Hi Moritz,

On Sun, Apr 1, 2018 at 10:38 PM, Moritz Muehlenhoff <j...@debian.org> wrote:
> Package: thrift-compiler
> Severity: grave
> Tags: security
>
> This was assigned CVE-2016-5397: 
> https://issues.apache.org/jira/browse/THRIFT-3893
This affects the Go compiler component only if I see it right. That's
packaged only with 0.9.3-2 and later versions. As such, it affects
only thrift which is still in experimental only. I need to check every
usage scenario of course - but I'm going to do that in daytime and not
at the moment. :-/

> Fix: 
> https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e
I don't really consider this as a fix, it disables the
format_go_output function instead of input sanitizing. :-(

Thanks anyway,
Laszlo/GCS
