| Summary: | thrift, golang-github-apache-thrift new security issue CVE-2020-13949 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Zombie Ryushu <zombie_ryushu> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, mageia, ouaurelien, pterjan, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2020-13949 | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | thrift-0.13.0-2.mga8.src.rpm, golang-github-apache-thrift-devel-0.13.0-1.mga8.src.rpm | CVE: | CVE-2020-13949 |
| Status comment: | |||
| Bug Depends on: | |||
| Bug Blocks: | 24174 | ||
|
Description

Zombie Ryushu
2021-02-19 10:52:47 CET

Zombie Ryushu
2021-02-19 13:46:06 CET
Component: RPM Packages => Security

'apache-thrift' is not a Mageia srpm

CC: (none) => ouaurelien

Hold on, I'll fix it. There.

Resolution: INVALID => (none)

Zombie Ryushu
2021-02-19 15:11:34 CET
Summary: [Update Request] apache-thrift (CVE-2020-13949) => [Update Request] golang-github-apache-thrift (CVE-2020-13949)

Thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)

Assignee: bugsquad => pterjan

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13949

The issue is fixed upstream in 0.14.0.

Whiteboard: (none) => MGA8TOO, MGA7TOO

Upstream advisory from February 11: https://www.openwall.com/lists/oss-security/2021/02/11/2

Apparently both "thrift" packages are affected: https://bugzilla.redhat.com/show_bug.cgi?id=1928172#c1

Summary: thrift new security issue CVE-2020-13949 => thrift, golang-github-apache-thrift new security issue CVE-2020-13949

I had a look last night and we have 2 source packages for the same sources:
- thrift builds for all languages except go (explicitly disabled)
- golang-github-apache-thrift only builds the go part

So yes both should be fixed, with the same patch. However I couldn't easily find the individual fix and 0.14.0 changes the soname.

Could we consolidate those into one SRPM?

https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E

CC: (none) => mageia

Fixed in cauldron.

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO

Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Whiteboard: MGA7TOO => (none)

fixed in mga8:

src:
- thrift-0.14.0-1.mga8
- golang-github-apache-thrift-0.14.0-1.mga8

Assignee: java => qa-bugs

thrift-0.14.0-1.mga8
libthrift0-0.14.0-1.mga8
libthrift-devel-0.14.0-1.mga8
python3-thrift-0.14.0-1.mga8
perl-thrift-0.14.0-1.mga8
compat-golang-apache-thrift-devel-0.14.0-1.mga8
golang-github-apache-thrift-devel-0.14.0-1.mga8

MGA8-64 Plasma on Lenovo B50 in Dutch

No installation issues (apart from drawing in a load of dependencies).
No wiki, no previous updates.
Looking for a tutorial or example, found https://thrift.apache.org/, but this is all developer's area.

CC: (none) => herman.viaene

I looked at the link Herman found, and indeed this is developer stuff. (BTW, the website offers 0.15.0 as the version for download.)

As is usual with this sort of thing, I'm going to pass it on the basis of Herman's clean install.

Validating.

Whiteboard: (none) => MGA8-64-OK

Dave Hodgins
2021-12-23 19:14:12 CET
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0578.html

Resolution: (none) => FIXED