[Buildroot] [git commit branch/2026.02.x] package/thrift: security bump version to 0.23.0

Thomas Perale thomas.perale at mind.be
Wed May 13 11:57:47 UTC 2026


commit: https://gitlab.com/buildroot.org/buildroot/-/commit/bef8aefcde882ca234f202ce7f76f12fdb6ef0e4
branch: https://gitlab.com/buildroot.org/buildroot/-/tree/2026.02.x

https://github.com/apache/thrift/blob/v0.23.0/CHANGES.md

Fixes the following CVEs:

CVE-2026-41636: https://seclists.org/oss-sec/2026/q2/236
CVE-2026-41607: https://seclists.org/oss-sec/2026/q2/237
CVE-2026-41606: https://seclists.org/oss-sec/2026/q2/238
CVE-2026-41605: https://seclists.org/oss-sec/2026/q2/239
CVE-2026-41604: https://seclists.org/oss-sec/2026/q2/240
CVE-2026-41602: https://seclists.org/oss-sec/2026/q2/241
CVE-2026-41603: https://seclists.org/oss-sec/2026/q2/242
CVE-2025-48431: https://seclists.org/oss-sec/2026/q2/243

This commit also adds "Public Domain" in THRIFT_LICENSE, after
upstream commit [1] added a new sha256 implementation with that
license. The LICENSE file hash is also updated accordingly.

[1] https://github.com/apache/thrift/commit/1e5fa4b9b35ad6bfeb238d19897ace7826eda057

Signed-off-by: Bernd Kuhls <bernd at kuhls.net>
Signed-off-by: Julien Olivain <ju.o at free.fr>
(cherry picked from commit 6935bc74121967ab6a01950d55c3bb9a14f0f833)
Signed-off-by: Thomas Perale <thomas.perale at mind.be>
---
 package/thrift/thrift.hash | 6 +++---
 package/thrift/thrift.mk   | 4 ++--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/thrift/thrift.hash b/package/thrift/thrift.hash
index a517900c82..406c65fd25 100644
--- a/package/thrift/thrift.hash
+++ b/package/thrift/thrift.hash
@@ -1,4 +1,4 @@
-# From https://downloads.apache.org/thrift/0.22.0/thrift-0.22.0.tar.gz.sha256
-sha256  794a0e455787960d9f27ab92c38e34da27e8deeda7a5db0e59dc64a00df8a1e5  thrift-0.22.0.tar.gz
+# From https://downloads.apache.org/thrift/0.23.0/thrift-0.23.0.tar.gz.sha256
+sha256  1859d932d2ae1f13d16c5a196931208c116310a5ff50f2bfd11d3db03be8f46f  thrift-0.23.0.tar.gz
 # License files, locally calculated
-sha256  d315e6cdedc07c478de6992027bfb66f220886c6216fd7e9885ced30c3703646  LICENSE
+sha256  89aa7b27868669299bd8a6c53b72ec4beadce42dad6c8336797cc26e1e8df98d  LICENSE
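Review bot: The tarball hash on the `thrift-0.23.0.tar.gz` line comes from a `.sha256` file served from the same location as the tarball itself (downloads.apache.org/thrift/0.23.0/). It therefore catches a corrupted download but not a modified release directory. For a security bump it is worth checking upstream's detached release signature as well and recording that in the `# From` comment. The LICENSE hash is marked "locally calculated" and the reason it changed is given only in the commit message, which is sufficient here.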
diff --git a/package/thrift/thrift.mk b/package/thrift/thrift.mk
index 177b75903b..34f4671239 100644
--- a/package/thrift/thrift.mk
+++ b/package/thrift/thrift.mk
@@ -4,9 +4,9 @@
 #
 ################################################################################
 
-THRIFT_VERSION = 0.22.0
+THRIFT_VERSION = 0.23.0
 THRIFT_SITE = https://downloads.apache.org/thrift/$(THRIFT_VERSION)
-THRIFT_LICENSE = Apache-2.0
+THRIFT_LICENSE = Apache-2.0, Public Domain (sha256.h)
 THRIFT_LICENSE_FILES = LICENSE
 THRIFT_CPE_ID_VENDOR = apache
 
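Review bot: On the `THRIFT_LICENSE` line, the new "Public Domain (sha256.h)" component comes with no change to `THRIFT_LICENSE_FILES`, which still lists only `LICENSE`. The commit message ties the LICENSE hash change to the upstream sha256 commit, so the public-domain notice is presumably in that file. If it is not, the file carrying the notice should be added to `THRIFT_LICENSE_FILES` with its own hash. Giving the path of `sha256.h` in the source tree rather than the bare file name would also make the annotation easier to audit.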

