[
https://issues.apache.org/jira/browse/THRIFT-5424?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17361210#comment-17361210
]
Jens Geyer edited comment on THRIFT-5424 at 6/10/21, 8:27 PM:
--------------------------------------------------------------
{quote}To reiterate on the situation{quote}
I understand that part. But -we- I already did 0.14.1 basically just because of
some Java issue.
I'll prepare the release, don't worry. Since nobody else seems interested ...
was (Author: jensg):
> To reiterate on the situation
I understand that part. But we already did 0.14.1 basically just because of
some Java issue.
I'll prepare the release, don't worry. Since nobody else seems interested ...
> Cut release 0.14.2
> ------------------
>
> Key: THRIFT-5424
> URL: https://issues.apache.org/jira/browse/THRIFT-5424
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.14.1
> Reporter: Andrey Yegorov
> Assignee: Jens Geyer
> Priority: Critical
> Fix For: 0.15.0
>
>
> libthrift release 0.13.0 (and 0.12.0) has vulnerabilities, such as
> CVE-2019-0205 , CVE-2019-0210 , CVE-2020-13949
> https://github.com/advisories/GHSA-g2fg-mr77-6vrm
> Unfortunately, upgrade to 0.14.1 is blocked by
> https://issues.apache.org/jira/browse/THRIFT-5383 which is fixed in
> [apache/thrift#2366|https://github.com/apache/thrift/pull/2366]
> We'll need 0.14.2 - with working json parsing and fixed vulnerabilities.
> For more context please see: [https://github.com/apache/bookkeeper/pull/2695]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
