[
https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16755499#comment-16755499
]
Mike Yoder commented on THRIFT-4506:
------------------------------------
Thanks _so much_ for the effort.
Version numbers: as far as I know, maven does not enforce anything at all wrt
version strings. I've seen some pretty horrible things, like
[https://mvnrepository.com/artifact/com.mchange/c3p0],
[https://mvnrepository.com/artifact/com.github.luben/zstd-jni,] and
[https://mvnrepository.com/artifact/com.google.errorprone/javac.] So that's the
least of your worries.
Compatibility: is it backwards-compatible from the point of view of a user of
the java client library?
> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in
> release builds
> ------------------------------------------------------------------------------------------
>
> Key: THRIFT-4506
> URL: https://issues.apache.org/jira/browse/THRIFT-4506
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.5
> Reporter: James E. King III
> Assignee: James E. King III
> Priority: Minor
> Labels: SASL, security
> Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be
> processed in debug builds, at
> https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
> The preceeding while loop can be changed to guarantee this assertion in all
> builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
