Hi Utkarsh,

I will first quote your mail in full with the Git SHAs expanded to URIs of the diffs themselves:

> The general dependency updates including some with security
> implications: https://github.com/apache/tika/commit/171f4343.diff
>
> The fixes for the security items identified in that CVE
> https://github.com/apache/tika/commit/0f4d5de0.diff
> https://github.com/apache/tika/commit/73b26ef0.diff
> https://github.com/apache/tika/commit/e9b2c386.diff
> https://github.com/apache/tika/commit/8e2eb052.diff
> https://github.com/apache/tika/commit/57193f51.diff
> https://github.com/apache/tika/commit/f9607f97.diff
> https://github.com/apache/tika/commit/f7f1be6a.diff
> https://github.com/apache/tika/commit/333d9906.diff

I would definitely agree with your sentiment that this would be too invasive to backport as a patch. However, before going for no-dsa here, did you consider upgrading the entire package to a newer version? (Is it even compatible? Is this critical enough of a package? etc.)

Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      [email protected] 🍥 chris-lamb.co.uk
       `-
