[ https://issues.apache.org/jira/browse/THRIFT-5075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17023464#comment-17023464 ]
Jens Geyer edited comment on THRIFT-5075 at 1/25/20 8:59 AM:
-------------------------------------------------------------

Usually we do not do this because of the efforts someone had to put into this. We surely can apply the patch, but I'm not so sure if we provide another release from 0.9.x.

Is there any specific reason why people don't want to upgrade to a more recent version? The initial 0.9.3 is from 2015 and the wire format is still compatible with the latest release.

was (Author: jensg):
Usually we do not do this because of the efforts someone had to put into this. We surely can apply the patch, but I'm not so sure if we provide another release from 0.9.x.

Is there any specific reason why people don't want to upgrade to a more recent version? The initial 0.9.3 is from 2015 ...

> Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version
> ----------------------------------------------------------
>
> Key: THRIFT-5075
> URL: https://issues.apache.org/jira/browse/THRIFT-5075
> Project: Thrift
> Issue Type: Bug
> Reporter: Laurent Goujon
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Similar to THRIFT-4506, would it be possible to backport fixes for
> CVE-2019-0205 to 0.9.x branch. There are still several projects still relying
> on 0.9.3-1, and the vulnerability seems to impact them as well.
> I believe the fix for Java was part of THRIFT-4024