* [Buildroot] [git commit branch/next] package/thrift: security bump to version 0.14.1
@ 2021-07-13 20:05 Arnout Vandecappelle
From: Arnout Vandecappelle @ 2021-07-13 20:05 UTC
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=7ecbb956e2c6a6dd42126657e05e86072f3fc140
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/next
Fix CVE-2020-13949: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC
clients could send short messages which would result in a large memory
allocation, potentially leading to denial of service.
- Disable javascript and nodejs which have been added with
https://github.com/apache/thrift/commit/61d502075bf5da10331c201f604acdfefc4d5edc
- Update hash of LICENSE, license for windows-specific files added:
https://github.com/apache/thrift/commit/98854c48744f20b3f551817273ed502835477f09
https://github.com/apache/thrift/blob/v0.14.1/CHANGES.md
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
package/thrift/thrift.hash | 6 +++---
package/thrift/thrift.mk | 4 +++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/package/thrift/thrift.hash b/package/thrift/thrift.hash
index f342dc348d..20d6baeace 100644
--- a/package/thrift/thrift.hash
+++ b/package/thrift/thrift.hash
@@ -1,4 +1,4 @@
-# From https://www.apache.org/dist/thrift/0.13.0/thrift-0.13.0.tar.gz.sha256
-sha256 7ad348b88033af46ce49148097afe354d513c1fca7c607b59c33ebb6064b5179 thrift-0.13.0.tar.gz
+# From https://www.apache.org/dist/thrift/0.14.1/thrift-0.14.1.tar.gz.sha256
+sha256 13da5e1cd9c8a3bb89778c0337cc57eb0c29b08f3090b41cf6ab78594b410ca5 thrift-0.14.1.tar.gz
# License files, locally calculated
-sha256 23df881cec3192d1f4474633c14eb2ec30a45b84f8daeb82b9de5d2bd3ac8218 LICENSE
+sha256 d315e6cdedc07c478de6992027bfb66f220886c6216fd7e9885ced30c3703646 LICENSE
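Review bot: The new tarball hash on the `thrift-0.14.1.tar.gz` line is taken only from the upstream `.sha256` file, which is published at the same distribution location as the tarball itself. That protects against download corruption and against the archive changing after the bump, but not against a tampered release at the time the hash was copied. Please state in the commit message or in the comment line whether the tarball was also checked against the release's PGP signature (Apache releases publish a `.asc` next to the tarball). The LICENSE hash change is explained in the commit message, which is what a reviewer needs for that line.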
diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk
index 544eb97323..c36efce2ed 100644
--- a/package/thrift/thrift.mk
+++ b/package/thrift/thrift.mk
@@ -4,7 +4,7 @@
#
################################################################################
-THRIFT_VERSION = 0.13.0
+THRIFT_VERSION = 0.14.1
THRIFT_SITE = http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION)
THRIFT_LICENSE = Apache-2.0
THRIFT_LICENSE_FILES = LICENSE
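Review bot: The unchanged line `THRIFT_SITE = http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION)` directly below the version bump still downloads over plain HTTP, while the comment in thrift.hash points at `https://www.apache.org/dist/thrift/...`. The sha256 check will reject a modified tarball, but since this change already touches the adjacent line for a security fix, consider switching THRIFT_SITE to an https URL in the same commit so the download and the hash reference use the same transport.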
@@ -18,8 +18,10 @@ HOST_THRIFT_DEPENDENCIES = host-bison host-boost \
THRIFT_COMMON_CONF_OPTS = -DBUILD_TUTORIALS=OFF \
-DBUILD_TESTING=OFF \
+ -DWITH_NODEJS=OFF \
-DWITH_PYTHON=OFF \
-DWITH_JAVA=OFF \
+ -DWITH_JAVASCRIPT=OFF \
-DWITH_QT5=OFF
THRIFT_CONF_OPTS = $(THRIFT_COMMON_CONF_OPTS) -DBUILD_COMPILER=OFF
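Review bot: `-DWITH_NODEJS=OFF` and `-DWITH_JAVASCRIPT=OFF` extend an explicit opt-out list in THRIFT_COMMON_CONF_OPTS, and the commit message says both options only appeared with a recent upstream commit. With this pattern, any further language binding that upstream adds stays unhandled until someone notices it during a later bump. A one-line comment above the list saying that every unused binding has to be disabled explicitly would make the next version bump easier to review. Putting the two options in the common list, so they apply to both the host and target builds, looks right.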