In Apache Thrift 0.9.3 to 0.13.0, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
Component: RPM Packages => Security
CVE: (none) => CVE-2020-13949
QA Contact: (none) => security
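The allocation pattern behind the description above (a client-supplied length prefix driving a buffer size), shown as an added example that is not code from Apache Thrift or from the Mageia packages: a minimal Python reader for a 4-byte length-prefixed frame that bounds the declared size before allocating and reads incrementally, so a short message claiming a huge length is rejected instead of served. The frame layout mirrors Thrift's framed transport; the 16 MiB cap, the exception names and all sample messages are this example's own assumptions.

```python
import io
import struct

# Cap on a declared frame length. Upstream 0.14.0 added configurable
# message/frame limits; the value used here is this example's assumption.
MAX_FRAME_SIZE = 16 * 1024 * 1024

class FrameTooLarge(ValueError):
    pass

class TruncatedFrame(ValueError):
    pass

def declared_frame_size(header: bytes) -> int:
    """Framed transport header: a 4-byte big-endian signed length prefix."""
    if len(header) != 4:
        raise TruncatedFrame(f"need 4 header bytes, got {len(header)}")
    (size,) = struct.unpack("!i", header)
    return size

def read_frame(stream: io.IOBase, max_frame_size: int = MAX_FRAME_SIZE) -> bytes:
    """Check the declared length before sizing anything from it, then read
    in bounded chunks so a peer that declares far more than it sends
    cannot force a large up-front allocation."""
    size = declared_frame_size(stream.read(4))
    if size < 0 or size > max_frame_size:
        raise FrameTooLarge(f"declared {size} bytes, limit {max_frame_size}")
    payload = bytearray()
    while len(payload) < size:
        chunk = stream.read(min(65536, size - len(payload)))
        if not chunk:
            raise TruncatedFrame(f"peer sent {len(payload)} of {size} bytes")
        payload.extend(chunk)
    return bytes(payload)

def frame_outcome(data: bytes, max_frame_size: int = MAX_FRAME_SIZE) -> str:
    """Classify one raw message as ok / too-large / truncated."""
    try:
        read_frame(io.BytesIO(data), max_frame_size)
        return "ok"
    except FrameTooLarge:
        return "too-large"
    except TruncatedFrame:
        return "truncated"
# Constructed sample messages (not captured traffic).
GOOD_FRAME = struct.pack("!i", 5) + b"hello"
SHORT_HUGE_FRAME = struct.pack("!i", 1 << 30)  # 4 bytes that claim 1 GiB
NEGATIVE_FRAME = struct.pack("!i", -1) + b"x"
TRUNCATED_FRAME = struct.pack("!i", 10) + b"abc"
```

Even with the cap raised above 1 GiB, the four-byte message is still refused (as truncated rather than too large), because the reader never sizes a buffer from the declared length alone.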
'apache-thrift' is not a Mageia srpm
CC: (none) => ouaurelien
Resolution: (none) => INVALID
Status: NEW => RESOLVED
Hold on, I'll fix it. There.
Resolution: INVALID => (none)
Source RPM: apache-thrift => golang-github-apache-thrift-0.13.0-1.mga8.src.rpm
Status: RESOLVED => REOPENED
Summary: [Update Request] apache-thrift (CVE-2020-13949) => [Update Request] golang-github-apache-thrift (CVE-2020-13949)
Thanks for reporting this. Assigned to the package maintainer. (Please set the status to 'assigned' if you are working on it)
Assignee: bugsquad => pterjan
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13949 The issue is fixed upstream in 0.14.0.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Summary: [Update Request] golang-github-apache-thrift (CVE-2020-13949) => thrift new security issue CVE-2020-13949
Source RPM: golang-github-apache-thrift-0.13.0-1.mga8.src.rpm => thrift-0.13.0-2.mga8.src.rpm
Assignee: pterjan => java
Blocks: (none) => 24174
Severity: normal => critical
Upstream advisory from February 11: https://www.openwall.com/lists/oss-security/2021/02/11/2 Apparently both "thrift" packages are affected: https://bugzilla.redhat.com/show_bug.cgi?id=1928172#c1
Summary: thrift new security issue CVE-2020-13949 => thrift, golang-github-apache-thrift new security issue CVE-2020-13949
Status comment: (none) => Fixed upstream in 0.14.0
CC: (none) => pterjan
Source RPM: thrift-0.13.0-2.mga8.src.rpm => thrift-0.13.0-2.mga8.src.rpm, golang-github-apache-thrift-devel-0.13.0-1.mga8.src.rpm
I had a look last night and we have 2 source packages for the same sources:
- thrift builds for all languages except go (explicitly disabled)
- golang-github-apache-thrift only builds the go part
So yes both should be fixed, with the same patch. However I couldn't easily find the individual fix and 0.14.0 changes the soname.
Could we consolidate those into one SRPM?
https://lists.apache.org/thread.html/r1504886a550426d3c05772c47b1a6350c3235e51fd1fdffbec43e974@%3Cuser.thrift.apache.org%3E
CC: (none) => mageia
https://lists.apache.org/thread.html/rcdf62ecd36e39e4ff9c61802eee4927ce9ecff1602eed1493977ef4c%40%3Cuser.thrift.apache.org%3E
Fixed in cauldron.
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Version: Cauldron => 8
Removing Mageia 7 from whiteboard due to EOL: https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/
Whiteboard: MGA7TOO => (none)
fixed in mga8:
src:
- thrift-0.14.0-1.mga8
- golang-github-apache-thrift-0.14.0-1.mga8
Assignee: java => qa-bugs
Status comment: Fixed upstream in 0.14.0 => (none)
thrift-0.14.0-1.mga8
libthrift0-0.14.0-1.mga8
libthrift-devel-0.14.0-1.mga8
python3-thrift-0.14.0-1.mga8
perl-thrift-0.14.0-1.mga8
compat-golang-apache-thrift-devel-0.14.0-1.mga8
golang-github-apache-thrift-devel-0.14.0-1.mga8
MGA8-64 Plasma on Lenovo B50 in Dutch. No installation issues (apart from drawing in a load of dependencies). No wiki, no previous updates. Looking for a tutorial or example, found https://thrift.apache.org/, but this is all developer's area.
CC: (none) => herman.viaene
I looked at the link Herman found, and indeed this is developer stuff. (BTW, the website offers 0.15.0 as the version for download.) As is usual with this sort of thing, I'm going to pass it on the basis of Herman's clean install. Validating.
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0578.html
Resolution: (none) => FIXED
Status: REOPENED => RESOLVED