You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/02/12 09:35:00 UTC

[jira] [Updated] (OFBIZ-12572) [SECURITY] Upgrade Tika to 2.3.0

     [ https://issues.apache.org/jira/browse/OFBIZ-12572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12572:
------------------------------------
        Parent: OFBIZ-1525
    Issue Type: Sub-task  (was: Bug)

> [SECURITY] Upgrade Tika to 2.3.0
> --------------------------------
>
>                 Key: OFBIZ-12572
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12572
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: content, framework/security
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> Here the Tika announce:
> {quote}
> The Apache Tika project is pleased to announce the release of Apache
> Tika 2.3.0. The release contents have been pushed out to the main
> Apache release site and to the Maven Central sync.
> Apache Tika is a toolkit for detecting and extracting metadata and
> structured text content from various documents using existing parser
> libraries.
> Apache Tika 2.3.0 includes several security upgrades in dependencies,
> including an upgrade to log4j2 (version 2.17.1).  This release also
> includes a non-trivial upgrade to Apache POI 5.2.0 (TIKA-3164); users
> will observe significantly more logging from the POI parsers.
> Details can be found in the changes file:
> https://www.apache.org/dist/tika/2.3.0/CHANGES-2.3.0.txt
> {quote}
> We currently still use 1.28 version because since 2.1.0 Tika throws a lot of compile errors. I tried to use 2.3.0 and there is much work. Fortunately we don't rely too much on Tika. 
> * In security component, only to check *.svg files in SecuredUpload::getMimeTypeFromFileName() and there is another final check in this method.
> * In content: DataResourceWorker.getMimeTypeWithByteBuffer::getMimeTypeWithByteBuffer



--
This message was sent by Atlassian Jira
(v8.20.1#820001)