[https://issues.apache.org/jira/browse/THRIFT-5075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17032896#comment-17032896]
Jens Geyer edited comment on THRIFT-5075 at 2/8/20 1:12 PM:
------------------------------------------------------------
I thought a while about this and I'm still not convinced that we need it.
Thrift upgrades are in most cases (not always, though) rather painless, at
least that's my experience. So what could be a possible reason to stay with
0.9.3? If we receive another security report down the road, do we have to
maintain again both versions? Or will it be three, because someone also comes
up with some 0.11.0 or the like? So that approach obviously does not scale.
*Bottom line*: What can we all do to help improve the situation for these
three projects? Is there anything you need in order to help you with the
upgrade (aside from another 0.9.3 release, of course)?
PS: I'm only expressing a personal opinion, and if anyone else wants to prepare
another 0.9.3 release, I surely won't stand in the way.
was (Author: jensg):
I thought a while about this and I'm still not convinced that we need it.
Thrift upgrades are in most cases (not always, though) rather painless, at
least that's my experience. So what could be a possible reason to stay with
0.9.3? If we receive another security report down the road, do we have to
maintain again both versions? Or will it be three, because someone also comes
up with some 0.11.0 or the like?
*Bottom line*: What can we all do to help improve the situation for these
three projects? Is there anything you need, aside from another release, of
course?
PS: I'm only expressing a personal opinion, and if anyone else wants to prepare
another 0.9.3 release, I surely won't stand in the way.
> Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version
> ----------------------------------------------------------
>
> Key: THRIFT-5075
> URL: https://issues.apache.org/jira/browse/THRIFT-5075
> Project: Thrift
> Issue Type: Bug
> Reporter: Laurent Goujon
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Similar to THRIFT-4506, would it be possible to backport the fixes for
> CVE-2019-0205 to the 0.9.x branch? There are still several projects relying
> on 0.9.3-1, and the vulnerability seems to impact them as well.
> I believe the fix for Java was part of THRIFT-4024.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)