[
https://issues.apache.org/jira/browse/THRIFT-5972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18078199#comment-18078199
]
Shh commented on THRIFT-5972:
-----------------------------
_Just some more detailed information:_
The CVEs:
CVE-2026-41604 | high | 8.20 | libthrift | 0.22.0
CVE-2026-41602 | high | 7.50 | libthrift | 0.22.0
CVE-2025-48431 | high | 7.50 | libthrift | 0.22.0
CVE-2026-41603 | high | 7.40 | libthrift | 0.22.0
and "_The previous time gap_"
_Between:_
_“Release”: (0.22.0)_
[_https://github.com/apache/thrift/releases/tag/v0.22.0_]
[_Jens-G_|https://github.com/Jens-G] _released this_ *_May 23, 2025_*
_And:_
_And “public maven”_
[_https://mvnrepository.com/artifact/org.apache.thrift/libthrift_]
_0.22.0_
*_Jun 25, 2025_*
_Was over 1 month._
> 0.23.0 "published" to public Maven
> ----------------------------------
>
> Key: THRIFT-5972
> URL: https://issues.apache.org/jira/browse/THRIFT-5972
> Project: Thrift
> Issue Type: Improvement
> Components: Java - Library
> Affects Versions: 0.23.0
> Reporter: Shh
> Priority: Major
>
> Hi.
>
> 0.23.0 addresses a critical vulnerability
> and is available as a download here:
>
> [Release Version 0.23.0 · apache/thrift ·
> GitHub|https://github.com/apache/thrift/releases/tag/v0.23.0]
>
> My company's build systems are tied to public maven central.
>
> and 0.23.0 is not available here.
>
> [Maven Repository: org.apache.thrift »
> libthrift|https://mvnrepository.com/artifact/org.apache.thrift/libthrift]
> (currently only 0.22.0 and lower is available).
>
>
> I am kindly requesting that the library be "published" to maven-central.
>
> Note, the time gap on 0.22.0 seems to have been about one month.
>
> I appreciated the consideration.
>
> Thank you.