DFSG, Licensing & New Packages Team

thrift (0.23.0-1) experimental; urgency=medium
 .
   * New major upstream release (closes: #1135348):
     - fixes CVE-2025-48431: mismatched memory management routines
       vulnerability,
     - fixes CVE-2026-41602: integer overflow or wraparound vulnerability,
     - fixes CVE-2026-41603: improper validation of certificate with host
       mismatch vulnerability,
     - fixes CVE-2026-41606: uncontrolled recursion vulnerability,
     - fixes CVE-2026-41607: out of bounds read vulnerability.
   * Rename related packages to -0.23.0 suffix.
   * Build without deprecated Qt5 (closes: #1133038).
   * Update copyright file.

Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: thrift
Source: https://www.apache.org/dist/thrift

Files: *
Copyright: Copyright 2006- Apache Software Foundation
License: Apache-2.0

Files: aclocal/ax_boost_base.m4 aclocal/ax_check_openssl.m4 aclocal/ax_compare_version.m4 aclocal/ax_cxx_compile_stdcxx_11.m4 aclocal/ax_cxx_compile_stdcxx.m4 aclocal/ax_dmd.m4 aclocal/ax_javac_and_java.m4 aclocal/ax_lib_event.m4 aclocal/ax_lib_zlib.m4 aclocal/ax_prog_dotnetcore_version.m4 aclocal/ax_prog_haxe_version.m4 aclocal/ax_prog_perl_modules.m4 aclocal/ax_signed_right_shift.m4 aclocal/ax_thrift_internal.m4 contrib/fb303/acinclude.m4 contrib/fb303/aclocal/ax_boost_base.m4 contrib/fb303/aclocal/ax_cxx_compile_stdcxx_11.m4 contrib/fb303/aclocal/ax_javac_and_java.m4 contrib/fb303/aclocal/ax_thrift_internal.m4
Copyright: 2008 Benjamin Kosnik <bkoz@redhat.com>,
 2008 Tim Toolan <toolan@ele.uri.edu>,
 2008 Thomas Porschberg <thomas@randspringer.de>,
 2009 David Reiss,
 2009 Facebook,
 2009 Peter Adolphs,
 2012 Zack Weinberg <zackw@panix.com>,
 2013 Roy Stogner <roystgnr@ices.utexas.edu>,
 2015 Jens Geyer <jensg@apache.org>
License: FSFAP
 This file is free software; the Free Software Foundation gives
 unlimited permission to copy and/or distribute it, with or without
 modifications, as long as this notice is preserved.
 .
 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY, to the extent permitted by law; without even
 the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
 PURPOSE.

Files: aclocal/lt~obsolete.m4 aclocal/ltoptions.m4 aclocal/ltsugar.m4 aclocal/ltversion.m4 aclocal/tar.m4
Copyright: 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, Inc.
License: FSFULLR
 This file is free software; the Free Software Foundation
 gives unlimited permission to copy and/or distribute it,
 with or without modifications, as long as this notice is preserved.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY, to the extent permitted by law; without
 even the implied warranty of MERCHANTABILITY or FITNESS FOR A
 PARTICULAR PURPOSE.

Files: aclocal/libtool.m4
Copyright: 1996-2001, 2003-2015 Free Software Foundation, Inc.
License: FSFULLR and/or GPL-2+ with Libtool exception
 GNU Libtool is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the Free
 Software Foundation; either version 2 of the License, or (at your option)
 any later version.
 .
 As a special exception to the GNU General Public License, if you
 distribute this file as part of a program or library that is built
 using GNU Libtool, you may include this file under the  same
 distribution terms that you use for the rest of that program.
 .
 GNU Libtool is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License version 2
 along with this program.  If not, see <http://www.gnu.org/licenses/>.

Files: configure
Copyright: 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, Inc.
License: FSFUL
 This configure script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it.

Files: install-sh
Copyright: 1994 X Consortium
License: X11
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 .
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE X
 CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 .
 Except as contained in this notice, the name of the X Consortium shall not be
 used in advertising or otherwise to promote the sale, use or other dealings in
 this Software without prior written authorization from the X Consortium.

Files: ltmain.sh
Copyright: 1996-2015 Free Software Foundation, Inc.
License: GPL-2+ with Libtool exception
 GNU Libtool is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the Free
 Software Foundation; either version 2 of the License, or (at your option)
 any later version.
 .
 As a special exception to the GNU General Public License, if you
 distribute this file as part of a program or library that is built
 using GNU Libtool, you may include this file under the  same
 distribution terms that you use for the rest of that program.
 .
 GNU Libtool is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License version 2
 along with this program.  If not, see <http://www.gnu.org/licenses/>.

Files: compiler/cpp/tests/catch/catch.hpp
Copyright: 2012 Two Blue Cubes Ltd.
License: BSL-1.0
 Boost Software License - Version 1.0 - August 17th, 2003
 .
 Permission is hereby granted, free of charge, to any person or organization
 obtaining a copy of the software and accompanying documentation covered by
 this license (the "Software") to use, reproduce, display, distribute,
 execute, and transmit the Software, and to prepare derivative works of the
 Software, and to permit third-parties to whom the Software is furnished to
 do so, all subject to the following:
 .
 The copyright notices in the Software and this entire statement, including
 the above license grant, this restriction and the following disclaimer,
 must be included in all copies of the Software, in whole or in part, and
 all derivative works of the Software, unless such copies or derivative
 works are solely in the form of machine-executable object code generated by
 a source language processor.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. IN NO EVENT
 SHALL THE COPYRIGHT HOLDERS OR ANYONE DISTRIBUTING THE SOFTWARE BE LIABLE
 FOR ANY DAMAGES OR OTHER LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE,
 ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 DEALINGS IN THE SOFTWARE.

Files: build/cmake/FindGLIB.cmake
Copyright: Copyright (C) 2012 Raphael Kubo da Costa <rakuco@webkit.org>
License: BSD-2-clause
 All rights reserved.
 .
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
 .
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 .
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Files: compiler/cpp/src/thrift/thrifty.cc compiler/cpp/src/thrift/thrifty.hh
Copyright: Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation, Inc.
License: GPL-3+ with Bison-2.2 exception
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 .
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License version 3
 along with this program.  If not, see <https://www.gnu.org/licenses/>.
 .
 As a special exception, you may create a larger work that contains
 part or all of the Bison parser skeleton and distribute that work
 under terms of your choice, so long as that work isn't itself a
 parser generator using the skeleton or a modified version thereof
 as a parser skeleton.  Alternatively, if you modify or redistribute
 the parser skeleton itself, you may (at your option) remove this
 special exception, which will cause the skeleton and the resulting
 Bison output files to be licensed under the GNU General Public
 License without this special exception.

Files: doc/licenses/otp-base-license.txt
Copyright: 2006 Martin J. Logan, Erlware
License: Expat
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the
 "Software"), to deal in the Software without restriction, including
 without limitation the rights to use, copy, modify, merge, publish,
 distribute, sublicense, and/or sell copies of the Software, and to
 permit persons to whom the Software is furnished to do so, subject to
 the following conditions:
 .
 The above copyright notice and this permission notice shall be
 included in all copies or substantial portions of the Software.
 .
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
 IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
 CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
 TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Files: lib/php/src/ext/thrift_protocol/config.m4
Copyright: 2009 Facebook
License: Apache-2.0 and/or FSFAP
 Copying and distribution of this file, with or without modification, are
 permitted in any medium without royalty provided the copyright notice
 and this notice are preserved. This file is offered as-is, without any
 warranty.

Files: debian/*
Copyright: Copyright 2012-2014 Eric Evans <eevans@debian.org>,
           Copyright 2014-     Laszlo Boszormenyi (GCS) <gcs@debian.org>
License: GPL-2+

License: GPL-2+
 This program is free software; you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the Free
 Software Foundation; either version 2 of the License, or (at your option)
 any later version.
 .
 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 for more details.
 .
 You should have received a copy of the GNU General Public License version 2
 along with this program. If not, see <https://www.gnu.org/licenses/>.
 .
 On Debian systems, the full text of the GNU General Public License version
 2 can be found in the file `/usr/share/common-licenses/GPL-2'.

License: GPL-3+
 This program is free software: you can redistribute it and/or modify it
 under the terms of the GNU General Public License as published by the Free
 Software Foundation, either version 3 of the License, or (at your option)
 any later version.
 .
 This package is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 GNU General Public License for more details.
 .
 You should have received a copy of the GNU General Public License version 3
 along with this program. If not, see <https://www.gnu.org/licenses/>.
 .
 On Debian systems, the full text of the GNU General Public License
 version 3 can be found in the file `/usr/share/common-licenses/GPL-3'.

License: Apache-2.0
 Licensed to the Apache Software Foundation (ASF) under one or more contributor
 license agreements. The ASF licenses this work to You under the Apache License,
 Version 2.0 (the "License"); you may not use this work except in compliance
 with the License.  You may obtain a copy of the License at
 .
 https://www.apache.org/licenses/LICENSE-2.0
 .
 On Debian systems, the complete text of the Apache License Version 2.0
 can be found in the file '/usr/share/common-licenses/Apache-2.0'.