[ASA-202102-43] thrift: denial of service
Arch Linux Security Advisory ASA-202102-43
==========================================

Severity: Medium
Date    : 2021-02-27
CVE-ID  : CVE-2020-13949
Package : thrift
Type    : denial of service
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1568

Summary
=======

The package thrift before version 0.14.0-1 is vulnerable to denial of service.

Resolution
==========

Upgrade to 0.14.0-1.

# pacman -Syu "thrift>=0.14.0-1"

The problem has been fixed upstream in version 0.14.0.

Workaround
==========

None.

Description
===========

Applications using Thrift before version 0.14.0 would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.

Impact
======

Malicious clients could send crafted messages crashing the server.

References
==========

https://www.openwall.com/lists/oss-security/2021/02/11/2
https://security.archlinux.org/CVE-2020-13949
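To make the Description concrete, here is an added illustration (not Arch's or the Thrift project's code) of the class of check that closes this bug: before a decoder reserves memory for a container, it compares the declared element count against the bytes actually left in the message. The header layout (1-byte element type, big-endian int32 count) and the per-type minimum wire sizes follow Thrift's binary protocol; the element-count ceiling MAX_CONTAINER_ELEMS and the sample messages are constructed for this example, and the function names are assumptions rather than Thrift API.

```python
import struct

# Thrift TType codes and the minimum bytes each element occupies on the wire
# in TBinaryProtocol (a STRING is at least its 4-byte length prefix, etc.).
MIN_WIRE_BYTES = {
    2: 1,   # BOOL
    3: 1,   # BYTE
    4: 8,   # DOUBLE
    6: 2,   # I16
    8: 4,   # I32
    10: 8,  # I64
    11: 4,  # STRING
    12: 1,  # STRUCT (at least the STOP byte)
    13: 6,  # MAP (key type, value type, i32 size)
    14: 5,  # SET (elem type, i32 size)
    15: 5,  # LIST (elem type, i32 size)
}

# Assumed deployment limit; a real service sets this from its own message sizes.
MAX_CONTAINER_ELEMS = 1_000_000


class ProtocolError(ValueError):
    """Raised for a container header the payload cannot possibly back."""


def read_list_header(buf: bytes, pos: int = 0):
    """Parse a TBinaryProtocol list header: 1-byte elem type + big-endian i32 count."""
    if len(buf) - pos < 5:
        raise ProtocolError("truncated list header")
    elem_type = buf[pos]
    (count,) = struct.unpack_from(">i", buf, pos + 1)
    return elem_type, count, pos + 5


def check_container_size(elem_type: int, count: int, remaining_bytes: int) -> None:
    """The fix-style check: refuse a declared size before any allocation happens."""
    if elem_type not in MIN_WIRE_BYTES:
        raise ProtocolError(f"unknown element type {elem_type}")
    if count < 0:
        raise ProtocolError(f"negative container size {count}")
    if count > MAX_CONTAINER_ELEMS:
        raise ProtocolError(f"container size {count} exceeds limit {MAX_CONTAINER_ELEMS}")
    min_bytes = count * MIN_WIRE_BYTES[elem_type]
    if min_bytes > remaining_bytes:
        raise ProtocolError(
            f"{count} elements need at least {min_bytes} bytes, "
            f"only {remaining_bytes} remain in the message"
        )


def decode_i32_list(buf: bytes) -> list:
    """Decode a list<i32>; the size check runs before the output list is reserved.

    Without check_container_size, `[0] * count` is exactly the oversized
    allocation the advisory describes: a 13-byte message can request gigabytes.
    """
    elem_type, count, pos = read_list_header(buf)
    if elem_type != 8:
        raise ProtocolError(f"expected i32 list, got element type {elem_type}")
    check_container_size(elem_type, count, len(buf) - pos)
    out = [0] * count
    for i in range(count):
        (out[i],) = struct.unpack_from(">i", buf, pos)
        pos += 4
    return out


def rejects(buf: bytes) -> bool:
    """True if the decoder refuses the message instead of allocating for it."""
    try:
        decode_i32_list(buf)
        return False
    except ProtocolError:
        return True


# Constructed samples: both carry the same 8 bytes of payload (two i32 values).
HONEST = b"\x08" + struct.pack(">i", 2) + struct.pack(">ii", 1, 2)
# Declares 1,000,000,000 elements; a trusting decoder would reserve ~4 GB for it.
CRAFTED_HUGE = b"\x08" + struct.pack(">i", 1_000_000_000) + struct.pack(">ii", 1, 2)
# Under the element ceiling, but still more elements than the payload can hold.
CRAFTED_SMALL = b"\x08" + struct.pack(">i", 1000) + struct.pack(">ii", 1, 2)

if __name__ == "__main__":
    print("honest  :", decode_i32_list(HONEST))
    print("huge    :", "rejected" if rejects(CRAFTED_HUGE) else "accepted")
    print("small   :", "rejected" if rejects(CRAFTED_SMALL) else "accepted")
```

The second crafted message matters as much as the first: a bare element-count ceiling would let it through, so the comparison against remaining payload bytes is the check that actually ties the declared size to what the client sent.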
participants (1)
-
Morten Linderud