[
https://issues.apache.org/jira/browse/THRIFT-5075?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17024709#comment-17024709
]
Laurent Goujon commented on THRIFT-5075:
----------------------------------------
Several projects I'm afraid so (less than THRIFT-4506 though):
- Apache Hive
- Apache Impala
- Apache Sentry
I open an issue against Hive to get the security vulnerability addressed
(HIVE-22738), and a ticket already exist to upgrade thrift
(https://issues.apache.org/jira/browse/HIVE-21000), but no update on those. The
situation is actually a bit worse because depending on if you need to connect
to a Hive 1 vs Hive 2 server, you might need to use a different client versions
(and not sure if Hive people feel like upgrading thrift versions on an older
version too).
> Backport fixes for CVE-2019-0205 to (Java) 0.9.3-1 version
> ----------------------------------------------------------
>
> Key: THRIFT-5075
> URL: https://issues.apache.org/jira/browse/THRIFT-5075
> Project: Thrift
> Issue Type: Bug
> Reporter: Laurent Goujon
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Similar to THRIFT-4506, would it be possible to backport fixes for
> CVE-2019-0205 to 0.9.x branch. There are still several projects still relying
> on 0.9.3-1, and the vulnerability seems to impact them as well.
> I believe the fix for Java was part of THRIFT-4024
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
