Thanks for adding comments to JIRA tickets.
I was able to find these tickets.
- https://issues.apache.org/jira/browse/THRIFT-5007
- https://issues.apache.org/jira/browse/THRIFT-5021
- https://issues.apache.org/jira/browse/THRIFT-5237

Best regards,
Yuta

2021年2月25日(木) 4:55 Jens Geyer <jensge...@hotmail.com>:

> Done
>
> -----Ursprüngliche Nachricht-----
> From: Yuta Kawadai
> Sent: Wednesday, February 24, 2021 2:45 PM
> To: user@thrift.apache.org
> Subject: Re: [SECURITY] CVE-2020-13949 Announcement
>
> Hi
>
> Would you be able to tell me JIRA ticket or github's PR# which addressed
> this CVE?
> I couldn't find them...
>
> Best regards,
> Yuta Kawadai
>
> On 2021/02/11 22:43:29, "Jens Geyer" <je...@apache.org> wrote:
> > CVE-2020-13949: potential DoS when processing untrusted Thrift payloads
> >
> > Severity: Important
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > Apache Thrift up to and including 0.13.0
> >
> > Description:
> > Applications using Thrift would not error upon receiving messages
> > declaring containers of sizes larger than the payload. As a result,
> > malicious RPC clients could send short messages which would result in a
> > large memory allocation, potentially leading to denial of service.
> >
> > Mitigation:
> > Upgrade to version 0.14.0
> >
> > Credit:
> > This issue was reported by Hasnain Lakhani of Facebook.
> >
> > On behalf of the Apache Thrift PMC,
> > Jens Geyer
>
>

Reply via email to