ArchLinux: 202102-43: thrift: denial of service
Summary
Applications using Thrift before version 0.14.0 would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious RPC clients could send short messages which would result in a large memory allocation, potentially leading to denial of service.
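The following is an added illustration, not Thrift's own code and not part of this advisory: a minimal reader for a Thrift binary-protocol list header that shows the class of check missing before 0.14.0. The type ids (I32 = 8, I64 = 10) are Thrift's real values; the function names, the minimum-element-size table and the sample messages are constructed for this example.

```python
import struct

# Thrift binary-protocol type ids (Thrift's own values).
T_I32 = 8
T_I64 = 10

# Smallest possible encoded size of one element of each type. Used to bound
# how many elements the remaining payload could possibly contain.
MIN_ELEMENT_SIZE = {T_I32: 4, T_I64: 8}


class ProtocolError(Exception):
    pass


def read_list_header_unchecked(buf, pos):
    """Pre-fix behaviour: return the declared size without validation.

    A caller that pre-allocates `size` slots from this value is the
    memory-exhaustion problem the advisory describes.
    """
    etype = buf[pos]
    (size,) = struct.unpack_from(">i", buf, pos + 1)
    return etype, size, pos + 5


def read_list_checked(buf, pos):
    """Hardened reader: reject any declared size the payload cannot back."""
    if len(buf) - pos < 5:
        raise ProtocolError("truncated list header")
    etype = buf[pos]
    (size,) = struct.unpack_from(">i", buf, pos + 1)
    pos += 5
    if size < 0:
        raise ProtocolError("negative container size")
    elem_size = MIN_ELEMENT_SIZE.get(etype)
    if elem_size is None:
        raise ProtocolError(f"unsupported element type {etype}")
    remaining = len(buf) - pos
    # The decisive check: declared elements must fit in the bytes we have.
    if size * elem_size > remaining:
        raise ProtocolError(f"declared {size} elements need >= "
                            f"{size * elem_size} bytes, {remaining} remain")
    fmt = ">" + ("i" if etype == T_I32 else "q") * size
    values = list(struct.unpack_from(fmt, buf, pos))
    return values, pos + size * elem_size


# Constructed sample messages (not captured traffic).
GOOD = bytes([T_I32]) + struct.pack(">i", 2) + struct.pack(">ii", 7, 9)
# Declares 2**30 i32 elements but carries only 8 bytes of payload.
BAD = bytes([T_I32]) + struct.pack(">i", 1 << 30) + struct.pack(">ii", 7, 9)
NEG = bytes([T_I32]) + struct.pack(">i", -1)
```

The unchecked reader happily reports a size of 2**30 for `BAD`; the checked reader refuses it before any allocation happens.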
Resolution
Upgrade to 0.14.0-1.
# pacman -Syu "thrift>=0.14.0-1"
The problem has been fixed upstream in version 0.14.0.
References
https://www.openwall.com/lists/oss-security/2021/02/11/2
https://security.archlinux.org/CVE-2020-13949
Workaround
None.