Tchannel-go security issue related to older Tally/Thrift

Hi folks, temporalio/tchannel-go (GitHub: Go implementation of a multiplexing and framing protocol for RPC calls) is importing a fairly old uber-go/tally (GitHub: A Go metrics interface with fast buffered metrics and third party reporters) v3.3.15, which uses Thrift 0.10.0.

This results in several CVEs.

High vulnerability:
CVE-2019-0205
CVE-2018-11798
CVE-2015-3254

Medium vulnerability:
CVE-2020-13949
CVE-2019-0210

I see that the most recent commit in tchannel-go explicitly upgrades Thrift to 0.16.0, but 0.10.0 is also included due to the older Tally.

Would it be possible to explore upgrading Tally version in tchannel-go? Thanks.
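To make the situation in the post concrete, here is an added example (not code from tchannel-go, Tally or the Temporal project) that walks a constructed `go mod graph` style requirement list and reports both every version of a module present in the graph and the requirement chain that pulls a given version in. The module paths and versions in `SAMPLE_GRAPH` are constructed for illustration, and `example.com/app` stands in for whatever main module is being audited; in a real repository the same functions can be fed `$(go mod graph)`.

```shell
#!/usr/bin/env bash
# Constructed sample in the format of `go mod graph` output: each line is
# "requiring-module required-module@version". The main module appears with
# no version. These edges are illustrative, not taken from a real repository.
SAMPLE_GRAPH='example.com/app github.com/uber-go/tally@v3.3.15+incompatible
example.com/app github.com/apache/thrift@v0.16.0
github.com/uber-go/tally@v3.3.15+incompatible github.com/apache/thrift@v0.10.0
github.com/uber-go/tally@v3.3.15+incompatible github.com/uber-go/atomic@v1.4.0'

# graph_versions GRAPH MODULE_PATH
# Print every distinct version of MODULE_PATH that some module in GRAPH
# requires, sorted, space separated. Two versions of the same module in the
# graph is the signal that an old requirement is still being carried along.
graph_versions() {
  local graph="$1" path="$2"
  printf '%s\n' "$graph" \
    | awk -v p="$path" 'index($2, p "@") == 1 { sub(/^[^@]*@/, "", $2); print $2 }' \
    | sort -u \
    | tr '\n' ' ' \
    | sed 's/ *$//'
}

# requirement_chain GRAPH TARGET
# Walk parent edges upward from TARGET (module@version) until a module with
# no requirer (the main module) is reached, and print the chain as
# "main -> ... -> TARGET". Only the first requirer found at each step is
# followed, which is enough to show one path responsible for the version.
requirement_chain() {
  local graph="$1" node="$2" chain="$2" parent
  while :; do
    parent=$(printf '%s\n' "$graph" | awk -v n="$node" '$2 == n { print $1; exit }')
    [ -n "$parent" ] || break
    chain="$parent -> $chain"
    node="$parent"
  done
  printf '%s\n' "$chain"
}

# Stand-alone usage: list Thrift versions in the graph, then explain the old one.
graph_versions "$SAMPLE_GRAPH" github.com/apache/thrift
requirement_chain "$SAMPLE_GRAPH" 'github.com/apache/thrift@v0.10.0'
```

Run against a real module, `requirement_chain "$(go mod graph)" github.com/apache/thrift@v0.10.0` prints the same kind of chain that `go mod why -m` would, but it shows the version-specific edge, which is what a scanner flags even though Go's minimal version selection will build with the newer version. Dropping the old requirement therefore means upgrading (or replacing) the intermediate module that still declares it, which is the upgrade the post asks about.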

Hi, thanks a lot for sharing this info. Will get more info from our security team and get back to you asap.

Thank you @tihomir. Please let me know.

Will do, as soon as I get some info will update here.

Just to add, we have an issue here that is related, as well as an issue opened with tally here.

Makes sense. It does seem like tally will have to remove that fixed vendoring. They have moved towards Go modules, so I don't see why it is still vendored.

Eng team mentioned that Temporal does have a dependency on ringpop, but we do not use the Thrift protocol in any way. We also have plans to deprecate ringpop in the future.

Understood. Thanks for the responses @tihomir :raised_hands: