discuss-gnuradio

Re: [Discuss-gnuradio] Fwd: [NOTICE]: Apache Thrift Security Vulnerabili


From: Marcus Müller
Subject: Re: [Discuss-gnuradio] Fwd: [NOTICE]: Apache Thrift Security Vulnerability CVE-2016-5397
Date: Fri, 13 Jan 2017 18:38:47 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

Specification: If you're writing a controlport/thrift client in Go, you
might be vulnerable.

I'm not aware of any usage of Go in that context.

Best regards,
Marcus

On 01/13/2017 06:32 PM, Philip Balister wrote:
> Control port users, take note.
>
>
> -------- Forwarded Message --------
> Subject: [NOTICE]: Apache Thrift Security Vulnerability CVE-2016-5397
> Date: Fri, 13 Jan 2017 12:16:04 -0500
> From: Jake Farrell <address@hidden>
> Reply-To: address@hidden, address@hidden
> To: address@hidden <address@hidden>,
> address@hidden <address@hidden>
>
> CVE-2016-5397
>
> A security vulnerability was discovered in the Apache Thrift Go client
> library, CVE-2016-5397. It was determined that the Apache Thrift Go client
> library exposed the potential during code generation for command injection
> due to using an external formatting tool. This has been traced and resolved
> in THRIFT-3893 [2].
>
> Vendor: The Apache Software Foundation
>
> Versions Affected: All Apache Thrift versions 0.9.3 and older may be affected
>
> Mitigation: Upgrading to the latest Apache Thrift 0.10.0 release
>
> Resolution: The issue was resolved by removing the relevant calls to the
> external formatting tool, gofmt, since it is not required for core Apache
> Thrift code functionality.
>
> -Jake Farrell
>
> [1]: CVE-2016-5397
> [2]: https://issues.apache.org/jira/browse/THRIFT-3893