CVE-2018-1320

NameCVE-2018-1320
DescriptionApache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
Debian Bugs918736

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libthrift-java (PTS)buster, sid, jessie, stretch0.9.1-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libthrift-javasource(unstable)(unfixed)918736

Notes

https://issues.apache.org/jira/browse/THRIFT-4506
https://github.com/apache/thrift/commit/d973409661f820d80d72c0034d06a12348c8705e

Search for package or bug name: Reporting problems