Posted to user@thrift.apache.org by Jake Farrell <jf...@apache.org> on 2015/12/02 03:28:04 UTC

[NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774

CVE-2015-1774

A security vulnerability was discovered in the Apache Thrift client
libraries, CVE-2015-3254. It was determined that in some cases a remote user
could cause unlimited recursion when the skip() function was called within
the server. This has been addressed in the Apache Thrift 0.9.3 release and
was tracked in THRIFT-3231 [2].

Vendor: The Apache Software Foundation

Versions Affected: All Apache Thrift versions 0.9.2 and older may be affected

Mitigation: Upgrading to the latest 0.9.3 release


-Jake Farrell

[1]: CVE-2015-3254
[2]: https://issues.apache.org/jira/browse/THRIFT-3231
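The failure mode in the notice, a skip() whose recursion depth is chosen by the sender, is easy to see in miniature. The following is an added example, not code from Apache Thrift or from the notice's author: a toy skip()-style decoder over a constructed binary encoding with nested lists. The type tags, the wire layout, the `DEFAULT_RECURSION_LIMIT` value and the helper names are all assumptions made for this example, not the project's. It places the unbounded recursive skip beside a bounded one that fails closed when nesting exceeds the limit.

```python
"""
Added example, not code from Apache Thrift or the notice's author: a toy
skip()-style decoder over a constructed binary encoding with nested lists.
It contrasts an unbounded recursive skip, whose stack depth is chosen by the
sender, with one that enforces a recursion limit and fails closed.
"""
import struct

# Constructed type tags for this toy wire format (not Thrift's TType values).
T_I32 = 0x01
T_STRING = 0x02
T_LIST = 0x03

# Assumed default: deep enough for real schemas, small enough to bound the stack.
DEFAULT_RECURSION_LIMIT = 64


class DepthLimitExceeded(ValueError):
    """Raised when nesting in the input exceeds the configured limit."""


class Reader:
    """Cursor over an in-memory byte string."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def read(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise EOFError("truncated input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def read_u8(self) -> int:
        return self.read(1)[0]

    def read_i32(self) -> int:
        return struct.unpack(">i", self.read(4))[0]


def skip_unbounded(r: Reader, ttype: int) -> None:
    """Vulnerable pattern: every nested list adds a stack frame, with no ceiling."""
    if ttype == T_I32:
        r.read(4)
    elif ttype == T_STRING:
        r.read(r.read_i32())
    elif ttype == T_LIST:
        elem_type = r.read_u8()
        count = r.read_i32()
        for _ in range(count):
            skip_unbounded(r, elem_type)
    else:
        raise ValueError(f"unknown type tag {ttype:#x}")


def skip_bounded(r: Reader, ttype: int, limit: int = DEFAULT_RECURSION_LIMIT) -> None:
    """Hardened pattern: the remaining depth budget shrinks on every recursive call."""
    if limit <= 0:
        raise DepthLimitExceeded("nesting exceeds recursion limit")
    if ttype == T_I32:
        r.read(4)
    elif ttype == T_STRING:
        r.read(r.read_i32())
    elif ttype == T_LIST:
        elem_type = r.read_u8()
        count = r.read_i32()
        for _ in range(count):
            skip_bounded(r, elem_type, limit - 1)
    else:
        raise ValueError(f"unknown type tag {ttype:#x}")


def nested_list(depth: int) -> tuple:
    """Constructed sample: `depth` single-element lists wrapped around one i32."""
    ttype, body = T_I32, struct.pack(">i", 7)
    for _ in range(depth):
        body = bytes([ttype]) + struct.pack(">i", 1) + body
        ttype = T_LIST
    return ttype, body


def classify(skip_fn, depth: int) -> str:
    """Run a skip function over a nested sample and report how it ended."""
    ttype, body = nested_list(depth)
    r = Reader(body)
    try:
        skip_fn(r, ttype)
    except DepthLimitExceeded:
        return "rejected"          # fails closed with a catchable error
    except RecursionError:
        return "stack-exhausted"   # Python's stand-in for a native stack overflow
    return "ok" if r.pos == len(body) else "incomplete"


if __name__ == "__main__":
    for depth in (8, 20000):
        print(f"depth={depth:<6} unbounded={classify(skip_unbounded, depth):<15} "
              f"bounded={classify(skip_bounded, depth)}")
```

On a normal input both skips consume the message completely; on a deeply nested one the unbounded version exhausts the stack (a crash in a native implementation), while the bounded version raises a specific error the server can log and turn into a rejected request.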

Re: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774

Posted by Suresh Marru <sm...@apache.org>.
Hi Supun,

Thanks for noticing this. Since the CVE said all 0.9.2 and older may be affected, it might be better if we move to 0.9.3 before the 0.16 release. I created a JIRA to track this task - https://issues.apache.org/jira/browse/AIRAVATA-1883

Suresh

> On Dec 10, 2015, at 3:34 PM, Supun Nakandala <su...@gmail.com> wrote:
> 
> Should we consider upgrading to Thrift 0.9.3 ? Currently we are using 0.9.2
> 
> ---------- Forwarded message ----------
> From: Jake Farrell <jfarrell@apache.org>
> Date: Tue, Dec 1, 2015 at 9:28 PM
> Subject: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774
> To: "user@thrift.apache.org" <user@thrift.apache.org>, "dev@thrift.apache.org" <dev@thrift.apache.org>
> 
> 
> CVE-2015-1774
> 
> A security vulnerability was discovered in the Apache Thrift client
> libraries, CVE-2015-3254. It was determined that in some cases a remote user
> could cause unlimited recursion when the skip() function was called within
> the server. This has been addressed in the Apache Thrift 0.9.3 release and
> was tracked in THRIFT-3231 [2].
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected: All Apache Thrift versions 0.9.2 and older may be affected
> 
> Mitigation: Upgrading to the latest 0.9.3 release
> 
> 
> -Jake Farrell
> 
> [1]: CVE-2015-3254
> [2]: https://issues.apache.org/jira/browse/THRIFT-3231

Fwd: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774

Posted by Supun Nakandala <su...@gmail.com>.
Should we consider upgrading to Thrift 0.9.3 ? Currently we are using 0.9.2

---------- Forwarded message ----------
From: Jake Farrell <jf...@apache.org>
Date: Tue, Dec 1, 2015 at 9:28 PM
Subject: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774
To: "user@thrift.apache.org" <us...@thrift.apache.org>, "dev@thrift.apache.org" <de...@thrift.apache.org>


CVE-2015-1774

A security vulnerability was discovered in the Apache Thrift client
libraries, CVE-2015-3254. It was determined that in some cases a remote user
could cause unlimited recursion when the skip() function was called within
the server. This has been addressed in the Apache Thrift 0.9.3 release and
was tracked in THRIFT-3231 [2].

Vendor: The Apache Software Foundation

Versions Affected: All Apache Thrift versions 0.9.2 and older may be affected

Mitigation: Upgrading to the latest 0.9.3 release


-Jake Farrell

[1]: CVE-2015-3254
[2]: https://issues.apache.org/jira/browse/THRIFT-3231

Re: [NOTICE]: Apache Thrift Security Vulnerability CVE-2015-1774

Posted by Mark Thomas <ma...@apache.org>.
Both the Subject and the heading in the body of this message do not
agree with the CVE referenced in the main text.

A correction needs to be issued.

Mark

On 02/12/2015 02:28, Jake Farrell wrote:
> CVE-2015-1774
> 
> A security vulnerability was discovered in the Apache Thrift client
> libraries, CVE-2015-3254. It was determined that in some cases a remote user
> could cause unlimited recursion when the skip() function was called within
> the server. This has been addressed in the Apache Thrift 0.9.3 release and
> was tracked in THRIFT-3231 [2].
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected: All Apache Thrift versions 0.9.2 and older may be affected
> 
> Mitigation: Upgrading to the latest 0.9.3 release
> 
> 
> -Jake Farrell
> 
> [1]: CVE-2015-3254
> [2]: https://issues.apache.org/jira/browse/THRIFT-3231

