vinayak shedgeri created ZEPPELIN-3793:
------------------------------------------

             Summary: Zeppelin uses org.apache.thrift 0.9.2, which has security 
vulnerability CVE-2015-3254
                 Key: ZEPPELIN-3793
                 URL: https://issues.apache.org/jira/browse/ZEPPELIN-3793
             Project: Zeppelin
          Issue Type: Bug
          Components: zeppelin-interpreter
    Affects Versions: 0.8.0
            Reporter: vinayak shedgeri
             Fix For: 0.8.0


Zeppelin uses org.apache.thrift:0.9.2, which has the following security 
vulnerability.
Vulnerability details:
Number: CVE-2015-3254
Description:

The client libraries in Apache Thrift before 0.9.3 might allow remote 
authenticated users to cause a denial of service (infinite recursion) via 
vectors involving the skip function.

(source: https://www.cvedetails.com/cve/CVE-2015-3254/)

The Apache Thrift Go client library exposed the potential during code 
generation for command injection due to using an external formatting tool. 
Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.

(source: https://www.cvedetails.com/cve/CVE-2016-5397/)

Is there any upgrade/alternate planned for above issue?

When I used org.apache.thrift 0.10.0 and 0.11.0, it showed a compilation error when I 
built from source.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

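The CVE-2015-3254 description above names the failure mode only briefly: the protocol-level skip routine recurses once per nested container, so a peer that sends a message with deeply nested lists, sets, maps or structs in a field the receiver does not recognise can drive the receiver into unbounded recursion. The following Python is an added illustration written for this page, not Zeppelin's or Apache Thrift's code; it re-implements binary-protocol skipping for a toy reader, once with no depth bound (the class of behaviour the CVE describes) and once with a nesting limit of the kind later Thrift releases enforce. The limit value DEFAULT_MAX_DEPTH = 64, the Reader class and the sample messages are assumptions constructed for the example.

```python
"""Unbounded vs. depth-limited field skipping for Thrift's binary protocol.

Added example code, not part of Zeppelin or libthrift. The Reader class,
the depth limit and the sample messages below are constructed assumptions.
"""
import struct

# Thrift binary-protocol type ids.
T_STOP, T_BOOL, T_BYTE, T_DOUBLE = 0, 2, 3, 4
T_I16, T_I32, T_I64, T_STRING = 6, 8, 10, 11
T_STRUCT, T_MAP, T_SET, T_LIST = 12, 13, 14, 15

DEFAULT_MAX_DEPTH = 64  # assumed nesting limit for the hardened variant


class Reader:
    """Minimal cursor over a received byte string (assumed helper)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        # Reject negative lengths and reads past the end of the buffer.
        if n < 0 or self.pos + n > len(self.data):
            raise ValueError("truncated or negative length")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def i16(self) -> int:
        return struct.unpack(">h", self.take(2))[0]

    def i32(self) -> int:
        return struct.unpack(">i", self.take(4))[0]


def _skip(r: Reader, ftype: int, remaining) -> None:
    """Skip one encoded value of type ftype.

    remaining is None for no bound (the unbounded-recursion behaviour the
    CVE describes) or the number of nesting levels still permitted.
    """
    if remaining is not None:
        if remaining == 0:
            raise ValueError("nesting depth limit exceeded")
        remaining -= 1
    if ftype in (T_BOOL, T_BYTE):
        r.take(1)
    elif ftype == T_I16:
        r.take(2)
    elif ftype == T_I32:
        r.take(4)
    elif ftype in (T_I64, T_DOUBLE):
        r.take(8)
    elif ftype == T_STRING:
        r.take(r.i32())
    elif ftype == T_STRUCT:
        while True:
            t = r.take(1)[0]
            if t == T_STOP:
                return
            r.i16()  # field id, not needed when skipping
            _skip(r, t, remaining)
    elif ftype == T_MAP:
        kt, vt = r.take(1)[0], r.take(1)[0]
        for _ in range(r.i32()):
            _skip(r, kt, remaining)
            _skip(r, vt, remaining)
    elif ftype in (T_SET, T_LIST):
        et = r.take(1)[0]
        for _ in range(r.i32()):
            _skip(r, et, remaining)
    else:
        raise ValueError(f"unknown type id {ftype}")


def skip_unbounded(data: bytes, ftype: int) -> int:
    """Skip with no depth bound; returns bytes consumed."""
    r = Reader(data)
    _skip(r, ftype, None)
    return r.pos


def skip_bounded(data: bytes, ftype: int, max_depth: int = DEFAULT_MAX_DEPTH) -> int:
    """Skip with a nesting limit; returns bytes consumed."""
    r = Reader(data)
    _skip(r, ftype, max_depth)
    return r.pos


def outcome(skipper, data: bytes, ftype: int) -> str:
    """Classify what a skipper does with a message."""
    try:
        skipper(data, ftype)
        return "skipped"
    except RecursionError:
        return "stack exhausted"
    except ValueError as exc:
        return "rejected: " + str(exc)


def nested_list(depth: int) -> bytes:
    """Constructed message: list<list<...<i32>>> nested depth levels."""
    body = bytes([T_I32]) + struct.pack(">i", 0)  # innermost: empty list<i32>
    for _ in range(depth - 1):
        body = bytes([T_LIST]) + struct.pack(">i", 1) + body
    return body


# Constructed benign struct: field 1 = string "hello", field 2 = list<i32> [1, 2].
SAMPLE_STRUCT = (
    bytes([T_STRING]) + struct.pack(">h", 1) + struct.pack(">i", 5) + b"hello"
    + bytes([T_LIST]) + struct.pack(">h", 2) + bytes([T_I32]) + struct.pack(">i", 2)
    + struct.pack(">i", 1) + struct.pack(">i", 2)
    + bytes([T_STOP])
)

if __name__ == "__main__":
    print("benign struct:", outcome(skip_bounded, SAMPLE_STRUCT, T_STRUCT))
    print("10000-deep, unbounded:", outcome(skip_unbounded, nested_list(10000), T_LIST))
    print("10000-deep, bounded:", outcome(skip_bounded, nested_list(10000), T_LIST))
```

The unbounded variant consumes one stack frame per nesting level, so a hostile peer controls how deep the receiver recurses; in Python that surfaces as RecursionError, in a native or JVM implementation as stack exhaustion of the serving thread. The bounded variant fails closed with a protocol error at a fixed depth, which is the property to look for when checking whether the libthrift version on the Zeppelin classpath is one that applies such a limit.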