
Update dependencies to fix CVE-2020-13949 #21

Closed
mcramer-billgo opened this issue Jun 2, 2023 · 4 comments

Comments

@mcramer-billgo

In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Fix is in 0.14.0
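To make the mechanism in the CVE description concrete, the following is an added example (an illustration written for this thread, not code from parsyl/parquet or Apache Thrift): a hypothetical, simplified reader for one Thrift-binary-style string field (4-byte big-endian length, then the bytes), first trusting the length field the way pre-0.14 code did, then with a ceiling enforced before any allocation, which is the shape of the fix Thrift 0.14.0 introduced through its configurable message and frame size limits (in the Go library, the MaxMessageSize and MaxFrameSize fields of `thrift.TConfiguration`). The 64 KiB ceiling, the function names and the sample messages are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// Added example, not parsyl/parquet or Apache Thrift code. A hypothetical,
// simplified reader for a length-prefixed string field: a 4-byte big-endian
// length followed by that many bytes of payload.

// readStringUnbounded shows the pre-0.14 shape of the problem: it sizes the
// buffer from the untrusted length field before a single payload byte has been
// read. It returns the number of bytes it allocated so the cost of a short
// message with a large claimed length is visible to the caller.
func readStringUnbounded(r io.Reader) (string, int, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return "", 0, err
	}
	if n < 0 {
		return "", 0, fmt.Errorf("negative string length %d", n)
	}
	buf := make([]byte, n) // allocation driven entirely by the peer's length field
	if _, err := io.ReadFull(r, buf); err != nil {
		// The allocation already happened; only now is the message found to be short.
		return "", len(buf), err
	}
	return string(buf), len(buf), nil
}

// readStringBounded applies a configured ceiling before allocating, the idea
// behind the message/frame size limits added in Thrift 0.14.0. A claimed length
// above maxSize is rejected at zero cost.
func readStringBounded(r io.Reader, maxSize int32) (string, int, error) {
	var n int32
	if err := binary.Read(r, binary.BigEndian, &n); err != nil {
		return "", 0, err
	}
	if n < 0 || n > maxSize {
		return "", 0, fmt.Errorf("string length %d outside allowed range [0, %d]", n, maxSize)
	}
	buf := make([]byte, n) // bounded by local policy, not by the peer
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", len(buf), err
	}
	return string(buf), len(buf), nil
}

// encodeString builds a well-formed message (constructed sample input).
func encodeString(s string) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, int32(len(s)))
	b.WriteString(s)
	return b.Bytes()
}

// shortMessage builds the shape the CVE text describes (constructed sample
// input): a header claiming claimedLen bytes followed by only a few bytes.
func shortMessage(claimedLen int32, payload string) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, claimedLen)
	b.WriteString(payload)
	return b.Bytes()
}

func main() {
	const limit = 64 * 1024 // per-field ceiling chosen for this hypothetical service

	s, alloc, err := readStringUnbounded(bytes.NewReader(encodeString("hello")))
	fmt.Printf("unbounded, honest message: %q allocated=%d err=%v\n", s, alloc, err)

	// Short message claiming 1 MiB: the unbounded reader allocates 1 MiB, then fails.
	_, alloc, err = readStringUnbounded(bytes.NewReader(shortMessage(1<<20, "abc")))
	fmt.Printf("unbounded, short message:  allocated=%d err=%v\n", alloc, err)

	// The same message against the bounded reader is rejected before any allocation.
	_, alloc, err = readStringBounded(bytes.NewReader(shortMessage(1<<20, "abc")), limit)
	fmt.Printf("bounded,   short message:  allocated=%d err=%v\n", alloc, err)

	// Honest traffic still works under the limit.
	s, alloc, err = readStringBounded(bytes.NewReader(encodeString("hello")), limit)
	fmt.Printf("bounded,   honest message: %q allocated=%d err=%v\n", s, alloc, err)
}
```

The check has to sit before the `make`, and the ceiling has to come from the server's own configuration rather than anything in the message; a reader that allocates first and validates afterwards, or that only caps the total bytes read, still pays the allocation for every short message.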

@mcramer-billgo
Author

PR to update: #22

@cswank
Collaborator

cswank commented Jun 5, 2023

Thanks Matt, I was not aware of the thrift issue. I noticed you closed the PR. Did that change result in something unexpected?

@mcramer-billgo
Author

mcramer-billgo commented Jun 5, 2023

@cswank updating thrift to latest 0.18.1 appears to be a breaking change. I'm testing on my fork some more.

@cswank
Collaborator

cswank commented Jul 20, 2023

@mcramer-billgo the files in schema/ needed to be re-generated with the v0.18.1 thrift tool. v0.8.0 of parsyl/parquet now uses thrift v0.18.1.

@cswank cswank closed this as completed Jul 27, 2023