Thanks for adding comments to JIRA tickets. I was able to find these tickets.
- https://issues.apache.org/jira/browse/THRIFT-5007
- https://issues.apache.org/jira/browse/THRIFT-5021
- https://issues.apache.org/jira/browse/THRIFT-5237

Best regards,
Yuta

Thu, Feb 25, 2021 4:55 Jens Geyer <jensge...@hotmail.com>:
> Done
>
> -----Original Message-----
> From: Yuta Kawadai
> Sent: Wednesday, February 24, 2021 2:45 PM
> To: user@thrift.apache.org
> Subject: Re: [SECURITY] CVE-2020-13949 Announcement
>
> Hi
>
> Would you be able to tell me the JIRA ticket or GitHub PR# which addressed
> this CVE?
> I couldn't find them...
>
> Best regards,
> Yuta Kawadai
>
> On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote:
> > CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
> >
> > Severity: Important
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > Apache Thrift up to and including 0.13.0
> >
> > Description:
> > Applications using Thrift would not error upon receiving messages
> > declaring containers of sizes larger than the payload. As a result,
> > malicious RPC clients could send short messages which would result in a
> > large memory allocation, potentially leading to denial of service.
> >
> > Mitigation:
> > Upgrade to version 0.14.0
> >
> > Credit:
> > This issue was reported by Hasnain Lakhani of Facebook.
> >
> > On behalf of the Apache Thrift PMC,
> > Jens Geyer
> >
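The allocation pattern the advisory describes, shown as an added illustration that is not part of this thread and not Apache Thrift's own code: a minimal reader for a Thrift-binary-style i32 list, once in the unchecked form (allocate from the declared count, then discover the payload is short) and once with the declared count bounded by the bytes actually received. The header layout, the element-type value and the sample messages are constructed here for the demonstration.

```python
import struct

# Thrift binary-protocol list header: 1 byte element type + big-endian i32 count.
LIST_HEADER_LEN = 5
I32_TYPE = 8           # TType.I32 in Thrift's binary protocol
I32_ELEMENT_BYTES = 4  # smallest possible encoding of one i32 element


class ProtocolError(Exception):
    """Declared container size is impossible for the bytes actually received."""


def read_list_header(buf: bytes, pos: int):
    if pos + LIST_HEADER_LEN > len(buf):
        raise ProtocolError("truncated list header")
    etype = buf[pos]
    (count,) = struct.unpack_from(">i", buf, pos + 1)
    if count < 0:
        raise ProtocolError(f"negative list size {count}")
    return etype, count, pos + LIST_HEADER_LEN


def read_i32_list_unchecked(buf: bytes, pos: int = 0) -> list:
    """Vulnerable pattern: allocate from the declared count, then notice truncation."""
    _, count, pos = read_list_header(buf, pos)
    out = [0] * count                      # attacker-controlled allocation happens here
    for i in range(count):                 # struct.error surfaces only after allocating
        (out[i],) = struct.unpack_from(">i", buf, pos)
        pos += I32_ELEMENT_BYTES
    return out


def read_i32_list_checked(buf: bytes, pos: int = 0) -> list:
    """Hardened pattern: refuse counts that cannot fit in the remaining payload."""
    _, count, pos = read_list_header(buf, pos)
    remaining = len(buf) - pos
    if count * I32_ELEMENT_BYTES > remaining:
        raise ProtocolError(f"{count} elements declared, {remaining} bytes remain")
    out = [0] * count                      # bounded by what was actually received
    for i in range(count):
        (out[i],) = struct.unpack_from(">i", buf, pos)
        pos += I32_ELEMENT_BYTES
    return out


# Constructed sample messages (not taken from the advisory).
GOOD = bytes([I32_TYPE]) + struct.pack(">i", 2) + struct.pack(">ii", 7, 9)
SHORT_50K = bytes([I32_TYPE]) + struct.pack(">i", 50_000)    # header only, 50k claimed
SHORT_HUGE = bytes([I32_TYPE]) + struct.pack(">i", 1 << 30)  # 5 bytes claiming 2**30 items
```

Only the checked reader should ever be pointed at SHORT_HUGE: the unchecked one would try to allocate the full 2**30-slot list before failing, which is exactly the effect the advisory warns about.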