist.gov/vuln/detail/CVE-2019-0205|https://nvd.nist.gov/vuln/detail/CVE-2019-0210]
> [CVE-2019-0210|https://nvd.nist.gov/vuln/detail/CVE-2019-0210]
> According to
> [CASSANDRA-15420|https://issues.apache.org/jira/browse/CASSANDRA-15420], this
> was partially fixed in version 0.11.0, but it still gets flagged as
> vulnerable. [This
> message|http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E]
> from the thrift-dev mailing list states that the mitigation is to upgrade to
> version 0.13.0.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
