java-spring-cloud

Update jaeger-client dependency due to CVE-2020-13949

Open lathspell opened this issue 3 years ago • 4 comments

You have an indirect dependency on libthrift:0.13.0 which has a security problem according to CVE-2020-13949. Please update to opentracing-spring-jaeger-starter:3.3.3!

{noformat}
+--- io.opentracing.contrib:opentracing-spring-jaeger-cloud-starter:3.3.1
|    +--- io.opentracing.contrib:opentracing-spring-jaeger-starter:3.3.1
|    |    \--- io.jaegertracing:jaeger-client:1.3.2
|    |         +--- io.jaegertracing:jaeger-thrift:1.3.2
|    |         |    +--- org.apache.thrift:libthrift:0.13.0
...
{noformat}

see also

  • https://github.com/opentracing-contrib/java-spring-jaeger/issues/121 and
  • https://github.com/jaegertracing/jaeger-client-java/pull/768

lathspell, Sep 02 '21 06:09
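As an added example (not code from this issue, and not from the java-spring-cloud or opentracing-contrib projects): a Gradle build fragment that forces the transitive libthrift above the range affected by CVE-2020-13949 while waiting for the starter to ship a fixed jaeger-client, and fails the build if a vulnerable version is still resolved. It assumes the Groovy DSL, a Spring Boot application with the usual runtimeClasspath configuration, and the starter version shown in the dependency tree above; the task name checkLibthrift, the version-comparison helper and the 0.14.0 floor are my own choices.

```groovy
// build.gradle (Groovy DSL). Added example, not the project's own build script.
// Assumes a Spring Boot application that pulls in libthrift 0.13.0 transitively via
// opentracing-spring-jaeger-cloud-starter 3.3.1, exactly as in the tree posted above.

dependencies {
    implementation 'io.opentracing.contrib:opentracing-spring-jaeger-cloud-starter:3.3.1'

    // Stopgap until the starter depends on a fixed jaeger-client: constrain the
    // transitive libthrift. CVE-2020-13949 covers libthrift 0.9.3 through 0.13.0
    // (short RPC messages trigger a large allocation); 0.14.0 is the first fixed
    // release. 'require' sets a floor, so a newer version chosen elsewhere still wins.
    constraints {
        implementation('org.apache.thrift:libthrift') {
            version { require '0.14.0' }   // floor chosen for this example; newer is fine
            because 'CVE-2020-13949: denial of service via large allocation before libthrift 0.14.0'
        }
    }
}

// Compare dotted numeric versions (e.g. "0.13.0" < "0.14.0" < "0.16.0").
// Non-numeric segments count as 0, which is good enough for libthrift's release scheme.
static int compareVersions(String a, String b) {
    def pa = a.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def pb = b.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def n = Math.max(pa.size(), pb.size())
    for (int i = 0; i < n; i++) {
        int x = i < pa.size() ? pa[i] : 0
        int y = i < pb.size() ? pb[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Guard: inspect what actually got resolved onto the runtime classpath, not what was
// declared, and fail the build if any libthrift artifact is still in the affected range.
tasks.register('checkLibthrift') {
    group = 'verification'
    description = 'Fails the build if a libthrift version affected by CVE-2020-13949 is resolved.'
    doLast {
        def vulnerable = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.thrift' && it.name == 'libthrift' }
            .findAll { compareVersions(it.version, '0.14.0') < 0 }
        if (!vulnerable.isEmpty()) {
            throw new GradleException("Vulnerable libthrift on runtime classpath: ${vulnerable}")
        }
    }
}
check.dependsOn 'checkLibthrift'
```

The constraint only changes which libthrift jar is on the classpath; jaeger-thrift 1.3.2 was compiled against 0.13.0, so run the application's tracing integration tests after applying it to confirm the newer libthrift is binary-compatible. `./gradlew dependencyInsight --configuration runtimeClasspath --dependency libthrift` shows which rule selected the final version.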

ping

lathspell, Oct 27 '21 07:10

ping

lathspell, Jan 10 '22 16:01

Any update on this? 0.16.0 of libthrift is out; when can we expect an update?

barbetb, Sep 12 '22 09:09

Migrating according to https://opentelemetry.io/docs/migration/opentracing/ is the way to go but it's sad that the old libraries are left with security issues.

lathspell, Sep 13 '22 23:09