[ 
https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16755451#comment-16755451
 ] 

James E. King III commented on THRIFT-4506:
-------------------------------------------

This proposal is predicated on whether the build environment for 0.9.3 is still 
viable.  I don't mind making a 0.9.3.1 (I have to ask, however, whether maven 
central would even recognize a 4-digit version number, as it is not SemVer compliant; 
according to SemVer, I could make a "0.9.3_1" but it is semantically 
identical to "0.9.3" in terms of a version comparison).

thrift 0.12.0 IS wire compatible with 0.9.3.  Projects currently using 0.9.3 
should upgrade as soon as possible to 0.12.0.  The number of breaking changes 
between 0.9.3 and 0.12.0 from language perspectives should be fairly minor and 
documented in the language-specific README files.  We definitely have 
accumulated a number of breaking changes in 0.13.0, all of which are documented 
in the top level CHANGES.md file.  We are being much more vigilant on tracking 
these than we have in the past.

Finally, I'd like to update the list of projects using thrift: you mentioned 
a number which are not in our list of projects that use thrift.

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in 
> release builds
> ------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4506
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4506
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.5
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Minor
>              Labels: SASL, security
>             Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be 
> processed in debug builds, at 
> https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
> The preceding while loop can be changed to guarantee this assertion in all 
> builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320
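The issue description above is about a check that exists only as a Java `assert`. The JVM evaluates `assert` statements only when started with `-ea`; in an ordinary release deployment the statement is a no-op, so a negotiation loop that trusts the peer's COMPLETE status and leaves "the mechanism really finished" to an assert accepts the peer's claim unchecked. The following is an added example, not Thrift's TSaslTransport code: the `Status`, `Message` and `FakeSaslClient` types are hypothetical stand-ins for Thrift's negotiation status, SASL message and `javax.security.sasl.SaslClient`, and the two peer message sequences are constructed inline. It shows the assert-only loop beside a version whose check holds in every build.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/*
 * Added example (not Apache Thrift's code). Models the shape of a client-side
 * SASL negotiation loop: the peer drives the loop with OK/COMPLETE messages,
 * and the local mechanism reports isComplete() once it has seen enough rounds.
 * All types below are hypothetical stand-ins; message sequences are constructed.
 */
public class SaslCompleteCheck {

    enum Status { OK, COMPLETE }

    static final class Message {
        final Status status;
        final byte[] payload;
        Message(Status status, byte[] payload) { this.status = status; this.payload = payload; }
    }

    /** Stand-in for a SASL client: complete only after two challenge round trips. */
    static final class FakeSaslClient {
        private int rounds;
        boolean isComplete() { return rounds >= 2; }
        byte[] evaluateChallenge(byte[] challenge) {
            rounds++;
            return new byte[] { (byte) rounds };
        }
    }

    /** Before: the loop trusts the peer's COMPLETE and leaves the real condition to an assert. */
    static void negotiateWithAssert(Deque<Message> fromPeer, Deque<Message> toPeer) {
        FakeSaslClient sasl = new FakeSaslClient();
        while (!sasl.isComplete()) {
            Message msg = fromPeer.poll();
            if (msg == null) throw new IllegalStateException("peer closed during negotiation");
            byte[] response = sasl.evaluateChallenge(msg.payload);
            if (msg.status == Status.COMPLETE) {
                break; // peer says it is done; nothing else is verified here
            }
            toPeer.add(new Message(sasl.isComplete() ? Status.COMPLETE : Status.OK, response));
        }
        // Evaluated only when the JVM runs with -ea; a plain `java SaslCompleteCheck` skips it.
        assert sasl.isComplete() : "peer sent COMPLETE before the mechanism finished";
    }

    /** After: the same condition is enforced with an exception, so it holds in every build. */
    static void negotiateChecked(Deque<Message> fromPeer, Deque<Message> toPeer) {
        FakeSaslClient sasl = new FakeSaslClient();
        while (!sasl.isComplete()) {
            Message msg = fromPeer.poll();
            if (msg == null) throw new IllegalStateException("peer closed during negotiation");
            byte[] response = sasl.evaluateChallenge(msg.payload);
            if (msg.status == Status.COMPLETE) {
                if (!sasl.isComplete()) {
                    throw new SecurityException("peer sent COMPLETE before the mechanism finished");
                }
                break;
            }
            toPeer.add(new Message(sasl.isComplete() ? Status.COMPLETE : Status.OK, response));
        }
    }

    /** Constructed sequence: an honest peer that completes after the expected rounds. */
    static Deque<Message> honestPeer() {
        Deque<Message> q = new ArrayDeque<>();
        q.add(new Message(Status.OK, new byte[] { 1 }));
        q.add(new Message(Status.COMPLETE, new byte[] { 2 }));
        return q;
    }

    /** Constructed sequence: a peer that claims COMPLETE on its very first message. */
    static Deque<Message> earlyCompletePeer() {
        Deque<Message> q = new ArrayDeque<>();
        q.add(new Message(Status.COMPLETE, new byte[] { 9 }));
        return q;
    }

    public static void main(String[] args) {
        negotiateWithAssert(honestPeer(), new ArrayDeque<>());
        negotiateChecked(honestPeer(), new ArrayDeque<>());
        System.out.println("honest peer: both versions complete normally");

        try {
            negotiateWithAssert(earlyCompletePeer(), new ArrayDeque<>());
            System.out.println("assert version: accepted early COMPLETE (run with -ea to see it fail)");
        } catch (AssertionError e) {
            System.out.println("assert version (-ea): " + e.getMessage());
        }

        try {
            negotiateChecked(earlyCompletePeer(), new ArrayDeque<>());
        } catch (SecurityException e) {
            System.out.println("checked version: " + e.getMessage());
        }
    }
}
```

Run it once as `java SaslCompleteCheck` and once as `java -ea SaslCompleteCheck`: the assert-only loop accepts the early COMPLETE in the first run and fails only in the second, while the checked loop rejects it in both. That is the difference the issue title points at: a condition the transport relies on must be enforced by the loop itself, not by an assertion that is absent from production.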



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
