Upgrade Thrift dependency in broker to solve CVE-2019-0210, CVE-2019-0205 and CVE-2020-13949 #9248
Comments
Since these update needs occur regularly, see: Automated security and update routine before every release #8815
Fixing this issue depends on Bookkeeper issue apache/bookkeeper#2695. libthrift 0.14.1 is broken and a new version is needed before the upgrade can be completed. More details in apache/bookkeeper#2695 (review).
The issue had no activity for 30 days, mark with Stale label.
Closed as stale. Please open a new issue if it's still relevant to the maintained versions. IIRC we have an OWASP checker to prevent high-risk vulnerabilities.
@tisonkun CVE-2019-0205 and CVE-2019-0210 are still showing up as vulnerabilities as of September 2023 with Pulsar 3.1.0's connectors. I don't think the OWASP checker you have set up is working, or these types of security vulnerabilities are not being prioritized.
The Apache Thrift library (libthrift-0.12.jar) used by the Apache Pulsar broker is affected by two high-risk vulnerabilities:
CVE-2019-0210 and CVE-2019-0205
These vulnerabilities are fixed in version 0.13.
Update 2021/02/19
A new vulnerability, CVE-2020-13949, has been published affecting libthrift up to and including version 0.13. Version 0.14 seems to solve the issue.