You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jena.apache.org by "Andy Seaborne (Jira)" <ji...@apache.org> on 2019/11/19 21:32:00 UTC

[jira] [Assigned] (JENA-1781) Upgrade Thrift to version 0.13.0

     [ https://issues.apache.org/jira/browse/JENA-1781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Seaborne reassigned JENA-1781:
-----------------------------------

    Assignee: Andy Seaborne

> Upgrade Thrift to version 0.13.0
> --------------------------------
>
>                 Key: JENA-1781
>                 URL: https://issues.apache.org/jira/browse/JENA-1781
>             Project: Apache Jena
>          Issue Type: Dependency upgrade
>          Components: ARQ, OSGi
>            Reporter: Ken Treimann
>            Assignee: Andy Seaborne
>            Priority: Major
>
> OWASP Dependency Check identifies Thrift version 0.12.0 as having the following vulnerabilites:
> [CVE-2019-0205|https://nvd.nist.gov/vuln/detail/CVE-2019-0205|https://nvd.nist.gov/vuln/detail/CVE-2019-0210]
> [CVE-2019-0210|https://nvd.nist.gov/vuln/detail/CVE-2019-0210]
> According to [CASSANDRA-15420|https://issues.apache.org/jira/browse/CASSANDRA-15420], this was partially fixed in version 0.11.0, but it still gets flagged as vulnerable.  [This message|http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E] from the thrift-dev mailing list states that the mitigation is to upgrade to version 0.13.0.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)