Date: Wed, 13 Mar 2019 08:47:13 -0400 From: "James E. King III" <jking@...che.org> To: "James E. King III" <jking@...che.org> Cc: oss-security@...ts.openwall.com, security <security@...che.org>, dev@...ift.apache.org, user@...ift.apache.org Subject: Re: [SECURITY] CVE-2018-1320 Apache Thrift SASL negotiation vulnerability (update) This is an update to a previously announced CVE. The specific change in the update is that a new version of Apache Thrift 0.9.3.1 was released per community request. The following fields changed from the previous announcement: Versions Affected Mitigation Resolution The new content of the CVE announcement is as follows: Reported By: Sudheesh Katkam Vendor: The Apache Software Foundation Product: Apache Thrift Problem Type: Improper Authentication Versions Affected: Apache Thrift versions 0.5.0 through 0.11.0, except 0.9.3.1 Mitigation: Upgrading to 0.9.3.1 or to the latest 0.12.0 release Description: Apache Thrift Java client library TSaslTransport can bypass SASL negotiation isComplete validation. An assert was previously used to determine if the SASL handshake had successfully completed, but in some cases this assertion could be disabled in production settings making the validation incomplete. Resolution: The assertion has been removed and an isComplete check has been moved within the handshake processing loop. The fix is contained in the 0.12.0 Apache Thrift release as has also been backported to the 0.9.3.1 release, also available on maven central. 0.12.0 was released on January 4, 2019 and 0.9.3.1 was released on March 13, 2019. Jira issue: - https://issues.apache.org/jira/browse/THRIFT-4506 Mitre issue: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1320 Committed resolution: - https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e On behalf of the Apache Thrift PMC, Thank you
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.