Bump Apache parent POM from 37 to 38. Update Apache Thrift from 0.22.0 to 0.23.0.#3906
Conversation
When will there be a release with this fix? We would like to patch CVE-2026-41604 and CVE-2026-41636 in our system.
How do you use Jena? Library or Fuseki? Jena only uses Thrift for encode/decode in a binary RDF format, not the inter-machine communication part. Apache Thrift has several implementations for different language ecosystems. There was a batch of Thrift security announcements in April: CVE-2026-41603 is Java related. This seems to relate to the Swift language form of Thrift. Jena binary releases do not include this code. Jena does not ship the Apache Thrift JS code.
We use Fuseki @seitenbau-govdata. Do you think the CVEs do not apply to Jena and therefore Fuseki?
I can't give you a formal response. Use of Fuseki is under the terms of the license. All open source licenses have similar provisions; otherwise, open source would not exist. It is up to Seitenbau to verify and endorse that the software is fit for purpose as part of any contract with a customer. The two CVEs you point out are not Java related as far as I can determine - that's no more than a personal opinion. There should not be any code related to them in Fuseki. That can be checked by looking inside the Fuseki jar file. @seitenbau-govdata does not have anything publicly visible in it.
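One way to carry out the check the comment above describes (looking inside the Fuseki jar to see what Thrift material it actually bundles), as an added example that is not from the Jena project or from anyone in this thread. It counts Thrift Java classes under `org/apache/thrift/`, reads the libthrift version from the Maven `pom.properties` entry (its presence in the shaded Fuseki jar is an assumption), and lists any JavaScript files whose path mentions Thrift, which is what the separate Thrift JS implementation would look like if it were shipped. The sample jar it builds is constructed here with empty class entries so the script runs offline; point `inspect_jar` at a real Fuseki server jar to check a release.

```python
import sys
import tempfile
import zipfile
from pathlib import Path

# Entry names that identify bundled Apache Thrift code. The pom.properties
# path is the standard layout Maven writes into jars; that it survives into
# the Fuseki server jar is an assumption of this example.
THRIFT_CLASS_PREFIX = "org/apache/thrift/"
LIBTHRIFT_POM_PROPS = "META-INF/maven/org.apache.thrift/libthrift/pom.properties"


def parse_properties(text):
    """Minimal parser for Java .properties content (key=value, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def inspect_jar(jar_path):
    """Summarise the Thrift material found in a jar.

    Returns the number of Thrift Java classes, the libthrift version recorded
    by Maven (None if the pom.properties entry is absent) and any .js entries
    whose path mentions thrift (the JS runtime would appear as .js, not .class).
    """
    result = {"thrift_class_count": 0, "libthrift_version": None, "thrift_js_files": []}
    with zipfile.ZipFile(jar_path) as jar:
        names = jar.namelist()
        for name in names:
            if name.startswith(THRIFT_CLASS_PREFIX) and name.endswith(".class"):
                result["thrift_class_count"] += 1
            elif name.endswith(".js") and "thrift" in name.lower():
                result["thrift_js_files"].append(name)
        if LIBTHRIFT_POM_PROPS in names:
            props = parse_properties(jar.read(LIBTHRIFT_POM_PROPS).decode("utf-8"))
            result["libthrift_version"] = props.get("version")
    return result


def build_sample_jar(jar_path, thrift_version="0.22.0"):
    """Write a constructed, minimal jar shaped like a shaded server jar.

    Class bodies are empty placeholders; only the entry names matter here.
    """
    with zipfile.ZipFile(jar_path, "w") as jar:
        # Jena's own binary RDF encode/decode code (constructed entry name)
        jar.writestr("org/apache/jena/riot/thrift/BinRDF.class", b"")
        # The Thrift Java runtime classes that Jena's binary RDF format needs
        jar.writestr("org/apache/thrift/TBase.class", b"")
        jar.writestr("org/apache/thrift/protocol/TCompactProtocol.class", b"")
        jar.writestr(
            LIBTHRIFT_POM_PROPS,
            f"groupId=org.apache.thrift\nartifactId=libthrift\nversion={thrift_version}\n",
        )
    return jar_path


def demo(thrift_version="0.22.0"):
    """Build the constructed jar in a temporary directory and inspect it."""
    jar = build_sample_jar(Path(tempfile.mkdtemp()) / "sample.jar", thrift_version)
    return inspect_jar(jar)


if __name__ == "__main__":
    # Usage: python inspect_thrift.py /path/to/fuseki-server.jar
    # With no argument the constructed sample jar is inspected instead.
    print(inspect_jar(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

A report with `libthrift_version` of 0.23.0 or later and an empty `thrift_js_files` list is what you would expect from a Fuseki build that picked up this PR; the class count only tells you the Java runtime is present, which it will be, since Jena's binary RDF format depends on it.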
By submitting this pull request, I acknowledge that I am making a contribution to the Apache Software Foundation under the terms and conditions of the Contributor's Agreement.