From: Jake Farrell (Reply-To: jfarrell@apache.org)
To: user@thrift.apache.org, dev@thrift.apache.org
Date: Fri, 13 Jan 2017 12:16:04 -0500
Subject: [NOTICE]: Apache Thrift Security Vulnerability CVE-2016-5397
Mailing-List: user@thrift.apache.org (archived-at: Fri, 13 Jan 2017 17:16:09 -0000)

CVE-2016-5397

A security vulnerability was discovered in the Apache Thrift Go client library, CVE-2016-5397 [1]. During code generation, the Go client library invoked an external formatting tool (gofmt) on its output, and that call exposed the potential for command injection. The issue has been traced and resolved in THRIFT-3893 [2].

Vendor: The Apache Software Foundation

Versions Affected: All Apache Thrift versions 0.9.3 and older may be affected.

Mitigation: Upgrade to the latest Apache Thrift release, 0.10.0.

Resolution: The issue was resolved by removing the relevant calls to the external formatting tool, gofmt, since it is not required for core Apache Thrift code functionality.

-Jake Farrell

[1]: CVE-2016-5397
[2]: https://issues.apache.org/jira/browse/THRIFT-3893
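The bug class this notice describes, as an added example that is not Thrift's code (the notice does not show the generator's actual call site): a code generator that formats its output by interpolating a file path into a shell command string, beside the same step done with an argument vector and no shell in between. `echo` stands in for gofmt so the program runs without a Go toolchain; the hostile path, the allowlist pattern and every function name are my assumptions for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Stand-in for gofmt so the example runs anywhere: echo prints its
// arguments, which makes it obvious what the formatter received versus
// what a shell ran on the side.
const formatter = "echo"

// Constructed input (my assumption, not from the notice): an output path a
// build could be coaxed into handing to the generator. Everything after the
// ';' is a second command as far as a shell is concerned.
const hostilePath = "gen-go/out.go; echo INJECTED"

// ShellCommandLine is the vulnerable composition: tool name and path are
// glued into one string that a shell will re-parse, so any shell
// metacharacter in path becomes syntax rather than data.
func ShellCommandLine(tool, path string) string {
	return tool + " -w " + path
}

// FormatViaShell mirrors a generator that hands that string to system(3),
// i.e. `sh -c "<tool> -w <path>"`, and returns everything the run printed.
func FormatViaShell(tool, path string) (string, error) {
	return run(exec.Command("sh", "-c", ShellCommandLine(tool, path)))
}

// Argv is the hardened composition: the path is one element of an argument
// vector and no shell ever sees it.
func Argv(tool, path string) []string {
	return []string{tool, "-w", path}
}

// FormatViaArgv execs the tool directly from Argv; os/exec passes each
// element through unchanged, so "; echo INJECTED" stays inside the path.
func FormatViaArgv(tool, path string) (string, error) {
	argv := Argv(tool, path)
	return run(exec.Command(argv[0], argv[1:]...))
}

// allowedPath is a second, independent layer: the characters a generated
// source path legitimately needs. The pattern is my assumption for this
// example, not a rule from the Thrift project.
var allowedPath = regexp.MustCompile(`^[A-Za-z0-9_./-]+$`)

// ValidateOutputPath rejects anything outside the allowlist and any
// parent-directory traversal before the path reaches a subprocess.
func ValidateOutputPath(path string) error {
	if !allowedPath.MatchString(path) {
		return fmt.Errorf("refusing path %q: character outside allowlist", path)
	}
	if strings.Contains(path, "..") {
		return fmt.Errorf("refusing path %q: parent-directory traversal", path)
	}
	return nil
}

// Injected reports whether the run printed the marker that only the
// smuggled second command prints on a line of its own.
func Injected(output string) bool {
	for _, line := range strings.Split(output, "\n") {
		if strings.TrimSpace(line) == "INJECTED" {
			return true
		}
	}
	return false
}

// run executes cmd and returns its combined stdout and stderr.
func run(cmd *exec.Cmd) (string, error) {
	var out bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = &out
	err := cmd.Run()
	return out.String(), err
}

func main() {
	viaShell, _ := FormatViaShell(formatter, hostilePath)
	fmt.Printf("via shell:\n%s-> injected: %v\n\n", viaShell, Injected(viaShell))

	viaArgv, _ := FormatViaArgv(formatter, hostilePath)
	fmt.Printf("via argv:\n%s-> injected: %v\n\n", viaArgv, Injected(viaArgv))

	fmt.Println("validate hostile:", ValidateOutputPath(hostilePath))
	fmt.Println("validate benign: ", ValidateOutputPath("gen-go/out.go"))
}
```

Run with `go run`: the shell variant prints INJECTED on a line of its own, because the shell split the path at the semicolon and ran the remainder; the argv variant prints the whole path, semicolon included, as one literal argument. The allowlist is belt and braces for the argv case, not a substitute for it. The fix Thrift shipped in 0.10.0 is stronger than either: with the gofmt call removed there is no external process to get wrong.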