Upgrade Thrift dependency in broker to solve CVE-2019-0210, CVE-2019-0205 and CVE-2020-13949

[fmiguelez]

Library from Apache Thrift (libthrift-0.12.jar) used by Apache Pulsar Broker is affected by two high risk vulnerabilities:
CVE-2019-0210 and CVE-2019-0205

These vulnerabilities are solved by version 0.13.

Update 2021/02/19

New vulnerability CVE-2020-13949 has been published affecting libthrift up to (including) version 0.13. Version 0.14 seems to solve the issue.

[hpvd]

Since these update-needs regularly occurs,
one should think of implementing a procedure to address this:

Automated security and update routine before every release #8815

[lhotari]

Fixing this issue depends on Bookkeeper issue apache/bookkeeper#2695 . libthrift 0.14.1 is broken and a new version is needed before the upgrade can be completed. More details in apache/bookkeeper#2695 (review) .

[codelipenghui]

The issue had no activity for 30 days, mark with Stale label.

[tisonkun]

Closed as stale. Please open a new issue if it's still relevant to the maintained versions.

IIRC we have a OWASP checker to prevent high risk vulnerabilities

[compuguy]

@tisonkun CVE-2019-0205 and CVE-2019-0210 are still showing up as vulnerabilities as of September 2023 with Pulsar 3.1.0's connectors. I don't think the OWASP checker you have setup is working, or these types of security vulnerabilities are being prioritized.