CVE-2020-13949: Applications using Thrift would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. Fixed in 0.14.0, please bump.
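As an added illustration of the bug class described above (this is not Thrift's own code, and the per-type minimum sizes are an assumption drawn from the binary-protocol wire encoding), the following Python contrasts a list-header reader that trusts the declared element count with one that bounds it by the bytes actually remaining in the message:

```python
import struct

# Thrift binary-protocol TType codes mapped to the minimum number of bytes
# one element of that type occupies on the wire (assumed from the encoding).
TTYPE_MIN_SIZE = {
    2: 1,   # BOOL
    3: 1,   # BYTE
    4: 8,   # DOUBLE
    6: 2,   # I16
    8: 4,   # I32
    10: 8,  # I64
    11: 4,  # STRING: 4-byte length prefix, payload may be empty
    12: 1,  # STRUCT: at least the T_STOP byte
    13: 6,  # MAP: key type, value type, i32 count
    14: 5,  # SET: element type, i32 count
    15: 5,  # LIST: element type, i32 count
}

def read_list_header_unchecked(buf, pos):
    """Vulnerable pattern: trust the declared size, so a caller that
    pre-allocates `size` elements allocates on the attacker's say-so."""
    etype, size = struct.unpack_from(">bi", buf, pos)
    return etype, size, pos + 5

def read_list_header_checked(buf, pos):
    """Hardened pattern: refuse a count the remaining payload cannot hold."""
    if pos + 5 > len(buf):
        raise ValueError("truncated list header")
    etype, size = struct.unpack_from(">bi", buf, pos)
    if size < 0:
        raise ValueError("negative container size")
    min_elem = TTYPE_MIN_SIZE.get(etype)
    if min_elem is None:
        raise ValueError("unknown element type %d" % etype)
    remaining = len(buf) - (pos + 5)
    if size * min_elem > remaining:
        raise ValueError("declared %d elements, only %d bytes remain" % (size, remaining))
    return etype, size, pos + 5

def rejects(buf):
    """True if the checked reader refuses the header at offset 0."""
    try:
        read_list_header_checked(buf, 0)
    except ValueError:
        return True
    return False

# Constructed sample messages: list<i32> of two elements (honest), and the
# same 8-byte payload with the count inflated to INT32_MAX (short message,
# huge declared container).
HONEST = struct.pack(">bi", 8, 2) + struct.pack(">ii", 1, 2)
MALICIOUS = struct.pack(">bi", 8, 0x7FFFFFFF) + struct.pack(">ii", 1, 2)
```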
ping
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d737b9a8a8e0fa201ed4f9ecf529e5699d3b3bb

commit 3d737b9a8a8e0fa201ed4f9ecf529e5699d3b3bb
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-06-01 06:38:48 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-06-01 06:39:03 +0000

dev-python/thrift-0.14.1: version bump

Bug: https://bugs.gentoo.org/770145
Package-Manager: Portage-3.0.18, Repoman-3.0.2
Signed-off-by: Fabian Groffen <grobian@gentoo.org>

dev-python/thrift/Manifest | 1 +
dev-python/thrift/thrift-0.14.1.ebuild | 27 +++++++++++++++++++++++++++
2 files changed, 28 insertions(+)
Please proceed with stabilization when ready.
(In reply to John Helmert III from comment #3)
> Please proceed with stabilization when ready.

ping
arches, please stabilise =dev-python/thrift-0.14.1 thanks
amd64 stable
Resetting sanity check; package list is empty or all packages are done.
I guess arm wasn't supposed to be CCd? Don't forget to use nattka to handle arches trivially! https://archives.gentoo.org/gentoo-dev/message/cd62f6be924f6a0f76b68a07d33b256a
nattka didn't work, so I wanted to add the archs x86 and amd64 manually myself; apparently I accidentally added arm instead.
x86 stable. Maintainer(s), please cleanup. Security, please vote.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72e4790572c52c37f876509da179b24b4ae83734

commit 72e4790572c52c37f876509da179b24b4ae83734
Author: Fabian Groffen <grobian@gentoo.org>
AuthorDate: 2021-06-19 19:06:44 +0000
Commit: Fabian Groffen <grobian@gentoo.org>
CommitDate: 2021-06-19 19:06:44 +0000

dev-python/thrift: cleanup old

Bug: https://bugs.gentoo.org/770145
Package-Manager: Portage-3.0.18, Repoman-3.0.2
Signed-off-by: Fabian Groffen <grobian@gentoo.org>

dev-python/thrift/Manifest | 1 -
dev-python/thrift/thrift-0.13.0.ebuild | 25 -------------------------
2 files changed, 26 deletions(-)
Thanks!
GLSA request filed.
This issue was resolved and addressed in GLSA 202107-32 at https://security.gentoo.org/glsa/202107-32 by GLSA coordinator John Helmert III (ajak).