DescriptionThe Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs894577

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
thrift (PTS)buster0.11.0-4fixed
bullseye, sid0.13.0-6fixed
thrift-compiler (PTS)stretch0.9.1-2.1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs

Fixed in 0.10.0 upstream, and in experimental src:thrift/0.10.0-1 is present
src:thrift only present in experimental
Go bindings only enabled in 0.9.3-2 (not yet in unstable)
Only ever affected src:thrift in experimental, and fixed in src:thrift/0.10.0-1
so any future upload of thrift to unstable can mark this item as <not-affected>
(fixed before the initial upload to Debian unstable)

Search for package or bug name: Reporting problems