Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Snyk] Upgrade org.apache.thrift:libthrift from 0.10.0 to 0.17.0 #357

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from

Conversation

snyk-bot
Copy link

Snyk has created this PR to upgrade org.apache.thrift:libthrift from 0.10.0 to 0.17.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 9 versions ahead of your current version.
  • The recommended version was released 4 months ago, on 2022-09-19.

The recommended version fixes:

Severity Issue PriorityScore (*) Exploit Maturity
Denial of Service (DoS)
SNYK-JAVA-ORGAPACHETHRIFT-474610
635/1000
Why? Has a fix available, CVSS 8.2
No Known Exploit
Authentication Bypass
SNYK-JAVA-ORGAPACHETHRIFT-451680
635/1000
Why? Has a fix available, CVSS 8.2
No Known Exploit
Denial of Service (DoS)
SNYK-JAVA-ORGAPACHETHRIFT-1074898
635/1000
Why? Has a fix available, CVSS 8.2
No Known Exploit
Improper Access Control
SNYK-JAVA-ORGAPACHETHRIFT-173706
635/1000
Why? Has a fix available, CVSS 8.2
No Known Exploit
Directory Traversal
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517
635/1000
Why? Has a fix available, CVSS 8.2
No Known Exploit
Improper Input Validation
SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058
635/1000
Why? Has a fix available, CVSS 8.2
No Known Exploit
Information Exposure
SNYK-JAVA-COMMONSCODEC-561518
635/1000
Why? Has a fix available, CVSS 8.2
No Known Exploit

(*) Note that the real score may have changed since the PR was raised.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

rtyley added a commit to guardian/scrooge that referenced this pull request Mar 12, 2024
Scrooge's `TArrayByteTransport` and `TReusableMemoryTransport` classes both
extend libthrift's abstract `org.apache.thrift.transport.TTransport` class.
That class gained 3 new abstract members with apache/thrift#2191
(September 2020), released with libthrift v0.14.0 (February 2021). Consequently,
both classes currently fail to compile, due to missing implementations for these
methods:

def checkReadBytesAvailable(x$1: Long): Unit = ???
def getConfiguration(): org.apache.thrift.TConfiguration = ???
def updateKnownMessageSize(x$1: Long): Unit = ???

Note that Snyk PR twitter#357 updates only
one of several files that needs to be updated for a libthrift upgrade, and
the most important file is probably `build.sbt`, not `demos/scrooge-maven-demo/pom.xml`.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants