Posted to dev@jena.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/11/23 15:47:00 UTC

[jira] [Commented] (JENA-1781) Upgrade Thrift to version 0.13.0

    [ https://issues.apache.org/jira/browse/JENA-1781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16980795#comment-16980795 ] 

ASF subversion and git services commented on JENA-1781:
-------------------------------------------------------

Commit 9ad64c7f686cef835830f191c70bb3f112e43bd2 in jena's branch refs/heads/master from Andy Seaborne
[ https://gitbox.apache.org/repos/asf?p=jena.git;h=9ad64c7 ]

JENA-1781: Deal with THRIFT-5022 "isOpen"


> Upgrade Thrift to version 0.13.0
> --------------------------------
>
>                 Key: JENA-1781
>                 URL: https://issues.apache.org/jira/browse/JENA-1781
>             Project: Apache Jena
>          Issue Type: Dependency upgrade
>          Components: ARQ, OSGi
>            Reporter: Ken Treimann
>            Assignee: Andy Seaborne
>            Priority: Major
>          Time Spent: 1h
>  Remaining Estimate: 0h
>
> OWASP Dependency Check identifies Thrift version 0.12.0 as having the following vulnerabilities:
> [CVE-2019-0205|https://nvd.nist.gov/vuln/detail/CVE-2019-0205]
> [CVE-2019-0210|https://nvd.nist.gov/vuln/detail/CVE-2019-0210]
> According to [CASSANDRA-15420|https://issues.apache.org/jira/browse/CASSANDRA-15420], this was partially fixed in version 0.11.0, but it still gets flagged as vulnerable.  [This message|http://mail-archives.apache.org/mod_mbox/thrift-dev/201910.mbox/%3CVI1PR0101MB2142E0EA19F582429C3AEBCBB1920%40VI1PR0101MB2142.eurprd01.prod.exchangelabs.com%3E] from the thrift-dev mailing list states that the mitigation is to upgrade to version 0.13.0.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)