* [Buildroot] [PATCH v2, 1/2] package/thrift: drop unrecognized option
@ 2021-06-13  9:13 Fabrice Fontaine
  2021-06-13  9:13 ` [Buildroot] [PATCH v2, 2/2] package/thrift: security bump to version 0.14.1 Fabrice Fontaine
  2021-07-13 20:06 ` [Buildroot] [PATCH v2, 1/2] package/thrift: drop unrecognized option Arnout Vandecappelle
  0 siblings, 2 replies; 4+ messages in thread
From: Fabrice Fontaine @ 2021-06-13  9:13 UTC (permalink / raw)
  To: buildroot

WITH_QT4 has been dropped since version 0.13.0 and
https://github.com/apache/thrift/commit/17355425429274e7971fff39d7e45279cdf550fa

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
Changes v1 -> v2:
 - Add security bump

 package/thrift/thrift.mk | 1 -
 1 file changed, 1 deletion(-)

diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk
index 0f2a8eb071..544eb97323 100644
--- a/package/thrift/thrift.mk
+++ b/package/thrift/thrift.mk
@@ -20,7 +20,6 @@ THRIFT_COMMON_CONF_OPTS = -DBUILD_TUTORIALS=OFF \
 	-DBUILD_TESTING=OFF \
 	-DWITH_PYTHON=OFF \
 	-DWITH_JAVA=OFF \
-	-DWITH_QT4=OFF \
 	-DWITH_QT5=OFF
 
 THRIFT_CONF_OPTS = $(THRIFT_COMMON_CONF_OPTS) -DBUILD_COMPILER=OFF
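
Review bot: the commit message sentence stops at "since version 0.13.0 and <URL>" without saying what the linked commit is; since the subject calls the option "unrecognized", the log should state that the linked upstream commit is the one that removed WITH_QT4, so it stands on its own. The removal itself is clean: `-DWITH_QT5=OFF` stays as the last entry with no trailing backslash, so the continuation of THRIFT_COMMON_CONF_OPTS is intact.
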
-- 
2.30.2


* [Buildroot] [PATCH v2, 2/2] package/thrift: security bump to version 0.14.1
  2021-06-13  9:13 [Buildroot] [PATCH v2, 1/2] package/thrift: drop unrecognized option Fabrice Fontaine
@ 2021-06-13  9:13 ` Fabrice Fontaine
  2021-07-15  6:49   ` Peter Korsgaard
  2021-07-13 20:06 ` [Buildroot] [PATCH v2, 1/2] package/thrift: drop unrecognized option Arnout Vandecappelle
  1 sibling, 1 reply; 4+ messages in thread
From: Fabrice Fontaine @ 2021-06-13  9:13 UTC (permalink / raw)
  To: buildroot

Fix CVE-2020-13949: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC
clients could send short messages which would result in a large memory
allocation, potentially leading to denial of service.

- Disable javascript and nodejs which have been added with
  https://github.com/apache/thrift/commit/61d502075bf5da10331c201f604acdfefc4d5edc
- Update hash of LICENSE, license for windows-specific files added:
  https://github.com/apache/thrift/commit/98854c48744f20b3f551817273ed502835477f09

https://github.com/apache/thrift/blob/v0.14.1/CHANGES.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/thrift/thrift.hash | 6 +++---
 package/thrift/thrift.mk   | 4 +++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/package/thrift/thrift.hash b/package/thrift/thrift.hash
index f342dc348d..20d6baeace 100644
--- a/package/thrift/thrift.hash
+++ b/package/thrift/thrift.hash
@@ -1,4 +1,4 @@
-# From https://www.apache.org/dist/thrift/0.13.0/thrift-0.13.0.tar.gz.sha256
-sha256  7ad348b88033af46ce49148097afe354d513c1fca7c607b59c33ebb6064b5179  thrift-0.13.0.tar.gz
+# From https://www.apache.org/dist/thrift/0.14.1/thrift-0.14.1.tar.gz.sha256
+sha256  13da5e1cd9c8a3bb89778c0337cc57eb0c29b08f3090b41cf6ab78594b410ca5  thrift-0.14.1.tar.gz
 # License files, locally calculated
-sha256  23df881cec3192d1f4474633c14eb2ec30a45b84f8daeb82b9de5d2bd3ac8218  LICENSE
+sha256  d315e6cdedc07c478de6992027bfb66f220886c6216fd7e9885ced30c3703646  LICENSE
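
Review bot: the LICENSE hash changes here because, per the commit message, upstream added license text for windows-specific files, yet THRIFT_LICENSE in thrift.mk stays `Apache-2.0`; please confirm in the log whether the added text introduces a license that needs listing, or say that it does not apply to what Buildroot builds. The tarball hash comment correctly follows the version to the 0.14.1 `.sha256` URL.
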
diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk
index 544eb97323..c36efce2ed 100644
--- a/package/thrift/thrift.mk
+++ b/package/thrift/thrift.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-THRIFT_VERSION = 0.13.0
+THRIFT_VERSION = 0.14.1
 THRIFT_SITE = http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION)
 THRIFT_LICENSE = Apache-2.0
 THRIFT_LICENSE_FILES = LICENSE
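
Review bot: THRIFT_SITE in the context of this hunk still fetches over plain `http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION)` while the hash comment in thrift.hash points to `https://www.apache.org/dist/thrift/...`; the sha256 entry pins the download, but a security bump is a good moment to switch the site to https and to the same host the hash was taken from. The version change itself matches the commit message, which gives the affected range for CVE-2020-13949 as 0.9.3 to 0.13.0.
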
@@ -18,8 +18,10 @@ HOST_THRIFT_DEPENDENCIES = host-bison host-boost \
 
 THRIFT_COMMON_CONF_OPTS = -DBUILD_TUTORIALS=OFF \
 	-DBUILD_TESTING=OFF \
+	-DWITH_NODEJS=OFF \
 	-DWITH_PYTHON=OFF \
 	-DWITH_JAVA=OFF \
+	-DWITH_JAVASCRIPT=OFF \
 	-DWITH_QT5=OFF
 
 THRIFT_CONF_OPTS = $(THRIFT_COMMON_CONF_OPTS) -DBUILD_COMPILER=OFF
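
Review bot: the two new options land at different places in the list (`-DWITH_NODEJS=OFF` before WITH_PYTHON, `-DWITH_JAVASCRIPT=OFF` after WITH_JAVA), which keeps neither alphabetical order nor the two JavaScript-related switches together; placing them on adjacent lines would make later bumps easier to review. Putting them in THRIFT_COMMON_CONF_OPTS rather than in THRIFT_CONF_OPTS is the right choice, since THRIFT_CONF_OPTS expands the common list and so inherits both switches.
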
-- 
2.30.2


* [Buildroot] [PATCH v2, 1/2] package/thrift: drop unrecognized option
  2021-06-13  9:13 [Buildroot] [PATCH v2, 1/2] package/thrift: drop unrecognized option Fabrice Fontaine
  2021-06-13  9:13 ` [Buildroot] [PATCH v2, 2/2] package/thrift: security bump to version 0.14.1 Fabrice Fontaine
@ 2021-07-13 20:06 ` Arnout Vandecappelle
  1 sibling, 0 replies; 4+ messages in thread
From: Arnout Vandecappelle @ 2021-07-13 20:06 UTC (permalink / raw)
  To: buildroot



On 13/06/2021 11:13, Fabrice Fontaine wrote:
> WITH_QT4 has been dropped since version 0.13.0 and
> https://github.com/apache/thrift/commit/17355425429274e7971fff39d7e45279cdf550fa
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

 Both applied to master, thanks

 Regards,
 Arnout

> ---
> Changes v1 -> v2:
>  - Add security bump
> 
>  package/thrift/thrift.mk | 1 -
>  1 file changed, 1 deletion(-)
> 
> diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk
> index 0f2a8eb071..544eb97323 100644
> --- a/package/thrift/thrift.mk
> +++ b/package/thrift/thrift.mk
> @@ -20,7 +20,6 @@ THRIFT_COMMON_CONF_OPTS = -DBUILD_TUTORIALS=OFF \
>  	-DBUILD_TESTING=OFF \
>  	-DWITH_PYTHON=OFF \
>  	-DWITH_JAVA=OFF \
> -	-DWITH_QT4=OFF \
>  	-DWITH_QT5=OFF
>  
>  THRIFT_CONF_OPTS = $(THRIFT_COMMON_CONF_OPTS) -DBUILD_COMPILER=OFF
> 
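
Review bot: this removal is a prerequisite for the security bump in 2/2, not only a cleanup: the thrift.mk hunks of 2/2 are generated against index 544eb97323, the result of this patch, and the context of its second hunk runs from `-DWITH_JAVA=OFF` straight to `-DWITH_QT5=OFF` with no WITH_QT4 line. When the bump is picked to a maintenance branch, this patch needs to go along with it or that hunk will have to be rebased.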


* [Buildroot] [PATCH v2, 2/2] package/thrift: security bump to version 0.14.1
  2021-06-13  9:13 ` [Buildroot] [PATCH v2, 2/2] package/thrift: security bump to version 0.14.1 Fabrice Fontaine
@ 2021-07-15  6:49   ` Peter Korsgaard
  0 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2021-07-15  6:49 UTC (permalink / raw)
  To: buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > Fix CVE-2020-13949: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC
 > clients could send short messages which would result in a large memory
 > allocation, potentially leading to denial of service.

 > - Disable javascript and nodejs which have been added with
 >   https://github.com/apache/thrift/commit/61d502075bf5da10331c201f604acdfefc4d5edc
 > - Update hash of LICENSE, license for windows-specific files added:
 >   https://github.com/apache/thrift/commit/98854c48744f20b3f551817273ed502835477f09

 > https://github.com/apache/thrift/blob/v0.14.1/CHANGES.md

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2021.02.x and 2021.05.x, thanks.

-- 
Bye, Peter Korsgaard
