You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tika.apache.org by "Stefan Seide (Jira)" <ji...@apache.org> on 2021/09/09 07:11:00 UTC

[jira] [Commented] (TIKA-3506) please fix multipile CVE in commons-compress for tika-parsers 1.x too

    [ https://issues.apache.org/jira/browse/TIKA-3506?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412397#comment-17412397 ] 

Stefan Seide commented on TIKA-3506:
------------------------------------

tried to ping Rolf Lear for jdom2 via some others i know. Hope it gets released soon.

 

Another thing - can the following two libraries be updated too?
 * org.jsoup:jsoup to 1.14.2
 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37714]
lots of fixes found by a fuzzer (https://jsoup.org/news/release-1.14.2)
 * org.apache.commons:commons-compress to 1.21
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516]
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517]
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090]
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515]

Thanks

> please fix multipile CVE in commons-compress for tika-parsers 1.x too
> ---------------------------------------------------------------------
>
>                 Key: TIKA-3506
>                 URL: https://issues.apache.org/jira/browse/TIKA-3506
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.27
>            Reporter: Stefan Seide
>            Priority: Major
>              Labels: security
>
> tika-parsers uses org.apache.commons:commons-compress as a dependency.
> All versions up to 1.20 have multiple medium vulnerabilities incorrectly handling input data. These are fixed with current version 1.21.
> With tika-parsers 2.0 the new version is already used, therefore not a problem anymore.
> But older 1.x line uses the vulnerable commons-compress@1.20. Is it possible to create a new security release for the 1.x line with this update?
> An update to the newer 2.x version needs a lot more time due to the breaking changes mentioned at the release page (at least it reads so). A new 1.x release would held to faster fix this security problem for all.
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36090]
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35517]
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35516]
>  * [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35515]
> Thanks,
> Stefan Seide



--
This message was sent by Atlassian Jira
(v8.3.4#803005)