Posted to user@thrift.apache.org by Tomas Hofman <th...@redhat.com> on 2021/03/12 11:49:43 UTC

Thrift 0.13 micro for CVE-2020-13949?

Hello,

I see that the recommended approach to avoid exposure to
CVE-2020-13949 is upgrading to version 0.14.0. However, this version
brings some breaking changes and upgrading is a bit challenging for some
of our projects.

Has it been considered to backport the fixes into the 0.13 stream?
Would it be too demanding to do?

Thanks for any statements on this!

Best regards,
-- 
Tomas Hofman
Software Engineer, JBoss SET
Red Hat


RE: Thrift 0.13 micro for CVE-2020-13949?

Posted by Pankaj kr <pa...@huawei.com>.
+1

It would be great if a 0.13 stream patch is released with the CVE-2020-13949 fix.

Regards,
Pankaj

-----Original Message-----
From: Tomas Hofman [mailto:thofman@redhat.com] 
Sent: Friday, March 12, 2021 5:20 PM
To: user@thrift.apache.org
Subject: Thrift 0.13 micro for CVE-2020-13949?

Hello,

I see that the recommended approach to avoid exposure to
CVE-2020-13949 is upgrading to version 0.14.0. However, this version brings some breaking changes and upgrading is a bit challenging for some of our projects.

Has it been considered to backport the fixes into the 0.13 stream?
Would it be too demanding to do?

Thanks for any statements on this!

Best regards,
--
Tomas Hofman
Software Engineer, JBoss SET
Red Hat