From Jake Farrell <>
Subject [NOTICE]: Apache Thrift Security Vulnerability CVE-2016-5397
Date Fri, 13 Jan 2017 17:16:04 GMT

A security vulnerability, CVE-2016-5397, was discovered in the Apache Thrift Go client.
It was determined that the Apache Thrift Go client library had the potential during
code generation for command injection due to using an external formatting tool. This
has been traced and resolved in THRIFT-3893.

Vendor: The Apache Software Foundation

Versions Affected: All Apache Thrift versions 0.9.3 and older may be

Mitigation: Upgrading to the latest Apache Thrift 0.10.0 release.

Resolution: The issue was resolved by removing the relevant calls to the
formatting tool, gofmt, since it is not required for core Apache Thrift code.

-Jake Farrell

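The vulnerability class this notice describes, shown as an added example that is not Thrift's code and not part of the original message: an external tool invoked through a shell with a path concatenated into the command string, beside the same tool invoked with a separate argument vector. Here `echo` stands in for the external formatter and `echo INJECTED` for an attacker-chosen command; `hostilePath` is a constructed sample, not a value from the advisory. The notice's actual fix removed the gofmt call entirely; the argv form and the metacharacter check below are the general hardening when a generator must still run an external tool on paths derived from untrusted input.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// hostilePath is a constructed sample: an output path carrying shell
// metacharacters, with "echo INJECTED" standing in for an attacker's command.
const hostilePath = "gen-go/service.go; echo INJECTED"

// runViaShell models the vulnerable pattern (illustrative, not Thrift's code):
// tool name and path are concatenated into one string and handed to `sh -c`,
// so the shell re-parses the path and `;` starts a second command.
// `echo` stands in for the external formatting tool.
func runViaShell(path string) (string, error) {
	out, err := exec.Command("sh", "-c", "echo "+path).CombinedOutput()
	return string(out), err
}

// runViaArgv is the hardened form: no shell, one argv element per argument.
// The path reaches the tool as a single opaque string, metacharacters and all.
func runViaArgv(path string) (string, error) {
	out, err := exec.Command("echo", path).CombinedOutput()
	return string(out), err
}

// hasShellMeta is a defence-in-depth check for generator output paths: when a
// path is derived from an untrusted IDL file, refuse anything a shell could
// reinterpret, even though the argv form above never consults a shell.
func hasShellMeta(path string) bool {
	return strings.ContainsAny(path, ";|&$`<>()\"'\\*?\n")
}

// commandsRun counts non-empty output lines, i.e. how many echo invocations
// actually happened: one means the path stayed data, two means the injected
// command was executed.
func commandsRun(out string) int {
	n := 0
	for _, line := range strings.Split(out, "\n") {
		if line != "" {
			n++
		}
	}
	return n
}

func main() {
	shellOut, _ := runViaShell(hostilePath)
	argvOut, _ := runViaArgv(hostilePath)
	fmt.Printf("sh -c form: %d command(s) ran\n%s", commandsRun(shellOut), shellOut)
	fmt.Printf("argv form:  %d command(s) ran\n%s", commandsRun(argvOut), argvOut)
	fmt.Println("path has shell metacharacters:", hasShellMeta(hostilePath))
}
```

Run with `go run .`: the `sh -c` form prints two lines because the second `echo` executed as its own command, while the argv form prints the whole path, separator included, as one line. In a code generator the same difference decides whether a crafted path in an input file becomes a command on the build host.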
