You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tika.apache.org by Hugo Lefeuvre <hl...@owl.eu.com> on 2019/08/09 14:14:27 UTC
security fixes for CVE-2019-10088 and CVE-2019-1009{3,4}
Dear tika developers,
I'd like to backport the security fixes for CVE-2019-10088, CVE-2019-10093
and CVE-2019-10094 to older tika releases in Debian.
I had a look at the changelog, the corresponding commit seems to be
https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6
Can anybody confirm? Are there other fixes I should consider applying?
thanks!
regards,
Hugo Lefeuvre (Debian LTS team)
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: security fixes for CVE-2019-10088 and CVE-2019-1009{3,4}
Posted by Tim Allison <ta...@apache.org>.
IIUC, ASF policy is not to update the commit message in git. See #16:
https://www.apache.org/security/committers.html
On Tue, Aug 13, 2019 at 1:58 AM Hugo Lefeuvre <hl...@debian.org> wrote:
>
> Hi Tim,
>
> > Y. You got CVE-2019-10088:
> > https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6
> >
> > Two other commits you'll want are the following
> >
> > CVE-2019-10093:
> > https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
> >
> > CVE-2019-10094:
> > https://github.com/apache/tika/commit/c4e63c9be8665cccea8b680c59a6f5cfbc03e0fc
>
> Thanks!
>
> I was wondering... is there any reason why tika developers don't include
> CVE information in commit messages? This would ease the work of security
> teams significantly.
>
> regards,
> Hugo
>
> [0] https://tika.apache.org/security.html
>
> --
> Hugo Lefeuvre (hle) | www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: security fixes for CVE-2019-10088 and CVE-2019-1009{3,4}
Posted by Hugo Lefeuvre <hl...@debian.org>.
Hi Tim,
> Y. You got CVE-2019-10088:
> https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6
>
> Two other commits you'll want are the following
>
> CVE-2019-10093:
> https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
>
> CVE-2019-10094:
> https://github.com/apache/tika/commit/c4e63c9be8665cccea8b680c59a6f5cfbc03e0fc
Thanks!
I was wondering... is there any reason why tika developers don't include
CVE information in commit messages? This would ease the work of security
teams significantly.
regards,
Hugo
[0] https://tika.apache.org/security.html
--
Hugo Lefeuvre (hle) | www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
Re: security fixes for CVE-2019-10088 and CVE-2019-1009{3,4}
Posted by Tim Allison <ta...@apache.org>.
Y. You got CVE-2019-10088:
https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6
Two other commits you'll want are the following
CVE-2019-10093:
https://github.com/apache/tika/commit/81c21ab0aac6b3e4102a1a8906c8c7eab6f96dae
CVE-2019-10094:
https://github.com/apache/tika/commit/c4e63c9be8665cccea8b680c59a6f5cfbc03e0fc
On Fri, Aug 9, 2019 at 10:14 AM Hugo Lefeuvre <hl...@owl.eu.com> wrote:
>
> Dear tika developers,
>
> I'd like to backport the security fixes for CVE-2019-10088, CVE-2019-10093
> and CVE-2019-10094 to older tika releases in Debian.
>
> I had a look at the changelog, the corresponding commit seems to be
> https://github.com/apache/tika/commit/426be73b9e7500fa3d441231fa4e473de34743f6
>
> Can anybody confirm? Are there other fixes I should consider applying?
>
> thanks!
>
> regards,
> Hugo Lefeuvre (Debian LTS team)
>
> --
> Hugo Lefeuvre (hle) | www.owl.eu.com
> RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
> ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C