Date: Mon, 7 Jan 2019 10:14:01 -0500 From: "James E. King III" <jking@...che.org> To: oss-security@...ts.openwall.com, security <security@...che.org>, dev@...ift.apache.org, user@...ift.apache.org Subject: [SECURITY] CVE-2018-1320 Announcement Reported By: Sudheesh Katkam Vendor: The Apache Software Foundation Product: Apache Thrift Problem Type: Improper Authentication Versions Affected: Apache Thrift versions 0.5.0 through 0.11.0 Mitigation: Upgrading to the latest 0.12.0 release Description: Apache Thrift Java client library TSaslTransport can bypass SASL negotiation isComplete validation. An assert was previously used to determine if the SASL handshake had successfully completed, but in some cases this assertion could be disabled in production settings making the validation incomplete. Resolution: The assertion has been removed and an isComplete check has been moved within the handshake processing loop. The fix is contained in the 0.12.0 Apache Thrift release. Jira issue: - https://issues.apache.org/jira/browse/THRIFT-4506 Mitre issue: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320 Committed resolution: - https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e On behalf of the Apache Thrift PMC, Thank you
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.