xitongsys / parquet-go

pure golang library for reading/writing parquet file
Apache License 2.0
1.27k stars, 293 forks

Update the apache thrift to latest version to resolve CVE-2020-13949 #389

Closed asghar3 closed 3 years ago

asghar3 commented 3 years ago

There is a known vulnerability in the apache thrift package from version v0.9.3 to v0.13.0:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13949
https://nvd.nist.gov/vuln/detail/CVE-2020-13949

I see github.com/apache/thrift v0.13.1-0.20201008052519-daf620915714 is being used which is not a public stable release at https://github.com/apache/thrift/releases

We get an error when we update apache/thrift to the latest version at our end:

github.com/xitongsys/parquet-go/parquet
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:631:37: not enough arguments in call to iprot.ReadStructBegin
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:637:57: not enough arguments in call to iprot.ReadFieldBegin
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:649:29: not enough arguments in call to iprot.Skip
    have (thrift.TType)
    want (context.Context, thrift.TType)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:708:33: not enough arguments in call to iprot.ReadFieldEnd
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:712:32: not enough arguments in call to iprot.ReadStructEnd
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:719:32: not enough arguments in call to iprot.ReadBinary
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:728:32: not enough arguments in call to iprot.ReadBinary
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:737:29: not enough arguments in call to iprot.ReadI64
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:746:29: not enough arguments in call to iprot.ReadI64
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:755:32: not enough arguments in call to iprot.ReadBinary
    have ()
    want (context.Context)
/home/builduser/go/pkg/mod/github.com/xitongsys/parquet-go@v1.5.1/parquet/parquet.go:755:32: too many errors

Update the apache thrift to the latest version (at this time v0.14.1)
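A dependency check for the situation reported above, as an added example that is not part of the issue or of parquet-go: it reads the apache/thrift requirement out of go.mod text and compares it with the v0.9.3 to v0.13.0 range quoted in the report. The function names and status strings are hypothetical; a pseudo-version like the one quoted pins a commit rather than a release, so it is reported separately for manual review instead of being compared by number.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Go pseudo-versions end in a 14-digit timestamp and a 12-hex-digit commit prefix.
var pseudoRe = regexp.MustCompile(`\d{14}-[0-9a-f]{12}$`)

// ThriftRequirement returns the apache/thrift version required in go.mod text.
// Replace directives are not resolved (a simplification of this example).
func ThriftRequirement(goMod string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(sc.Text()), "require "))
		if len(f) >= 2 && f[0] == "github.com/apache/thrift" {
			return f[1], true
		}
	}
	return "", false
}

// ClassifyThrift compares a version with the range stated in the issue
// (v0.9.3 to v0.13.0). Pre-release tags are judged by their base version.
func ClassifyThrift(version string) string {
	var maj, min, pat int
	if n, _ := fmt.Sscanf(version, "v%d.%d.%d", &maj, &min, &pat); n != 3 {
		return "unparseable"
	}
	if pseudoRe.MatchString(version) {
		return "unreleased-snapshot" // commit pin: inspect the commit by hand
	}
	// Assumes each version component is below 1000.
	if key := maj*1000000 + min*1000 + pat; key >= 9003 && key <= 13000 {
		return "affected"
	}
	return "outside-range"
}

func main() {
	// Constructed go.mod line using the version quoted in the issue.
	v, _ := ThriftRequirement("require github.com/apache/thrift v0.13.1-0.20201008052519-daf620915714")
	fmt.Println(v, ClassifyThrift(v))
}
```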

asghar3 commented 3 years ago

Any update on this issue?

xitongsys commented 3 years ago

updated.