cvrf2cusa/cvrf/2021/cvrf-openEuler-SA-2021-1017.xml

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<!-- Document header: title, type and publishing vendor. The ContactDetails
     address is the only contact channel given for this advisory. -->
<DocumentTitle xml:lang="en">An update for thrift is now available for openEuler-20.03-LTS-SP1</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<!-- Tracking metadata. Status is Final at version 1.0 with a single
     revision; InitialReleaseDate, CurrentReleaseDate, the revision Date
     and the Generator Date are all 2021-02-04, i.e. the document has not
     been revised since initial publication. -->
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2021-1017</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2021-02-04</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2021-02-04</InitialReleaseDate>
<CurrentReleaseDate>2021-02-04</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2021-02-04</Date>
</Generator>
</DocumentTracking>
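<!-- Document-level notes (Synopsis, Summary, Description, Topic, Severity,
     Affected Component). The Description and Topic notes contain the
     literal four characters "\r\n" (backslash-r backslash-n) rather than
     real CR/LF line breaks; a consumer rendering these notes must not
     treat them as newlines. Typos in the Topic note were corrected
     ("Vunlnerability", missing spaces around "(CVSS)" and "CVE link(s)"). -->
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">thrift security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for thrift is now available for openEuler-20.03-LTS-SP1.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">The Apache Thrift software framework for cross-language services development combines a software stack with a code generation engine to build services that work efficiently and seamlessly between C++, Java, Python, and other languages.\r\n\r\n
Security Fix(es):\r\n\r\n
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.(CVE-2019-0205)\r\n\r\n
In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.(CVE-2019-0210)\r\n\r\n</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for thrift is now available for openEuler-20.03-LTS-SP1.\r\n\r\n
openEuler Security has rated this update as having a security impact of high. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">thrift</Note>
</DocumentNotes>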
<!-- References: the Self URL carries the same advisory ID as
     DocumentTracking/ID (openEuler-SA-2021-1017); the "openEuler CVE" and
     "Other" (NVD) entries list both CVEs covered by this advisory. URLs
     here are informational links, not resources the document itself
     instructs a processor to fetch. -->
<DocumentReferences>
<Reference Type="Self">
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1017</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-0205</URL>
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2019-0210</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2019-0205</URL>
<URL>https://nvd.nist.gov/vuln/detail/CVE-2019-0210</URL>
</Reference>
</DocumentReferences>
<!-- Product tree: one "Product Name" branch for the platform and one
     "Package Arch" branch per architecture (aarch64, noarch, src, x86_64).
     Every package entry reuses the platform CPE rather than a per-package
     CPE. Package ProductIDs omit the architecture, so the same ProductID
     recurs across branches (e.g. thrift-0.10.0-3 under aarch64, src and
     x86_64; python3-thrift-0.10.0-3 under aarch64 and x86_64). The
     ProductStatuses in the Vulnerability sections reference only the
     platform ProductID, so the duplicates are never dereferenced within
     this file, but a consumer that builds a ProductID lookup table will
     see collisions. NOTE(review): CVRF expects ProductIDs to be unique
     within a document; confirm against the prod/1.1 schema. -->
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="aarch64">
<FullProductName ProductID="fb303-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">fb303-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="thrift-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="thrift-qt-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-qt-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="thrift-glib-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-glib-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="fb303-devel-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">fb303-devel-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-fb303-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-fb303-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="thrift-debugsource-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-debugsource-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="thrift-devel-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-devel-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="python3-thrift-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-thrift-0.10.0-3.oe1.aarch64.rpm</FullProductName>
<FullProductName ProductID="thrift-debuginfo-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-debuginfo-0.10.0-3.oe1.aarch64.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="fb303-java-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">fb303-java-0.10.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="libthrift-java-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libthrift-java-0.10.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="perl-thrift-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">perl-thrift-0.10.0-3.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="libthrift-javadoc-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">libthrift-javadoc-0.10.0-3.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="thrift-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-0.10.0-3.oe1.src.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="x86_64">
<FullProductName ProductID="python3-fb303-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-fb303-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="python3-thrift-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">python3-thrift-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="thrift-debuginfo-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-debuginfo-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="thrift-devel-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-devel-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="thrift-debugsource-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-debugsource-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="thrift-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="fb303-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">fb303-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="fb303-devel-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">fb303-devel-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="thrift-glib-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-glib-0.10.0-3.oe1.x86_64.rpm</FullProductName>
<FullProductName ProductID="thrift-qt-0.10.0-3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">thrift-qt-0.10.0-3.oe1.x86_64.rpm</FullProductName>
</Branch>
</ProductTree>
<!-- CVE-2019-0205 (endless loop on specific input, availability impact).
     "Fixed" is asserted for the platform ProductID only, not for the
     package ProductIDs in the ProductTree; the fixed package versions must
     be read from the ProductTree (thrift-0.10.0-3.oe1). The Vector uses
     CVSS v3 metric names (PR, UI, S, and C/I/A with N/H values); the
     BaseScore 7.5 is consistent with that v3 vector. NOTE(review): CVRF
     1.1 CVSSScoreSets is, to my knowledge, the CVSS v2 score container
     (v3 scores arrived with CVRF 1.2), so a v2-only consumer may reject or
     misparse this vector; confirm against the vuln/1.1 schema. The
     Remediation carries a <DATE> child element; CVRF 1.1 spells the
     remediation date differently as far as I recall, so schema validation
     may flag it. The Threat Impact "High" matches the document Severity. -->
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when feed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.</Note>
</Notes>
<ReleaseDate>2021-02-04</ReleaseDate>
<CVE>CVE-2019-0205</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>thrift security update</Description>
<DATE>2021-02-04</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1017</URL>
</Remediation>
</Remediations>
</Vulnerability>
<!-- CVE-2019-0210 (Go server panic on invalid input with TJSONProtocol or
     TSimpleJSONProtocol, availability impact). Same structure as the first
     Vulnerability: "Fixed" is asserted for the platform ProductID only, the
     Vector is in CVSS v3 metric syntax inside the CVRF 1.1 CVSSScoreSets
     container, BaseScore 7.5 is consistent with that vector, and the
     Remediation uses a <DATE> child element. The single Note here has
     Ordinal="2" rather than starting at 1; presumably the generator numbers
     vulnerability notes document-wide, but a consumer should not assume
     per-Notes ordinals start at 1. NOTE(review): the CVRF schema and
     spelling concerns noted on the first Vulnerability apply here too. -->
<Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="2" xml:lang="en">In Apache Thrift 0.9.3 to 0.12.0, a server implemented in Go using TJSONProtocol or TSimpleJSONProtocol may panic when feed with invalid input data.</Note>
</Notes>
<ReleaseDate>2021-02-04</ReleaseDate>
<CVE>CVE-2019-0210</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.5</BaseScore>
<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>thrift security update</Description>
<DATE>2021-02-04</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1017</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>