Posted to dev@tika.apache.org by "Tim Allison (Jira)" <ji...@apache.org> on 2022/11/10 22:10:00 UTC
[jira] [Resolved] (TIKA-3926) Build a new version of the Tika docker image to fix CVEs
[ https://issues.apache.org/jira/browse/TIKA-3926?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tim Allison resolved TIKA-3926.
-------------------------------
Resolution: Fixed
2.6.0.1 released just now
> Build a new version of the Tika docker image to fix CVEs
> --------------------------------------------------------
>
> Key: TIKA-3926
> URL: https://issues.apache.org/jira/browse/TIKA-3926
> Project: Tika
> Issue Type: Bug
> Affects Versions: 2.6.0
> Reporter: Felix Sperling
> Priority: Major
>
> Build a new docker image which has openssl upgraded in order to fix security vuln.
>
> Details:
> A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the {{.}} character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
> h3. Changelog
> November 1, 2022 - Advisory published.
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{openssl}} to version 3.0.2-0ubuntu1.7 or higher.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
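As an added example (not part of the Jira issue above and not the Tika project's own code), a small Python check that decides whether an Ubuntu 22.04 image's openssl package meets the version floor quoted in the remediation. It implements dpkg's version-ordering rules rather than plain string comparison, so revisions such as 0ubuntu1.10 or 0ubuntu1.7~rc1 are judged correctly; the dpkg-query output it parses is a constructed sample.

```python
import re
from itertools import zip_longest
# Floor quoted in the issue above for Ubuntu 22.04: openssl 3.0.2-0ubuntu1.7 or higher.
REQUIRED_OPENSSL_VERSION = "3.0.2-0ubuntu1.7"
# Constructed sample: what `dpkg-query -W -f='${Package} ${Version}\n'` could print in a
# hypothetical image (not taken from the Tika project's real images).
SAMPLE_REPORT = "libssl3 3.0.2-0ubuntu1.6\nopenssl 3.0.2-0ubuntu1.6\n"

def _order(c: str) -> int:
    # dpkg character ordering: '~' < end of string < letters < other characters
    if c in ("~", ""):
        return -1 if c == "~" else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    # Compare one upstream-version or revision string the way dpkg does.
    while a or b:
        # Non-digit runs are compared character by character with _order().
        pa, pb = re.match(r"[^0-9]*", a).group(), re.match(r"[^0-9]*", b).group()
        a, b = a[len(pa):], b[len(pb):]
        for x, y in zip_longest(pa, pb, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        # Digit runs are compared numerically, so revision 1.10 sorts after 1.7.
        na, nb = re.match(r"[0-9]*", a).group(), re.match(r"[0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def compare_debian_versions(v1: str, v2: str) -> int:
    # Returns -1, 0 or 1 for v1 <, ==, > v2: epoch first, then upstream, then revision.
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, revision
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def needs_upgrade(dpkg_output: str, package="openssl", floor=REQUIRED_OPENSSL_VERSION) -> bool:
    # True when the package's version in the dpkg-query output is below the floor.
    for line in dpkg_output.splitlines():
        name, _, version = line.partition(" ")
        if name == package:
            return compare_debian_versions(version, floor) < 0
    raise ValueError(f"{package} not listed in report")
```

Run it against the output of `docker run --rm <image> dpkg-query -W -f='${Package} ${Version}\n' openssl libssl3` to gate an image build on the advisory floor.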