[Buildroot] [git commit branch/next] package/thrift: security bump to version 0.14.1

Arnout Vandecappelle (Essensium/Mind) arnout at mind.be
Tue Aug 3 21:15:35 UTC 2021


commit: https://git.buildroot.net/buildroot/commit/?id=7ecbb956e2c6a6dd42126657e05e86072f3fc140
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/next

Fix CVE-2020-13949: In Apache Thrift 0.9.3 to 0.13.0, malicious RPC
clients could send short messages which would result in a large memory
allocation, potentially leading to denial of service.

- Disable javascript and nodejs which have been added with
  https://github.com/apache/thrift/commit/61d502075bf5da10331c201f604acdfefc4d5edc
- Update hash of LICENSE, license for windows-specific files added:
  https://github.com/apache/thrift/commit/98854c48744f20b3f551817273ed502835477f09

https://github.com/apache/thrift/blob/v0.14.1/CHANGES.md

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout at mind.be>
---
 package/thrift/thrift.hash | 6 +++---
 package/thrift/thrift.mk   | 4 +++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/package/thrift/thrift.hash b/package/thrift/thrift.hash
index f342dc348d..20d6baeace 100644
--- a/package/thrift/thrift.hash
+++ b/package/thrift/thrift.hash
@@ -1,4 +1,4 @@
-# From https://www.apache.org/dist/thrift/0.13.0/thrift-0.13.0.tar.gz.sha256
-sha256  7ad348b88033af46ce49148097afe354d513c1fca7c607b59c33ebb6064b5179  thrift-0.13.0.tar.gz
+# From https://www.apache.org/dist/thrift/0.14.1/thrift-0.14.1.tar.gz.sha256
+sha256  13da5e1cd9c8a3bb89778c0337cc57eb0c29b08f3090b41cf6ab78594b410ca5  thrift-0.14.1.tar.gz
 # License files, locally calculated
-sha256  23df881cec3192d1f4474633c14eb2ec30a45b84f8daeb82b9de5d2bd3ac8218  LICENSE
+sha256  d315e6cdedc07c478de6992027bfb66f220886c6216fd7e9885ced30c3703646  LICENSE
diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk
index 544eb97323..c36efce2ed 100644
--- a/package/thrift/thrift.mk
+++ b/package/thrift/thrift.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-THRIFT_VERSION = 0.13.0
+THRIFT_VERSION = 0.14.1
 THRIFT_SITE = http://www.us.apache.org/dist/thrift/$(THRIFT_VERSION)
 THRIFT_LICENSE = Apache-2.0
 THRIFT_LICENSE_FILES = LICENSE
@@ -18,8 +18,10 @@ HOST_THRIFT_DEPENDENCIES = host-bison host-boost \
 
 THRIFT_COMMON_CONF_OPTS = -DBUILD_TUTORIALS=OFF \
 	-DBUILD_TESTING=OFF \
+	-DWITH_NODEJS=OFF \
 	-DWITH_PYTHON=OFF \
 	-DWITH_JAVA=OFF \
+	-DWITH_JAVASCRIPT=OFF \
 	-DWITH_QT5=OFF
 
 THRIFT_CONF_OPTS = $(THRIFT_COMMON_CONF_OPTS) -DBUILD_COMPILER=OFF
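Review bot: The added `-DWITH_NODEJS=OFF` and `-DWITH_JAVASCRIPT=OFF` entries in `THRIFT_COMMON_CONF_OPTS` have no in-file explanation; the reason (upstream introduced these options between 0.13.0 and 0.14.1) is recorded only in the commit message. A short comment above the assignment would help the next bump, for example `# Language bindings not packaged here are disabled explicitly rather than left to upstream's defaults`. The list is reused through `$(THRIFT_COMMON_CONF_OPTS)` in `THRIFT_CONF_OPTS`, and presumably in the host variant outside this hunk, so an unpinned new `WITH_*` option would affect every build that shares it. It is worth comparing the list against upstream's CHANGES.md at each version bump so that newly added bindings are pinned as well.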

