openEuler Security Advisory openEuler-SA-2021-1017: thrift security update

Issuer: openEuler security committee (openeuler-security@openeuler.org)
Status: Final, revision 1.0
Initial release: 2021-02-04 (revision 1.0, "Initial")
Current release: 2021-02-04
Generated by: openEuler SA Tool V1.0
Severity: High
Product: openEuler-20.03-LTS-SP1
Component: thrift

Summary

An update for thrift is now available for openEuler-20.03-LTS-SP1.

The Apache Thrift software framework for cross-language services development combines a software stack with a code generation engine to build services that work efficiently and seamlessly between C++, Java, Python, and other languages.

Security Fix(es):

CVE-2019-0205: In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, it affects only certain language bindings depending on the installed version. The thrift build shipped here (0.10.0) predates that partial fix.

CVE-2019-0210: In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data. Of the packages in this advisory only the source package could contain the Go binding; the binary packages cover the C++, GLib, Qt, Python 3, Perl and Java bindings.

Both issues are denial-of-service conditions reachable by an unauthenticated remote peer that can send data to a Thrift endpoint, which is why each carries a CVSS vector with Availability impact High and no Confidentiality or Integrity impact (see Vulnerability details below).

openEuler Security has rated this update as having a security impact of High. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
References

Advisory: https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1017
CVE-2019-0205: https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-0205
               https://nvd.nist.gov/vuln/detail/CVE-2019-0205
CVE-2019-0210: https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-0210
               https://nvd.nist.gov/vuln/detail/CVE-2019-0210

Fixed packages (openEuler-20.03-LTS-SP1)

Source:
  thrift-0.10.0-3.oe1.src.rpm

aarch64:
  fb303-0.10.0-3.oe1.aarch64.rpm
  fb303-devel-0.10.0-3.oe1.aarch64.rpm
  python3-fb303-0.10.0-3.oe1.aarch64.rpm
  python3-thrift-0.10.0-3.oe1.aarch64.rpm
  thrift-0.10.0-3.oe1.aarch64.rpm
  thrift-debuginfo-0.10.0-3.oe1.aarch64.rpm
  thrift-debugsource-0.10.0-3.oe1.aarch64.rpm
  thrift-devel-0.10.0-3.oe1.aarch64.rpm
  thrift-glib-0.10.0-3.oe1.aarch64.rpm
  thrift-qt-0.10.0-3.oe1.aarch64.rpm

noarch:
  fb303-java-0.10.0-3.oe1.noarch.rpm
  libthrift-java-0.10.0-3.oe1.noarch.rpm
  libthrift-javadoc-0.10.0-3.oe1.noarch.rpm
  perl-thrift-0.10.0-3.oe1.noarch.rpm

x86_64:
  fb303-0.10.0-3.oe1.x86_64.rpm
  fb303-devel-0.10.0-3.oe1.x86_64.rpm
  python3-fb303-0.10.0-3.oe1.x86_64.rpm
  python3-thrift-0.10.0-3.oe1.x86_64.rpm
  thrift-0.10.0-3.oe1.x86_64.rpm
  thrift-debuginfo-0.10.0-3.oe1.x86_64.rpm
  thrift-debugsource-0.10.0-3.oe1.x86_64.rpm
  thrift-devel-0.10.0-3.oe1.x86_64.rpm
  thrift-glib-0.10.0-3.oe1.x86_64.rpm
  thrift-qt-0.10.0-3.oe1.x86_64.rpm

Vulnerability details

CVE-2019-0205
  Product:      openEuler-20.03-LTS-SP1
  Severity:     High
  CVSS v3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Release date: 2021-02-04
  Fixed in:     thrift security update, openEuler-SA-2021-1017
  Description:  In Apache Thrift, all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, it affects only certain language bindings depending on the installed version.

CVE-2019-0210
  Product:      openEuler-20.03-LTS-SP1
  Severity:     High
  CVSS v3 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
  Release date: 2021-02-04
  Fixed in:     thrift security update, openEuler-SA-2021-1017
  Description:  In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed invalid input data.
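As an added example (not part of this advisory or of the openEuler tooling), the following POSIX shell script checks whether the thrift packages installed on a host are at or above the fixed build 0.10.0-3.oe1 listed above, and names the ones that still need updating. It assumes the package names from this advisory, the `rpm -q --qf '%{VERSION}-%{RELEASE}'` query, and that these packages carry no Epoch; the segment-wise comparison in `vercmp` reproduces the common-case behaviour of rpm's version ordering (numeric segments compare as integers, a numeric segment outranks an alphabetic one, a missing segment loses) and is deliberately conservative rather than a full rpmvercmp reimplementation.

```shell
#!/bin/sh
# Added example, not part of the openEuler advisory: report which thrift
# packages on an openEuler-20.03-LTS-SP1 host are below the fixed build
# 0.10.0-3.oe1. Assumes the package names and rpm query format below;
# Epoch is ignored because these packages carry none.

FIXED_EVR="0.10.0-3.oe1"
# Binary packages from the advisory, all built from thrift-0.10.0-3.oe1.src.rpm
ADVISORY_PKGS="thrift thrift-devel thrift-glib thrift-qt thrift-debuginfo thrift-debugsource
python3-thrift perl-thrift libthrift-java libthrift-javadoc
fb303 fb303-devel fb303-java python3-fb303"

# vercmp A B: compare two VERSION-RELEASE strings segment by segment, as rpm
# does in the common case: split on '.' and '-', numeric segments compare as
# integers, a numeric segment outranks an alphabetic one, alphabetic segments
# compare as strings, and a missing segment loses (0.10.0 < 0.10.0-3.oe1).
# Prints lt, eq or gt. Uses globals, as POSIX sh has no 'local'.
vercmp() {
    v1=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    v2=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        s1=${v1%% *}; if [ "$s1" = "$v1" ]; then v1=""; else v1=${v1#* }; fi
        s2=${v2%% *}; if [ "$s2" = "$v2" ]; then v2=""; else v2=${v2#* }; fi
        if [ -z "$s1" ] && [ -n "$s2" ]; then echo lt; return; fi
        if [ -n "$s1" ] && [ -z "$s2" ]; then echo gt; return; fi
        case $s1 in ''|*[!0-9]*) n1=0 ;; *) n1=1 ;; esac
        case $s2 in ''|*[!0-9]*) n2=0 ;; *) n2=1 ;; esac
        if [ $n1 -eq 1 ] && [ $n2 -eq 1 ]; then
            if [ "$s1" -lt "$s2" ]; then echo lt; return; fi
            if [ "$s1" -gt "$s2" ]; then echo gt; return; fi
        elif [ $n1 -ne $n2 ]; then
            # numeric beats alphabetic, e.g. 3 > oe1
            if [ $n1 -eq 1 ]; then echo gt; else echo lt; fi
            return
        elif [ "$s1" != "$s2" ]; then
            # both alphabetic: plain string order via sort
            lo=$(printf '%s\n%s\n' "$s1" "$s2" | sort | head -n 1)
            if [ "$lo" = "$s1" ]; then echo lt; else echo gt; fi
            return
        fi
    done
    echo eq
}

# is_fixed INSTALLED_EVR: succeeds when INSTALLED_EVR is at or above FIXED_EVR.
is_fixed() {
    [ "$(vercmp "$1" "$FIXED_EVR")" != lt ]
}

# check_host: query rpm for every advisory package that is installed and
# print whether it is patched for CVE-2019-0205 / CVE-2019-0210.
check_host() {
    need=0
    for p in $ADVISORY_PKGS; do
        evr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$p" 2>/dev/null | head -n 1)
        [ -n "$evr" ] || continue            # not installed
        if is_fixed "$evr"; then
            echo "$p-$evr: fixed (CVE-2019-0205, CVE-2019-0210)"
        else
            echo "$p-$evr: VULNERABLE, below $FIXED_EVR"
            need=$((need + 1))
        fi
    done
    if [ "$need" -gt 0 ]; then
        echo "$need package(s) need updating: run 'dnf update thrift' on openEuler-20.03-LTS-SP1"
    fi
    return 0
}

# Only touch the package database when rpm is actually present on this host.
if command -v rpm >/dev/null 2>&1; then
    check_host
fi
```

Because every binary package in the advisory comes from the same thrift-0.10.0-3.oe1 source build, a single `dnf update thrift` pulls the fixed release for whichever subpackages are installed; the script only tells you whether that step is still outstanding. Services must be restarted afterwards for the new libraries to be loaded.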