[ https://issues.apache.org/jira/browse/THRIFT-4506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16788697#comment-16788697 ]

James E. King III commented on THRIFT-4506:
-------------------------------------------

It is a single language patch for a CVE.  It did not go through the standard 
release cycle.  There's no reason to publish 0.9.3-1 to other languages.  There 
is a branch for it.  There is no release tag for it.  There is no official 
source upload for it, as it was not a full release.  If this violated the 
apache release rules, then it's my fault.  I was trying to help the community 
avoid having to release their own 0.9.3-1 under a separate name.  We might be 
able to get a dist package from 0.9.3.1, but the build environment is pretty 
old and may no longer work.  We could take the 0.9.3.1 download zip/tarball 
from GitHub and bless it but it would not have the built "configure" script.  
So in order to release 0.9.3.1 it may require rebuilding an older docker build 
environment.  Not impossible, but not trivial.  So again, any violation of 
release rules is on me.  I probably shouldn't have tried to make this patch at 
all.

> [CVE-2018-1320] Remove assertion in Java SASL code that would be ignored in 
> release builds
> ------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4506
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4506
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.5
>            Reporter: James E. King III
>            Assignee: James E. King III
>            Priority: Minor
>              Labels: SASL, security
>             Fix For: 0.12.0
>
>
> There is an assertion in the SASL transport for Java that will only be 
> processed in debug builds, at 
> https://github.com/apache/thrift/blob/master/lib/java/src/org/apache/thrift/transport/TSaslTransport.java#L298.
>   The preceding while loop can be changed to guarantee this assertion in all 
> builds.
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320
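The point in the issue above is that a Java `assert` is only evaluated when the JVM runs with `-ea`, so a check that matters in production must be enforced by ordinary control flow. The following is an added, constructed illustration (not Thrift's TSaslTransport code): a read loop whose invariant is guarded only by `assert`, next to the same loop with the invariant enforced in every build. The method names, the `IOException` and the sample payload are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

public class AssertVsCheck {
    // Weak form: the assert is a no-op unless the JVM runs with -ea, so an
    // early end of stream silently returns with buf only partly filled.
    static int readFullyWithAssert(InputStream in, byte[] buf) throws IOException {
        int got = 0;
        while (got < buf.length) {
            int n = in.read(buf, got, buf.length - got);
            if (n <= 0) break;          // stream ended early
            got += n;
        }
        assert got == buf.length : "short read";   // ignored without -ea
        return got;
    }

    // Hardened form: the loop itself enforces the invariant in every build,
    // so a short read is reported instead of being passed along as success.
    static int readFullyChecked(InputStream in, byte[] buf) throws IOException {
        int got = 0;
        while (got < buf.length) {
            int n = in.read(buf, got, buf.length - got);
            if (n <= 0) {
                throw new IOException("short read: expected " + buf.length
                                      + " bytes, got " + got);
            }
            got += n;
        }
        return got;
    }

    public static void main(String[] args) throws IOException {
        byte[] shortPayload = {1, 2, 3};   // constructed: 3 bytes where 8 are expected
        byte[] buf = new byte[8];
        int got = readFullyWithAssert(new ByteArrayInputStream(shortPayload), buf);
        System.out.println("assert form returned " + got + " (no exception without -ea)");
        try {
            readFullyChecked(new ByteArrayInputStream(shortPayload), new byte[8]);
        } catch (IOException e) {
            System.out.println("checked form: " + e.getMessage());
        }
    }
}
```

Run it once with `java AssertVsCheck` and once with `java -ea AssertVsCheck` to see the first form's behaviour change with a JVM flag while the second form fails the same way in both runs.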



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)