Posted to user@tika.apache.org by Tim Allison <ta...@apache.org> on 2021/12/23 20:27:02 UTC

[ANNOUNCE] Apache Tika 2.2.1 released

The Apache Tika project is pleased to announce the release of Apache
Tika 2.2.1. The release contents have been pushed out to the main
Apache release site and to the Maven Central sync.

Apache Tika is a toolkit for detecting and extracting metadata and
structured text content from various documents using existing parser
libraries.

Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a
critical fix to an OOXML parser regression that was introduced
in 2.2.0, and upgrades to other dependencies.  Details can be found
in the changes file:
https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt

Apache Tika is available on the download page:
https://tika.apache.org/download.html

Apache Tika is also available in binary form or for use using Maven 2
from the Central Repository:
https://repo1.maven.org/maven2/org/apache/tika/

When downloading, please remember to verify the downloads using
signatures found: https://www.apache.org/dist/tika/KEYS

For more information on Apache Tika, visit the project home page:
https://tika.apache.org/

-- Tim Allison, on behalf of the Apache Tika community

Re: [ANNOUNCE] Apache Tika 2.2.1 released

Posted by Tilman Hausherr <TH...@t-online.de>.
I agree because of that exact reason (access to config file needed). I 
remember a cartoon about it but can no longer find it.
Tilman

Am 07.01.2022 um 19:15 schrieb Tim Allison:
> I'm frankly, personally, not motivated to roll a new release for
> log4j2 2.17.1 because the vulnerability, IMO, is not a real
> vulnerability...if someone has access to your logging config file,
> you've got far larger issues.
>
> However, it does look like there are some new problems with iworks
> detection and maybe processing.  Once we fix those and/or figure out
> what's fixable, then I think we should roll a Tika 2.2.2 with log4j
> 2.17.1 and those updates.
>
> I'd be grateful for any help getting POI 5.x to work in our osgi
> bundle so that we can upgrade to that asap.
>
> Fellow devs, what do you think?
>
> Best,
>
>         Tim
>
> On Fri, Jan 7, 2022 at 11:17 AM Josh Burchard <bu...@pnp-hcl.com> wrote:
>> I see that now https://logging.apache.org/log4j/2.x/security.html states that vulnerabilities exist in all versions up to Log4j 2.17.0, so the recommendation is to use 2.17.1.  Is there a plan to spin another Tika release that uses 2.17.1?
>>
>>
>>
>>
>> From:        "Tim Allison" <ta...@apache.org>
>> To:        announce@apache.org, "<de...@tika.apache.org>" <de...@tika.apache.org>, user@tika.apache.org
>> Date:        12/23/2021 03:27 PM
>> Subject:        [ANNOUNCE] Apache Tika 2.2.1 released
>> ________________________________
>>
>>
>>
>> The Apache Tika project is pleased to announce the release of Apache
>> Tika 2.2.1. The release contents have been pushed out to the main
>> Apache release site and to the Maven Central sync.
>>
>> Apache Tika is a toolkit for detecting and extracting metadata and
>> structured text content from various documents using existing parser
>> libraries.
>>
>> Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a
>> critical fix to an OOXML parser regression that was introduced
>> in 2.2.0, and upgrades to other dependencies.  Details can be found
>> in the changes file:
>> https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt
>>
>> Apache Tika is available on the download page:
>> https://tika.apache.org/download.html
>>
>> Apache Tika is also available in binary form or for use using Maven 2
>> from the Central Repository:
>> https://repo1.maven.org/maven2/org/apache/tika/
>>
>> When downloading, please remember to verify the downloads using
>> signatures found: https://www.apache.org/dist/tika/KEYS
>>
>> For more information on Apache Tika, visit the project home page:
>> https://tika.apache.org/
>>
>> -- Tim Allison, on behalf of the Apache Tika community
>>
>>


Re: [ANNOUNCE] Apache Tika 2.2.1 released

Posted by Josh Burchard <bu...@pnp-hcl.com>.
It's a fair point you make about the config file, Tim.  Personally I'll be 
waiting for 2.2.2 because if we ship with a Tika server that has potential 
vulnerabilities, no matter how unlikely they are to be exploited on our 
customers' systems, I inevitably have to answer a bunch of support 
questions and calm their fears.  The less of that there is, the better, 
IMHO.    2.2.2 also has a nice ring to it. ;-)




From:   "Tim Allison" <ta...@apache.org>
To:     user@tika.apache.org, "<de...@tika.apache.org>" <de...@tika.apache.org>
Date:   01/07/2022 01:15 PM
Subject:        Re: [ANNOUNCE] Apache Tika 2.2.1 released



I'm frankly, personally, not motivated to roll a new release for
log4j2 2.17.1 because the vulnerability, IMO, is not a real
vulnerability...if someone has access to your logging config file,
you've got far larger issues.

However, it does look like there are some new problems with iworks
detection and maybe processing.  Once we fix those and/or figure out
what's fixable, then I think we should roll a Tika 2.2.2 with log4j
2.17.1 and those updates.

I'd be grateful for any help getting POI 5.x to work in our osgi
bundle so that we can upgrade to that asap.

Fellow devs, what do you think?

Best,

       Tim

On Fri, Jan 7, 2022 at 11:17 AM Josh Burchard <bu...@pnp-hcl.com> wrote:
>
> I see that now https://logging.apache.org/log4j/2.x/security.html states that vulnerabilities exist in all versions up to Log4j 2.17.0, so the recommendation is to use 2.17.1.  Is there a plan to spin another Tika release that uses 2.17.1?
>
>
>
>
> From:        "Tim Allison" <ta...@apache.org>
> To:        announce@apache.org, "<de...@tika.apache.org>" <de...@tika.apache.org>, user@tika.apache.org
> Date:        12/23/2021 03:27 PM
> Subject:        [ANNOUNCE] Apache Tika 2.2.1 released
> ________________________________
>
>
>
> The Apache Tika project is pleased to announce the release of Apache
> Tika 2.2.1. The release contents have been pushed out to the main
> Apache release site and to the Maven Central sync.
>
> Apache Tika is a toolkit for detecting and extracting metadata and
> structured text content from various documents using existing parser
> libraries.
>
> Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a
> critical fix to an OOXML parser regression that was introduced
> in 2.2.0, and upgrades to other dependencies.  Details can be found
> in the changes file:
> https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt
>
> Apache Tika is available on the download page:
> https://tika.apache.org/download.html
>
> Apache Tika is also available in binary form or for use using Maven 2
> from the Central Repository:
> https://repo1.maven.org/maven2/org/apache/tika/
>
> When downloading, please remember to verify the downloads using
> signatures found: https://www.apache.org/dist/tika/KEYS
>
> For more information on Apache Tika, visit the project home page:
> https://tika.apache.org/
>
> -- Tim Allison, on behalf of the Apache Tika community
>
>




Re: [ANNOUNCE] Apache Tika 2.2.1 released

Posted by Tim Allison <ta...@apache.org>.
I'm frankly, personally, not motivated to roll a new release for
log4j2 2.17.1 because the vulnerability, IMO, is not a real
vulnerability...if someone has access to your logging config file,
you've got far larger issues.

However, it does look like there are some new problems with iworks
detection and maybe processing.  Once we fix those and/or figure out
what's fixable, then I think we should roll a Tika 2.2.2 with log4j
2.17.1 and those updates.

I'd be grateful for any help getting POI 5.x to work in our osgi
bundle so that we can upgrade to that asap.

Fellow devs, what do you think?

Best,

       Tim

On Fri, Jan 7, 2022 at 11:17 AM Josh Burchard <bu...@pnp-hcl.com> wrote:
>
> I see that now https://logging.apache.org/log4j/2.x/security.html states that vulnerabilities exist in all versions up to Log4j 2.17.0, so the recommendation is to use 2.17.1.  Is there a plan to spin another Tika release that uses 2.17.1?
>
>
>
>
> From:        "Tim Allison" <ta...@apache.org>
> To:        announce@apache.org, "<de...@tika.apache.org>" <de...@tika.apache.org>, user@tika.apache.org
> Date:        12/23/2021 03:27 PM
> Subject:        [ANNOUNCE] Apache Tika 2.2.1 released
> ________________________________
>
>
>
> The Apache Tika project is pleased to announce the release of Apache
> Tika 2.2.1. The release contents have been pushed out to the main
> Apache release site and to the Maven Central sync.
>
> Apache Tika is a toolkit for detecting and extracting metadata and
> structured text content from various documents using existing parser
> libraries.
>
> Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a
> critical fix to an OOXML parser regression that was introduced
> in 2.2.0, and upgrades to other dependencies.  Details can be found
> in the changes file:
> https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt
>
> Apache Tika is available on the download page:
> https://tika.apache.org/download.html
>
> Apache Tika is also available in binary form or for use using Maven 2
> from the Central Repository:
> https://repo1.maven.org/maven2/org/apache/tika/
>
> When downloading, please remember to verify the downloads using
> signatures found: https://www.apache.org/dist/tika/KEYS
>
> For more information on Apache Tika, visit the project home page:
> https://tika.apache.org/
>
> -- Tim Allison, on behalf of the Apache Tika community
>
>

Re: [ANNOUNCE] Apache Tika 2.2.1 released

Posted by Josh Burchard <bu...@pnp-hcl.com>.
I see that now https://logging.apache.org/log4j/2.x/security.html states 
that vulnerabilities exist in all versions up to Log4j 2.17.0, so the 
recommendation is to use 2.17.1.  Is there a plan to spin another Tika 
release that uses 2.17.1?




From:   "Tim Allison" <ta...@apache.org>
To:     announce@apache.org, "<de...@tika.apache.org>" <de...@tika.apache.org>, user@tika.apache.org
Date:   12/23/2021 03:27 PM
Subject:        [ANNOUNCE] Apache Tika 2.2.1 released



The Apache Tika project is pleased to announce the release of Apache
Tika 2.2.1. The release contents have been pushed out to the main
Apache release site and to the Maven Central sync.

Apache Tika is a toolkit for detecting and extracting metadata and
structured text content from various documents using existing parser
libraries.

Apache Tika 2.2.1 contains an upgrade to log4j2 2.17.0, a
critical fix to an OOXML parser regression that was introduced
in 2.2.0, and upgrades to other dependencies.  Details can be found
in the changes file:
https://www.apache.org/dist/tika/2.2.1/CHANGES-2.2.1.txt

Apache Tika is available on the download page:
https://tika.apache.org/download.html

Apache Tika is also available in binary form or for use using Maven 2
from the Central Repository:
https://repo1.maven.org/maven2/org/apache/tika/

When downloading, please remember to verify the downloads using
signatures found: https://www.apache.org/dist/tika/KEYS

For more information on Apache Tika, visit the project home page:
https://tika.apache.org/

-- Tim Allison, on behalf of the Apache Tika community




Re: wiki editor access request

Posted by Nick Burch <ap...@gagravarr.org>.
On Fri, 7 Jan 2022, Josh Burchard wrote:
> I wrote to Tim about making a small update to
> https://cwiki.apache.org/confluence/display/TIKA/TikaServerEndpointsCompared
> and he suggested that I email this dev list to see if someone could grant
> me editor access. Is that a possibility?

Can you sign up for an account on the wiki, then let us know what username 
you picked?

Thanks
Nick

wiki editor access request

Posted by Josh Burchard <bu...@pnp-hcl.com>.
Hi devs.  I wrote to Tim about making a small update to 
https://cwiki.apache.org/confluence/display/TIKA/TikaServerEndpointsCompared 
and he suggested that I email this dev list to see if someone could grant 
me editor access. Is that a possibility?

TIA!

Josh Burchard
Software Engineer - HCL Domino
HCL Technologies Ltd.