@laurentgo

Security vulnerability CVE-2019-0205 impacts several Apache projects that still use the 0.9.3-1 Java library for Thrift. It seems unlikely those projects would be able to migrate to a more recent version of Thrift where the fix was addressed, so instead I propose to backport the small change to the 0.9.3.1 branch.

  • Did you create an Apache Jira ticket? (not required for trivial changes)
  • If a ticket exists: Does your pull request title follow the pattern "THRIFT-NNNN: describe my issue"?
  • Did you squash your changes to a single commit? (not required, but preferred)
  • Did you do your best to avoid breaking changes? If one was needed, did you label the Jira ticket with "Breaking-Change"?
  • If your change does not involve any code, add [skip ci] at the end of your pull request to free up build resources.

Jens-G and others added 3 commits January 23, 2020 13:34
* THRIFT-4024: make c_glib throw on unsupported type when skipping
* THRIFT-4783: throw on invalid skip (py)
* THRIFT-4024: make cpp throw on unsupported type when skipping
* THRIFT-4024: uniform skip behavior on unsupported type
Fix Ubuntu docker build environment so it can build current code with
the same set of dependencies as of when 0.9.3 was released
(approximately):
- Use specific versions for some dependencies instead of the latest ones
- Switch to https for maven repository
- Update npm list of trusted certificates
- Fix invalid change to configure.ac introduced in 0.9.4.1
- Copy gomock code from 2015 as a private module
@Jens-G Jens-G self-requested a review February 8, 2020 13:15
Jens-G added a commit that referenced this pull request Feb 8, 2020
This closes #1993

THRIFT-4024, THRIFT-4783, THRIFT-4784: throw when skipping invalid type (#1742)
* THRIFT-4024: make c_glib throw on unsupported type when skipping
* THRIFT-4783: throw on invalid skip (py)
* THRIFT-4024: make cpp throw on unsupported type when skipping
* THRIFT-4024: uniform skip behavior on unsupported type
* THRIFT-4784: Thrift should throw when skipping over unexpected data
@Jens-G
Member

Jens-G commented Feb 8, 2020

Merged, except the "fix build env" part

@Jens-G Jens-G closed this Feb 8, 2020
@kevinsookocheff-wf

Is it possible to get this branch released? This fix is currently unavailable for anyone still on the popular 0.9.3 release.