CVE-2016-5397

Name: CVE-2016-5397
Description: The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older; fixed in Apache Thrift 0.10.0.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package        | Release              | Version   | Status
thrift-compiler (PTS) | jessie               | 0.9.1-2   | vulnerable
thrift-compiler (PTS) | buster, sid, stretch | 0.9.1-2.1 | vulnerable

The information below is based on the following data on fixed versions.

Package         | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
thrift-compiler | source | (unstable) | (unfixed)     |         |        |

Notes

https://issues.apache.org/jira/browse/THRIFT-3893
https://github.com/apache/thrift/commit/2007783e874d524a46b818598a45078448ecc53e
Fixed in 0.10.0 upstream; src:thrift/0.10.0-1 is present in experimental
src:thrift only present in experimental
