Update jaeger-client dependency due to CVE-2020-13949

[lathspell]

You have an indirect dependency on libthrift:0.13.0 which has a security problem according to CVE-2020-13949.
Please update to opentracing-spring-jaeger-starter:3.3.3!

{noformat}
+--- io.opentracing.contrib:opentracing-spring-jaeger-cloud-starter:3.3.1
| +--- io.opentracing.contrib:opentracing-spring-jaeger-starter:3.3.1
| | --- io.jaegertracing:jaeger-client:1.3.2
| | +--- io.jaegertracing:jaeger-thrift:1.3.2
| | | +--- org.apache.thrift:libthrift:0.13.0
...
{noformat}

see also

• CVE-2020-13949 in libthrift 0.13.0 dependency  java-spring-jaeger#121 and
• Bump thrift version jaegertracing/jaeger-client-java#768

[lathspell]

ping

[lathspell]

ping

[barbetb]

Any update on this? 0.16.0 if libthrift is out, when can we expect and update?

[lathspell]

Migrating according to https://opentelemetry.io/docs/migration/opentracing/ is the way to go but it's sad that the old libraries are left with security issues.