[ https://issues.apache.org/jira/browse/THRIFT-5075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17032896#comment-17032896 ]

Jens Geyer commented on THRIFT-5075:
------------------------------------

I thought a while about this and I'm still not convinced that we need it.

Thrift upgrades are in most cases (not always, though) rather painless, at 
least that's my experience. So what could be a possible reason to stay with 
0.9.3? If we receive another security report down the road, do we have to 
maintain again both versions? Or will it be three, because someone also comes 
up with some 0.11.0 or the like? 

*Bottom line*: What can we all do to help improve the situation for these 
three projects? Is there anything you need, aside from another release of 
course?

PS: I'm only expressing personal opinion and if anyone else wants to prepare 
another 0.9.3 release - I surely won't stand in the way.


> Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version
> ----------------------------------------------------------
>
>                 Key: THRIFT-5075
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5075
>             Project: Thrift
>          Issue Type: Bug
>            Reporter: Laurent Goujon
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Similar to THRIFT-4506, would it be possible to backport fixes for 
> CVE-2019-0205 to 0.9.x branch? There are still several projects relying 
> on 0.9.3-1, and the vulnerability seems to impact them as well.
> I believe the fix for Java was part of THRIFT-4024.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
