Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/02/12 09:16:00 UTC

[jira] [Updated] (OFBIZ-12573) CLONE - [SECURITY] Upgrade Tika to 1.28.1

     [ https://issues.apache.org/jira/browse/OFBIZ-12573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12573:
------------------------------------
    Description: 
Here is the Tika announcement:

{quote}
The Apache Tika project is pleased to announce the release of Apache
Tika 1.28.1. The release contents have been pushed out to the main
Apache release site and to the Maven Central sync.

Apache Tika is a toolkit for detecting and extracting metadata and
structured text content from various documents using existing parser
libraries.

Apache Tika 1.28.1 contains security-related and general
dependency upgrades. Details can be found in the changes file:
https://www.apache.org/dist/tika/1.28.1/CHANGES-1.28.1.txt

NOTE: The 1.x branch is now in security-fixes-only mode. The PMC
has decided the formal EoL for the 1.x branch is 30 September 2022:
https://lists.apache.org/thread/yq6n7o01kw544dvj1jsoqk29g6yqjkp3

Please upgrade to 2.3.0 at your earliest convenience. For guidance on this
upgrade:
https://cwiki.apache.org/confluence/display/TIKA/Migrating+to+Tika+2.0.0
{quote}

  was:
Here is the Tika announcement:


{quote}
The Apache Tika project is pleased to announce the release of Apache
Tika 2.3.0. The release contents have been pushed out to the main
Apache release site and to the Maven Central sync.

Apache Tika is a toolkit for detecting and extracting metadata and
structured text content from various documents using existing parser
libraries.

Apache Tika 2.3.0 includes several security upgrades in dependencies,
including an upgrade to log4j2 (version 2.17.1).  This release also
includes a non-trivial upgrade to Apache POI 5.2.0 (TIKA-3164); users
will observe significantly more logging from the POI parsers.
Details can be found in the changes file:
https://www.apache.org/dist/tika/2.3.0/CHANGES-2.3.0.txt
{quote}

We currently still use the 1.28 version because since 2.1.0 Tika throws a lot of compile errors. I tried to use 2.3.0 and there is much work. Fortunately we don't rely too much on Tika.
* In the security component, only to check *.svg files in SecuredUpload::getMimeTypeFromFileName(), and there is another final check in this method.
* In content: DataResourceWorker::getMimeTypeWithByteBuffer


> CLONE - [SECURITY] Upgrade Tika to 1.28.1
> -----------------------------------------
>
>                 Key: OFBIZ-12573
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12573
>             Project: OFBiz
>          Issue Type: Bug
>          Components: content, framework/security
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major