Posted to dev@tika.apache.org by "Stefan Bodewig (JIRA)" <ji...@apache.org> on 2012/05/23 17:08:40 UTC

[jira] [Commented] (TIKA-932) Upgrade to Commons Compress 1.4.1

    [ https://issues.apache.org/jira/browse/TIKA-932?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281650#comment-13281650 ] 

Stefan Bodewig commented on TIKA-932:
-------------------------------------

While I think Tika would benefit from upgrading anyway (POSIX tar support in 1.4) I don't think the security issue is relevant to you as it only occurs when writing bzip2 streams, not when reading them.
                
> Upgrade to Commons Compress 1.4.1
> ---------------------------------
>
>                 Key: TIKA-932
>                 URL: https://issues.apache.org/jira/browse/TIKA-932
>             Project: Tika
>          Issue Type: Improvement
>          Components: parser
>            Reporter: Jukka Zitting
>            Assignee: Jukka Zitting
>            Priority: Minor
>              Labels: security
>             Fix For: 1.2
>
>
> There's a denial of service vulnerability (CVE-2012-2098) in Commons Compress versions up to 1.4 (we currently use 1.3) that can be triggered with a specially crafted bzip2 document.
> Tika already has higher-level features (ForkParser, etc.) for dealing with problems like this, but it would in any case be good to upgrade our Commons Compress dependency to the new 1.4.1 release that fixes the vulnerability.
