* CVE-2019-0205 Description: "In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings."
* CVE-2019-0210 Description: "In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data."
Please bump to 0.13.0, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=25eda03e3a6f32f3e20742165a0b9e6e6f87f4c2

commit 25eda03e3a6f32f3e20742165a0b9e6e6f87f4c2
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2020-12-24 08:58:45 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2020-12-24 08:58:45 +0000

    dev-python/thrift-0.13.0: version bump, bug #761409

    Bug: https://bugs.gentoo.org/761409
    Package-Manager: Portage-3.0.9, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 +
 dev-python/thrift/thrift-0.13.0.ebuild | 26 ++++++++++++++++++++++++++
 2 files changed, 27 insertions(+)
Thank you! Please stabilize when ready.
Ready?
go ahead
x86 done
amd64 done
all arches done
Please cleanup, thanks!
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e82c786f414c8a81a5fde1dcf66ce4f47fe4d77c

commit e82c786f414c8a81a5fde1dcf66ce4f47fe4d77c
Author:     Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-01-07 14:44:09 +0000
Commit:     Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-01-07 14:44:09 +0000

    dev-python/thrift: security cleanup

    Bug: https://bugs.gentoo.org/761409
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Fabian Groffen <grobian@gentoo.org>

 dev-python/thrift/Manifest             |  1 -
 dev-python/thrift/thrift-0.11.0.ebuild | 20 --------------------
 2 files changed, 21 deletions(-)
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-32 at https://security.gentoo.org/glsa/202107-32 by GLSA coordinator John Helmert III (ajak).