Posted to dev@tika.apache.org by "Tim Allison (Jira)" <ji...@apache.org> on 2020/11/19 21:44:00 UTC

[jira] [Resolved] (TIKA-3232) security vulnerability in dependencies

     [ https://issues.apache.org/jira/browse/TIKA-3232?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Allison resolved TIKA-3232.
-------------------------------
    Fix Version/s: 1.25
         Assignee: Tim Allison
       Resolution: Fixed

Thank you for opening this issue.  We've already fixed these in {{branch_1x}}, which we'll release in the next week or two as Tika 1.25.


> security vulnerability in dependencies
> --------------------------------------
>
>                 Key: TIKA-3232
>                 URL: https://issues.apache.org/jira/browse/TIKA-3232
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 1.24.1
>            Reporter: Shayne Grant
>            Assignee: Tim Allison
>            Priority: Major
>             Fix For: 1.25
>
>
> Our team runs BlackDuck to find security vulnerabilities, and Tika 1.24.1 was flagged in a recent scan for two libraries that it includes.  Here is information about the two libraries, which have vulnerabilities that have recently been patched and to which Tika needs to upgrade:
>
> Apache HttpClient v4.5.12
> The recommendation is to upgrade to 4.5.13.  I cannot find a CVE number; however, the BlackDuck tool has pointed to the following changeset, made in the 4.5.13 version, that addresses the vulnerability:
> [https://github.com/apache/httpcomponents-client/commit/e628b4c5c464c2fa346385596cc78e035a91a62e]
>
> jackson-databind 2.10.3
> The recommendation is to upgrade to 2.11.3.  The issue was CVE-2020-25649.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)