[ https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16755330#comment-16755330 ]
Mike Yoder commented on THRIFT-4506:
------------------------------------

It's not just hive - by my count (of the projects I care about) this affects accumulo, avro, crunch, flume, hbase, hive, impala, kite, parquet, sentry, and spark. In several of those projects the libthrift jar is exposed outside of the project, making it a backwards-compatibility-breaking change for those projects. Without a 0.9.4 release (containing only this fix) there is no good way for those projects to preserve backwards compatibility and protect themselves from this issue.

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in
> release builds
> ------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4506
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4506
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.5
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Minor
>              Labels: SASL, security
>             Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be
> processed in debug builds, at
> https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
> The preceding while loop can be changed to guarantee this assertion in all
> builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
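The defect class the quoted issue describes, shown as an added illustration in Java (this is not Thrift's TSaslTransport code and not its fix; the frame reader, its method names and the constructed 3-byte input are assumptions made for the example): a Java `assert` is only evaluated when the JVM is started with `-ea`, so a post-condition written as an `assert` after a loop silently disappears in a normal run, whereas folding the same check into the loop, as the issue proposes for the preceding while loop, makes it hold in every build.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

/*
 * Illustrative example, not Thrift's TSaslTransport: a reader that must fill
 * exactly `length` bytes. The first version relies on `assert` for the
 * post-condition; the second makes the loop itself guarantee it.
 */
public class AssertInReleaseBuild {

    /** Post-condition lives in an assert: it is a no-op unless the JVM runs with -ea. */
    static byte[] readFrameWithAssert(InputStream in, int length) throws IOException {
        byte[] frame = new byte[length];
        int offset = 0;
        while (offset < length) {
            int n = in.read(frame, offset, length - offset);
            if (n < 0) {
                break;               // EOF: the loop exits early and the frame is short
            }
            offset += n;
        }
        // Only evaluated with -ea; by default this line does nothing and a
        // zero-padded, truncated frame is handed to the caller.
        assert offset == length : "short read: " + offset + " of " + length;
        return frame;
    }

    /** Same reader, but the loop enforces the invariant in release and debug builds alike. */
    static byte[] readFrameChecked(InputStream in, int length) throws IOException {
        byte[] frame = new byte[length];
        int offset = 0;
        while (offset < length) {
            int n = in.read(frame, offset, length - offset);
            if (n < 0) {
                throw new IOException("short read: " + offset + " of " + length);
            }
            offset += n;
        }
        return frame;                // reached only when offset == length
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: 3 bytes supplied where an 8-byte frame is expected.
        byte[] truncated = {1, 2, 3};

        boolean assertionsOn = false;
        assert assertionsOn = true;  // standard idiom: the assignment runs only under -ea
        System.out.println("assertions enabled: " + assertionsOn);

        try {
            byte[] f = readFrameWithAssert(new ByteArrayInputStream(truncated), 8);
            System.out.println("assert version silently returned " + Arrays.toString(f));
        } catch (AssertionError e) {
            System.out.println("assert version caught it (only because -ea is on): " + e.getMessage());
        }

        try {
            readFrameChecked(new ByteArrayInputStream(truncated), 8);
        } catch (IOException e) {
            System.out.println("checked version rejected input: " + e.getMessage());
        }
    }
}
```

Compile with `javac AssertInReleaseBuild.java`, then run it twice: `java AssertInReleaseBuild` reports that assertions are disabled and the assert-based reader returns the zero-padded 8-byte frame, while `java -ea AssertInReleaseBuild` trips the assertion. The checked reader throws in both runs, which is the property the issue's fix is after: an input-validation step must not depend on a JVM flag that production deployments normally leave off.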