Posted to dev@tika.apache.org by "Felix Sperling (Jira)" <ji...@apache.org> on 2022/11/11 08:07:00 UTC

[jira] [Commented] (TIKA-3926) Build a new version of the Tika docker image to fix CVEs

    [ https://issues.apache.org/jira/browse/TIKA-3926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17632149#comment-17632149 ] 

Felix Sperling commented on TIKA-3926:
--------------------------------------

Thanks [~tallison] 

> Build a new version of the Tika docker image to fix CVEs
> --------------------------------------------------------
>
>                 Key: TIKA-3926
>                 URL: https://issues.apache.org/jira/browse/TIKA-3926
>             Project: Tika
>          Issue Type: Bug
>    Affects Versions: 2.6.0
>            Reporter: Felix Sperling
>            Priority: Major
>
> Build a new docker image which has openssl upgraded in order to fix security vuln.
>
> Details:
> A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the {{.}} character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service).
> h3. Changelog
> November 1, 2022 - Advisory published.
> h2. Remediation
> Upgrade {{Ubuntu:22.04}} {{openssl}} to version 3.0.2-0ubuntu1.7 or higher.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)