Posted to dev@thrift.apache.org by "Jens Geyer (Jira)" <ji...@apache.org> on 2020/02/08 13:12:00 UTC

[jira] [Commented] (THRIFT-5075) Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version

    [ https://issues.apache.org/jira/browse/THRIFT-5075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17032896#comment-17032896 ] 

Jens Geyer commented on THRIFT-5075:
------------------------------------

I thought a while about this and I'm still not convinced that we need it.

Thrift upgrades are in most cases (not always, though) rather painless, at least that's my experience. So what could be a possible reason to stay with 0.9.3? If we receive another security report down the road, do we have to maintain both versions again? Or will it be three, because someone also comes up with some 0.11.0 or the like?

*Bottom line*: What can we all do to help improve the situation for these three projects? Is there anything you need, aside from another release of course?

PS: I'm only expressing my personal opinion, and if anyone else wants to prepare another 0.9.3 release - I surely won't stand in the way.


> Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version
> ----------------------------------------------------------
>
>                 Key: THRIFT-5075
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5075
>             Project: Thrift
>          Issue Type: Bug
>            Reporter: Laurent Goujon
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Similar to THRIFT-4506, would it be possible to backport the fixes for CVE-2019-0205 to the 0.9.x branch? There are still several projects relying on 0.9.3-1, and the vulnerability seems to impact them as well.
> I believe the fix for Java was part of THRIFT-4024.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)