Hello Armin,

Take a look at the CVE-2020-13949 (https://issues.apache.org/jira/browse/THRIFT-5237). Backporting just those patches is probably a no-go; that's the reason why I chose the upgrade option.

Regards,
Andrej

> On 8/10/21 6:55 AM, Andrej Valek wrote:
>> Upgrade thrift to version 0.14.2 due to remote security
>> vulnerability.
> No specific security issues are mentioned in the other patches. This is a big jump and, from what I can decode from their release notes, they deprecate many things between these two versions.
>
> Unless I can be convinced otherwise, this update is deemed outside the acceptable norms for a stable release.
>
> I think backporting the specific security issues may be more appropriate.
>
> thanks,
> Armin
>
>> Andrej Valek (2):
>>   thrift: drop unsupported features
>>   thrift: upgrade to 0.14.2
>>
>>  ...llationPaths.cmake-Define-libdir-in-terms.patch | 8 +++----
>>  .../thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} | 26 ++++++++++------------
>>  2 files changed, 16 insertions(+), 18 deletions(-)
>>  rename meta-oe/recipes-connectivity/thrift/{thrift_0.13.0.bb => thrift_0.14.2.bb} (72%)