Conversation
Codecov Report

```
@@           Coverage Diff            @@
##           master     #584    +/-   ##
==========================================
+ Coverage    88.55%   88.64%   +0.09%
==========================================
  Files           61       61
  Lines         3328     3328
==========================================
+ Hits          2947     2950       +3
+ Misses         253      251       -2
+ Partials       128      127       -1
```

Continue to review full report at Codecov.
please make sure all commits are signed (see the DCO check)
Signed-off-by: nhatthm <nt@hellofresh.com>
It's fixed
That change is only in thrift-gen, correct? Technically we should've placed it in internal/thrift-gen, since those types are not meant to be exposed. Is there a reason you picked 0.13 thrift? There is already https://github.com/apache/thrift/releases/tag/v0.14.1, which also fixed another CVE that we ran into in Jaeger backend.
Yes, exactly. The change was made by running
Well, I was afraid of making big changes,
I would certainly prefer to go to the latest, otherwise we'd still have an open CVE, and Thrift is known to make breaking changes (like adding Context argument incrementally across releases instead of all at once), so best to minimize those.
Signed-off-by: nhatthm <nt@hellofresh.com>
I bumped to 0.14. There are new files from Thrift, see 1065ec2. It's because of
Looks like they split the files. Anyway, I ran
```go
// protoFactory := thrift.NewTBinaryProtocolFactoryConf(conf)
//
// [1]: https://github.com/apache/thrift/blob/master/doc/specs/thrift-tconfiguration.md
type TConfiguration struct {
```
required by

```
thrift/binary_protocol.go:35:17: undefined: TConfiguration
thrift/binary_protocol.go:40:7: undefined: TConfiguration
thrift/binary_protocol.go:60:49: undefined: TConfiguration
thrift/binary_protocol.go:91:42: undefined: TConfiguration
thrift/binary_protocol.go:101:58: undefined: TConfiguration
thrift/binary_protocol.go:532:51: undefined: TConfiguration
thrift/compact_protocol.go:79:7: undefined: TConfiguration
thrift/compact_protocol.go:89:43: undefined: TConfiguration
thrift/compact_protocol.go:99:59: undefined: TConfiguration
thrift/compact_protocol.go:107:7: undefined: TConfiguration
```
I believe that @rubenvp8510 is working on cherry-picking some commits from Thrift into our fork so that we have the security fixes in a backward-compatible manner.
Did you use 0.14.0 or 0.14.1? There was another CVE fixed in 0.14.1
Sorry, I corrected the title, it is
GitHub Actions are acting up again (outage in progress). Please update thrift/README to reflect this change.
Signed-off-by: nhatthm <nt@hellofresh.com>
It's done. Updated: Everything is green now.
Thanks!
Link to #584

Signed-off-by: Yuri Shkuro <github@ysh.us>
@yurishkuro thanks for accepting the PR. May I know when you will tag a new release? And will it be v2 or v3?
Thanks! Sorry for asking again, are you in touch with the contributors of https://github.com/census-ecosystem/opencensus-go-exporter-jaeger? Because we need to update there as well.
opencensus is being sunset, not sure if it's maintained, but cc @bogdandrutu
Yeah, I know, I'm migrating to otel as well. The library had many breaking changes before v0.19; it was very, very painful to update, so I think it's better to wait for a stable release.
Which problem is this PR solving?

Resolves #546

Short description of the changes

Update the vendor Thrift to 0.13.0 to fix the security issue.

There is a change in the `Agent` interface to

I'm fine if we decide to put this into `v3` (because of the breaking changes), then I will just wait for #583 to be merged into master and start from there. We can discuss this.

References