[Discuss-gnuradio] Fwd: [NOTICE]: Apache Thrift Security Vulnerability C
From: Philip Balister
Subject: [Discuss-gnuradio] Fwd: [NOTICE]: Apache Thrift Security Vulnerability CVE-2016-5397
Date: Fri, 13 Jan 2017 12:32:59 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1

Control port users, take note.
-------- Forwarded Message --------
Subject: [NOTICE]: Apache Thrift Security Vulnerability CVE-2016-5397
Date: Fri, 13 Jan 2017 12:16:04 -0500
From: Jake Farrell <address@hidden>
Reply-To: address@hidden, address@hidden
To: address@hidden <address@hidden>,
address@hidden <address@hidden>

CVE-2016-5397

A security vulnerability was discovered in the Apache Thrift Go client library, CVE-2016-5397. It was determined that the Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. This has been traced and resolved in THRIFT-3893 [2].

Vendor: The Apache Software Foundation

Versions Affected: All Apache Thrift versions 0.9.3 and older may be affected

Mitigation: Upgrading to the latest Apache Thrift 0.10.0 release

Resolution: The issue was resolved by removing the relevant calls to the external formatting tool, gofmt, since it is not required for core Apache Thrift code functionality.

-Jake Farrell
[1]: CVE-2016-5397
[2]: https://issues.apache.org/jira/browse/THRIFT-3893
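
A version check against the range given in the notice above, as an added example that is not part of the original message or of Apache Thrift. It assumes the compiler reports itself as `Thrift version X.Y.Z`; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). Classifies a Thrift version against
# the range in the notice: 0.9.3 and older affected, 0.10.0 carries the fix.
FIXED="0.10.0"

# Succeeds (0) when dotted version $1 is numerically older than $2.
# Fields are compared as integers: as plain strings "0.10.0" sorts
# before "0.9.3", which would report the fixed release as older.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
        # Drop the field just compared; empty the string when no dot remains.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# Prints the version found in tool output of the assumed form
# "Thrift version X.Y.Z", or nothing when the text does not match.
thrift_version_from_output() {
    printf '%s\n' "$1" |
        sed -n 's/^Thrift version \([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p'
}

# Prints "affected", "not-affected" or "unknown" for one line of tool output.
classify_thrift() {
    v=$(thrift_version_from_output "$1")
    if [ -z "$v" ]; then echo unknown
    elif version_lt "$v" "$FIXED"; then echo affected
    else echo not-affected
    fi
}

# Constructed sample outputs; on a real host pass "$(thrift -version)".
for sample in "Thrift version 0.9.3" "Thrift version 0.10.0" "thrift: not found"; do
    printf '%-24s %s\n' "$sample" "$(classify_thrift "$sample")"
done
```

Run it on build hosts and CI images where the Thrift compiler generates code, since the notice places the issue in code generation.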