[
https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16755330#comment-16755330
]
Mike Yoder commented on THRIFT-4506:
------------------------------------
It's not just hive - by my count (of the projects I care about) this affects
accumulo, avro, crunch, flume, hbase, hive, impala, kite, parquet, sentry, and
spark. In several of those projects the libthrift jar is exposed outside of
the project, making it a backwards-compatibility-breaking change for those
projects. Without a 0.9.4 release (containing only this fix) there is no good
way for those projects to preserve backwards compatibility and protect
themselves from this issue.
> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in
> release builds
> ------------------------------------------------------------------------------------------
>
> Key: THRIFT-4506
> URL: https://issues.apache.org/jira/browse/THRIFT-4506
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.5
> Reporter: James E. King III
> Assignee: James E. King III
> Priority: Minor
> Labels: SASL, security
> Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be
> processed in debug builds, at
> https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
> The preceeding while loop can be changed to guarantee this assertion in all
> builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
