Upgrade libthrift to 0.14.1 due CVE-2020-13949

[denodo-research-labs]

Description

Fix CVE-2018-1320, CVE-2019-0205, CVE-2019-0210 and CVE-2020-13949.

The version chosen is 0.14.1, although more recent versions exist, because it does not have CRITICAL and HIGH severity CVEs and has been tested in several scenarios with different versions of Hive Metastore.

Fix for #18026

Motivation and Context

The PR upgrades libthrift version to address known CVEs.

Exception made for Accumulo connector, since the version of Accumulo used is not compatible with newer versions of libthrift.

Impact

Dependency org.apache.thrift:libthrift:0.9.3 has four HIGH vulnerabilities:

https://nvd.nist.gov/vuln/detail/CVE-2018-1320
https://nvd.nist.gov/vuln/detail/CVE-2019-0205
https://nvd.nist.gov/vuln/detail/CVE-2019-0210
https://nvd.nist.gov/vuln/detail/CVE-2020-13949

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• If release notes are required, they follow the release notes guidelines.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* Upgrade libthrift to 0.14.1 in response to `CVE-2020-13949 <https://github.com/advisories/GHSA-g2fg-mr77-6vrm>`_ :pr:`24462`

[czentgr]

Please rebase.

Also, is there a plan to take a look at accumulo to see if thrift can be upgraded for that as well?

[denodo-research-labs]

The community seems to have little interest in maintaining Accumulo, see #15837