Posted to dev@tika.apache.org by "Tim Allison (JIRA)" <ji...@apache.org> on 2019/08/12 18:01:00 UTC

[jira] [Comment Edited] (TIKA-2878) Update dependencies for 1.22

    [ https://issues.apache.org/jira/browse/TIKA-2878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905432#comment-16905432 ] 

Tim Allison edited comment on TIKA-2878 at 8/12/19 6:00 PM:
------------------------------------------------------------

Hi [~tmortagne], we receive quite a few reports about out of date and vulnerable dependencies, and we are constantly striving to keep everything up to date. We've had to upgrade ASM fairly recently to be compatible with modern versions of Java.  I don't know enough about ASM to know if this beta version will break things -- outside of our unit and large scale regression tests.  If this is causing a problem for you, we can revert that upgrade.

We run {{mvn versions:display-dependency-updates}} before our releases to make sure that everything is up to date.  If we don't see any regressions or disastrous incompatibilities, we make the upgrades.

If you'd like to help us develop a policy for updates (e.g. don't include *-beta unless a non-beta doesn't exist, e.g. deeplearning4j) or if you'd like to open PRs to help us keep everything up to date, please do chip in!


was (Author: tallison@mitre.org):
Hi [~tmortagne], we receive quite a few reports about out of date and vulnerable dependencies, and we are constantly striving to keep everything up to date.  We run {{mvn versions:display-dependency-updates}} before our releases to make sure that everything is up to date.  If we don't see any regressions or disastrous incompatibilities, we make the upgrades.

If you'd like to help us develop a policy for updates (e.g. don't include *-beta unless a non-beta doesn't exist, e.g. deeplearning4j) or if you'd like to open PRs to help us keep everything up to date, please do chip in!

> Update dependencies for 1.22
> ----------------------------
>
>                 Key: TIKA-2878
>                 URL: https://issues.apache.org/jira/browse/TIKA-2878
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>         Attachments: dependency-check-report.html, dependency_tree.txt, pom.xml
>
>
> And in the category of "stuff you can't make up"...while generating the javadocs for the 1.21 release:
> We're now getting this in {{tika-parsers}}:
> {noformat}
>   c3p0:c3p0:jar:0.9.1.1:compile; https://ossindex.sonatype.org/component/pkg:maven/c3p0/c3p0@0.9.1.1
>     * [CVE-2019-5427]  Resource Management Errors (7.5); https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
> {noformat}
> and in {{tika-server}}:
> {noformat}
>     * [CVE-2019-10247]  Information Exposure (5.3); https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") (6.1); https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
>   org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile; https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-server@9.4.14.v20181114
>     * [CVE-2019-10247]  Information Exposure (5.3); https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") (6.1); https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> {noformat}
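The audit excerpt quoted in the description has a regular shape (a component line followed by one `*` line per finding, each with a CVSS score in parentheses), so a release build can parse it and fail on anything above a chosen threshold instead of someone reading the HTML report by eye. The following is an added example, not Tika's own tooling; the regexes and the 7.0 threshold are assumptions, and the sample input is constructed from the lines quoted above.

```python
import re

# Constructed sample input: the ossindex audit excerpt quoted in the issue description.
SAMPLE_REPORT = """\
  c3p0:c3p0:jar:0.9.1.1:compile; https://ossindex.sonatype.org/component/pkg:maven/c3p0/c3p0@0.9.1.1
    * [CVE-2019-5427]  Resource Management Errors (7.5); https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
  org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile; https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-server@9.4.14.v20181114
    * [CVE-2019-10247]  Information Exposure (5.3); https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
    * [CVE-2019-10241]  Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") (6.1); https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
"""

# Assumed line shapes (derived from the excerpt, not from any published spec):
#   "<groupId:artifactId:type:version:scope>; <component url>"
COMPONENT_RE = re.compile(r"^\s*(?P<gav>[^\s;*]+);\s*(?P<url>\S+)\s*$")
#   "* [<id>]  <title> (<cvss>); <vuln url>"   -- title may itself contain parentheses
VULN_RE = re.compile(
    r"^\s*\*\s+\[(?P<id>[^\]]+)\]\s+(?P<title>.*?)\s+\((?P<score>\d+(?:\.\d+)?)\);\s*(?P<url>\S+)\s*$"
)


def parse_report(text):
    """Map each component coordinate to its URL and the findings listed under it."""
    findings, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = COMPONENT_RE.match(line)
        if m:
            current = m.group("gav")
            findings[current] = {"url": m.group("url"), "vulns": []}
            continue
        m = VULN_RE.match(line)
        if m and current is not None:  # a finding belongs to the component above it
            findings[current]["vulns"].append(
                {"id": m.group("id"), "title": m.group("title"),
                 "score": float(m.group("score")), "url": m.group("url")}
            )
    return findings


def gate(findings, threshold=7.0):
    """(gav, id, score) for every finding at or above the CVSS threshold, worst first;
    a non-empty result is what a release check would fail the build on."""
    hits = [(gav, v["id"], v["score"])
            for gav, data in findings.items() for v in data["vulns"]
            if v["score"] >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)
```

With the default threshold only the c3p0 finding (7.5) is returned; lowering it to 6.0 also surfaces the Jetty XSS entry.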


