You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@tika.apache.org by "Kurz, Fred via user" <us...@tika.apache.org> on 2022/11/01 18:01:53 UTC

When will CVE-2022-42003 be eliminated from Tika 2.5.x?

Categorization: Unclassified
Hi:

I hope you can help, or forward this to someone who can.

I am an IT Team Lead at the Canada Revenue Agency (CRA).  We are currently on Tika 1.2x and wanted to upgrade to 2.4.1 but are being blocked by internal security policies because of the three CVEs impacting it.  Version 2.5.0 still has one of the vulnerabilities (CVE-2022-42003) so we still can’t upgrade to it either.

When will CVE-2022-42003 be eliminated from Tika 2.5.x?

Thank you,
Fred Kurz

Re: When will CVE-2022-42003 be eliminated from Tika 2.5.x?

Posted by Tim Allison <ta...@apache.org>.

Looks like an update was released about 2 weeks ago. I wasn't aware of
that.  I'll update it in main now.

I'll check with the team on the dev list about our next release.

Thank you for notifying us.

On Tue, Nov 1, 2022 at 2:02 PM Kurz, Fred via user <us...@tika.apache.org>
wrote:

> *Categorization: Unclassified *
>
> Hi:
>
>
>
> I hope you can help, or forward this to someone who can.
>
>
>
> I am an IT Team Lead at the Canada Revenue Agency (CRA).  We are currently
> on Tika 1.2x and wanted to upgrade to 2.4.1 but are being blocked by
> internal security policies because of the three CVEs impacting it.  Version
> 2.5.0 still has one of the vulnerabilities (CVE-2022-42003) so we still
> can’t upgrade to it either.
>
>
>
> When will CVE-2022-42003 be eliminated from Tika 2.5.x?
>
>
>
> Thank you,
>
> Fred Kurz
>
>
>
>
>