An update for thrift is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1017
Final
1.0
1.0
2021-02-04
Initial
2021-02-04
2021-02-04
openEuler SA Tool V1.0
2021-02-04
thrift security update
An update for thrift is now available for openEuler-20.03-LTS-SP1.
The Apache Thrift software framework for cross-language services development combines a software stack with a code generation engine to build services that work efficiently and seamlessly between C++, Java, Python, and other languages.
Security Fix(es):
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings. (CVE-2019-0205)
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data. (CVE-2019-0210)
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
High
thrift
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1017
https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-0205
https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-0210
https://nvd.nist.gov/vuln/detail/CVE-2019-0205
https://nvd.nist.gov/vuln/detail/CVE-2019-0210
openEuler-20.03-LTS-SP1
fb303-0.10.0-3.oe1.aarch64.rpm
thrift-0.10.0-3.oe1.aarch64.rpm
thrift-qt-0.10.0-3.oe1.aarch64.rpm
thrift-glib-0.10.0-3.oe1.aarch64.rpm
fb303-devel-0.10.0-3.oe1.aarch64.rpm
python3-fb303-0.10.0-3.oe1.aarch64.rpm
thrift-debugsource-0.10.0-3.oe1.aarch64.rpm
thrift-devel-0.10.0-3.oe1.aarch64.rpm
python3-thrift-0.10.0-3.oe1.aarch64.rpm
thrift-debuginfo-0.10.0-3.oe1.aarch64.rpm
fb303-java-0.10.0-3.oe1.noarch.rpm
libthrift-java-0.10.0-3.oe1.noarch.rpm
perl-thrift-0.10.0-3.oe1.noarch.rpm
libthrift-javadoc-0.10.0-3.oe1.noarch.rpm
thrift-0.10.0-3.oe1.src.rpm
python3-fb303-0.10.0-3.oe1.x86_64.rpm
python3-thrift-0.10.0-3.oe1.x86_64.rpm
thrift-debuginfo-0.10.0-3.oe1.x86_64.rpm
thrift-devel-0.10.0-3.oe1.x86_64.rpm
thrift-debugsource-0.10.0-3.oe1.x86_64.rpm
thrift-0.10.0-3.oe1.x86_64.rpm
fb303-0.10.0-3.oe1.x86_64.rpm
fb303-devel-0.10.0-3.oe1.x86_64.rpm
thrift-glib-0.10.0-3.oe1.x86_64.rpm
thrift-qt-0.10.0-3.oe1.x86_64.rpm
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
2021-02-04
CVE-2019-0205
openEuler-20.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
thrift security update
2021-02-04
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1017
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when fed with invalid input data.
2021-02-04
CVE-2019-0210
openEuler-20.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
thrift security update
2021-02-04
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1017