+1

It would be great if a 0.13 stream patch is released with the CVE-2020-13949 fix.

Regards,
Pankaj

-----Original Message-----
From: Tomas Hofman [mailto:[email protected]] 
Sent: Friday, March 12, 2021 5:20 PM
To: [email protected]
Subject: Thrift 0.13 micro for CVE-2020-13949?

Hello,

I see that the recommended approach to avoid exposure to
CVE-2020-13949 is upgrading to version 0.14.0. However, this version brings some
breaking changes and upgrading is a bit challenging for some of our projects.

Has it been considered to backport the fixes into the 0.13 stream?
Would it be too demanding to do?

Thanks for any statements on this!

Best regards,
--
Tomas Hofman
Software Engineer, JBoss SET
Red Hat
