Apache Thrift has a Memory Allocation with Excessive Size Value Vulnerability

[houseme]

Memory Allocation with Excessive Size Value vulnerability in Apache Thrift.

This issue affects Apache Thrift: before 0.23.0.

Users are recommended to upgrade to version 0.23.0, which fixes the issue.

Are there any plans for updates? Thank you!

@dependabot

[jhorstmann]

The Apache Thrift dependency and its generated code are no longer used inside arrow-rs and are deprecated, see #8615. As far as I know the plan is to remove them for the 59.0 release (#9110).

Apache Thrift Rust was also unmaintained for a bit (THRIFT-5917), and at the moment there does not seem to be a newer release.

[houseme]

A new version was released 2 weeks ago. https://github.com/apache/thrift/releases/tag/v0.23.0

[jhorstmann]

I did not see that published on crates.io, the last version there is 0.17.0.

[houseme]

Thanks, and I look forward to the arrow-rs crate being decoupled from the Thrift crate soon.