Done
-----Original Message-----
From: Yuta Kawadai
Sent: Wednesday, February 24, 2021 2:45 PM
To: user@thrift.apache.org
Subject: Re: [SECURITY] CVE-2020-13949 Announcement
Hi,
Would you be able to tell me the JIRA ticket or GitHub PR# which addressed
this CVE?
I couldn't find them...
Best regards,
Yuta Kawadai
On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote:
CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Thrift up to and including 0.13.0
Description:
Applications using Thrift would not error upon receiving messages
declaring containers of sizes larger than the payload. As a result,
malicious RPC clients could send short messages which would result in a
large memory allocation, potentially leading to denial of service.
Mitigation:
Upgrade to version 0.14.0
Credit:
This issue was reported by Hasnain Lakhani of Facebook.
On behalf of the Apache Thrift PMC,
Jens Geyer
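The advisory above describes the bug only in prose: a container header declares an element count, the reader trusts it and reserves space before any element has arrived. The following is an added illustration, not Apache Thrift's own code and not the fix shipped in 0.14.0. It parses a TBinaryProtocol list header (one type byte plus a big-endian i32 count) from a constructed byte string, shows what a trusting reader would reserve for a five-byte hostile message, and beside it a hardened reader that rejects a declared count which is negative, above a configured ceiling, or larger than the bytes actually received could hold. The element-size table, the slot size, the 1,000,000-element ceiling and the helper names are this example's own assumptions.

```python
import struct

# TBinaryProtocol element type ids (from the Thrift binary protocol specification).
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64, T_STRING = 2, 3, 4, 6, 8, 10, 11

# Assumed minimum bytes one element of each type occupies on the wire; a string is
# at least its 4-byte length prefix. Nested containers are left out of this example.
MIN_WIRE_SIZE = {T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2,
                 T_I32: 4, T_I64: 8, T_STRING: 4}

# Assumed cost of one reserved list slot (a pointer) in the receiving process.
SLOT_BYTES = 8


class ProtocolError(Exception):
    """Raised when the payload is malformed or exceeds a limit."""


class Reader:
    """Cursor over one received message (stand-in for a Thrift transport)."""

    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def remaining(self) -> int:
        return len(self.buf) - self.pos

    def take(self, n: int) -> bytes:
        # Every read is bounded by what actually arrived.
        if n < 0 or n > self.remaining():
            raise ProtocolError(f"need {n} bytes, only {self.remaining()} available")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def byte(self) -> int:
        return self.take(1)[0]

    def i32(self) -> int:
        return struct.unpack("!i", self.take(4))[0]


def read_element(r: Reader, etype: int):
    if etype == T_I32:
        return r.i32()
    if etype == T_I64:
        return struct.unpack("!q", r.take(8))[0]
    if etype == T_STRING:
        return r.take(r.i32()).decode("utf-8")
    raise ProtocolError(f"element type {etype} not handled in this example")


def read_list_naive(r: Reader) -> list:
    """The behaviour the advisory describes: the declared count is trusted and a
    list of that size is reserved before a single element has been read. Only
    call this on trusted input; on a hostile header it reserves whatever the
    sender asked for."""
    etype = r.byte()
    count = r.i32()
    out = [None] * count          # allocation driven entirely by the wire value
    for i in range(count):
        out[i] = read_element(r, etype)
    return out


def declared_reserve_bytes(buf: bytes) -> int:
    """Bytes read_list_naive would reserve for the payload's declared count,
    computed without performing the allocation."""
    r = Reader(buf)
    r.byte()
    return r.i32() * SLOT_BYTES


def read_list_checked(r: Reader, max_elements: int = 1_000_000) -> list:
    """Hardened reader (this example's own check, not the project's patch):
    refuse the header before allocating anything if the count is negative,
    over the ceiling, or cannot fit in the bytes that remain."""
    etype = r.byte()
    count = r.i32()
    if count < 0:
        raise ProtocolError("negative container size")
    if count > max_elements:
        raise ProtocolError(f"declared size {count} exceeds limit {max_elements}")
    if etype not in MIN_WIRE_SIZE:
        raise ProtocolError(f"unknown element type {etype}")
    needed = count * MIN_WIRE_SIZE[etype]
    if needed > r.remaining():
        raise ProtocolError(f"{count} elements need at least {needed} bytes, "
                            f"only {r.remaining()} received")
    out = []                      # grows with the bytes actually consumed
    for _ in range(count):
        out.append(read_element(r, etype))
    return out


def is_rejected(buf: bytes) -> bool:
    try:
        read_list_checked(Reader(buf))
    except ProtocolError:
        return True
    return False


# Constructed sample payloads: a list header followed by its elements.
BENIGN = bytes([T_I32]) + struct.pack("!i", 3) + struct.pack("!iii", 1, 2, 3)
# Declares 100 i32 elements but carries only three.
TRUNCATED = bytes([T_I32]) + struct.pack("!i", 100) + struct.pack("!iii", 1, 2, 3)
# Five bytes declaring a list<i64> of 2**31-1 elements with no body at all.
MALICIOUS = bytes([T_I64]) + struct.pack("!i", 2**31 - 1)

if __name__ == "__main__":
    print(read_list_naive(Reader(BENIGN)), read_list_checked(Reader(BENIGN)))
    print(declared_reserve_bytes(MALICIOUS), "bytes reserved by the naive reader")
    print(is_rejected(TRUNCATED), is_rejected(MALICIOUS))
```

The remaining-bytes check only works for a transport that has already buffered the whole frame; on a streaming transport the configured ceiling is the bound that matters, so a deployment should set it from the largest container the service legitimately expects rather than leave it at a generic default.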