[
https://issues.apache.org/jira/browse/THRIFT-5424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17361085#comment-17361085
]
Andrey Yegorov commented on THRIFT-5424:
----------------------------------------
[~jensg] To reiterate on the situation:
- release 0.13.x has critical security vulnerabilities; patched in 0.14
- releases 0.14.0/0.14.1 have regression preventing their use (THRIFT-5383).
Generally speaking, such regressions justify minor releases.
I don't know how complicated/hard the release process is for libthrift.
If it is automated and simple enough, I think we have a good reason to just do
it.
I think it is ok if the non-Java libraries are released without changes in this
case, but I recognize that you might have reasons not to do that; I'd appreciate
it if you could briefly walk me through them.
If the release is planned soon anyway, having an ETA would help.
> Cut release 0.14.2
> ------------------
>
> Key: THRIFT-5424
> URL: https://issues.apache.org/jira/browse/THRIFT-5424
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.14.1
> Reporter: Andrey Yegorov
> Assignee: Jens Geyer
> Priority: Critical
> Fix For: 0.15.0
>
>
> libthrift release 0.13.0 (and 0.12.0) has vulnerabilities, such as
> CVE-2019-0205 , CVE-2019-0210 , CVE-2020-13949
> https://github.com/advisories/GHSA-g2fg-mr77-6vrm
> Unfortunately, the upgrade to 0.14.1 is blocked by
> https://issues.apache.org/jira/browse/THRIFT-5383, which is fixed in
> [apache/thrift#2366|https://github.com/apache/thrift/pull/2366]
> We'll need 0.14.2 with working JSON parsing and fixed vulnerabilities.
> For more context please see: [https://github.com/apache/bookkeeper/pull/2695]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)