Posted to dev@tika.apache.org by "Felix Sperling (Jira)" <ji...@apache.org> on 2022/10/27 09:01:00 UTC

[jira] [Created] (TIKA-3906) Build a new version of the Tika docker image to fix CVEs

Felix Sperling created TIKA-3906:
------------------------------------

             Summary: Build a new version of the Tika docker image to fix CVEs
                 Key: TIKA-3906
                 URL: https://issues.apache.org/jira/browse/TIKA-3906
             Project: Tika
          Issue Type: Bug
          Components: docker
    Affects Versions: 2.5.0
            Reporter: Felix Sperling


Please rebuild and release a new version of the 2.5.0 docker image.
The current one contains CVEs which have fixes already in the jammy repos.

h2. zlib

*_Note:_* _Versions mentioned in the description apply to the upstream {{zlib}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant versions._

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).

h2. Remediation

Upgrade {{Ubuntu:22.04}} {{zlib}} to version 1:1.2.11.dfsg-2ubuntu9.2 or higher.

h2. perl

*_Note:_* _Versions mentioned in the description apply to the upstream {{perl}} package._ _See {{How to fix?}} for {{Ubuntu:22.04}} relevant versions._

CPAN 2.28 allows Signature Verification Bypass.

h2. Remediation

Upgrade {{Ubuntu:22.04}} {{perl}} to version 5.34.0-3ubuntu1.1 or higher.
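One way to verify that a rebuilt image actually carries both remediation versions above, added here as an example that is not part of this ticket or of the Tika project: a Python port of dpkg's version ordering, applied to constructed `dpkg-query` output from inside the container. The binary package names zlib1g and perl-base are assumptions (the ticket names the source packages zlib and perl).

```python
import re
from itertools import zip_longest

# Remediation versions from this ticket, keyed by Ubuntu 22.04 binary package name.
# The names zlib1g and perl-base are assumptions; the ticket names the source packages.
FIXED = {"zlib1g": "1:1.2.11.dfsg-2ubuntu9.2", "perl-base": "5.34.0-3ubuntu1.1"}

def _order(c):
    # dpkg character weights: '~' sorts before anything, even the end of a string
    # or a digit (both weigh 0); letters sort before all other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # Port of dpkg's verrevcmp(): a version string alternates non-digit and numeric
    # runs; compare run by run, non-digit runs char by char, numeric runs as integers.
    runs = re.compile(r"(\D*)(\d*)")
    for (sa, na), (sb, nb) in zip_longest(runs.findall(a), runs.findall(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare_versions(a, b):
    """Return -1, 0 or 1 for [epoch:]upstream[-revision], ordered like `dpkg --compare-versions`."""
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def find_outdated(dpkg_output, fixed=FIXED):
    r"""Parse `dpkg-query -W -f '${Package} ${Version}\n'` output and return
    {package: (installed, required)} for each tracked package still below its fix."""
    outdated = {}
    for line in dpkg_output.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in fixed and compare_versions(fields[1], fixed[fields[0]]) < 0:
            outdated[fields[0]] = (fields[1], fixed[fields[0]])
    return outdated

# Constructed sample output, as an image built before the fixes landed might report it.
SAMPLE = "zlib1g 1:1.2.11.dfsg-2ubuntu9\nperl-base 5.34.0-3ubuntu1\nlibc6 2.35-0ubuntu3.1\n"
```

Run `dpkg-query -W -f '${Package} ${Version}\n' zlib1g perl-base` inside the image and feed the output to `find_outdated`; an empty result means both fixes are present.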



--
This message was sent by Atlassian Jira
(v8.20.10#820010)