Andrew Pavlin created TIKA-2854:
-----------------------------------
Summary: upgrade out-of-date dependencies with outstanding CVEs
Key: TIKA-2854
URL: https://issues.apache.org/jira/browse/TIKA-2854
Project: Tika
Issue Type: Bug
Components: languageidentifier, parser
Affects Versions: 1.20
Reporter: Andrew Pavlin
Besides the libraries reported in TIKA-2801 and TIKA-2835, the following 4th
party dependencies are out-of-date and should be upgraded to the latest
versions. The first three have outstanding CVEs which would be resolved by
using the newer versions of those dependencies.
jackson-databind (is 2.9.7, should be 2.9.8)
guava (is 17.0, should be 27.0)
sqlite-jdbc (is 3.25.2, should be 3.27.2.1)
No current CVEs but still out-of-date:
Apache commons-codec (is 1.11, should be 1.12)
Apache CXF (is 3.2.7, should be 3.3.1)
Apache httpcomponents (is 4.5.6, should be 4.5.8)
Apache james mime4j (is 0.8.2, should be 0.8.3)
Apache opennlp-tools (is 1.9.0, should be 1.9.1)
parso (is 2.0.10, should beĀ 2.0.11)
jackson-annotations
jackson-core
jackcess (is 2.1.12, should be 3.0.0)
jackcess-encrypt (is 2.1.4, should be 3.0.0)
org.osgi.compendium (is 4.0.0, should be 5.0.0)
org.osgi.core (is 4.0.0, should be 6.0.0)
junrar (is 2.0.0, should be 4.0.0)
java-libpst (is 0.8.1, should be 0.9.3)
jna (is 5.1.0, should be 5.2.0)
Bouncy Castle bcprov and bcmail (is 1.60, should be 1.61)
slf4j-log4j12 (is 1.7.25, should be 1.7.26)
UCAR cdm (is 4.5.5, should be 5.0.0)
UCAR grib (is 4.5.5, should be 8.0.0)
UCAR httpservices (is 4.5.5, should be 4.6.7)
UCAR netcdf4 (incorrectly labeled as 4.5.5, should be 4.3.22)
bndlib (is 1.50.0, should be 4.2.0)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
