[ https://issues.apache.org/jira/browse/TIKA-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16823441#comment-16823441 ]

Hudson commented on TIKA-2854:
------------------------------

SUCCESS: Integrated in Jenkins build Tika-trunk #1647 (See 
[https://builds.apache.org/job/Tika-trunk/1647/])
TIKA-2824/TIKA-2854 -- clean up guava, bump h2, add jackrabbit (tallison: 
[https://github.com/apache/tika/commit/b11141f1ed617127af8ad7d0b5b51a31509a9435])
* (edit) tika-parent/pom.xml
* (edit) tika-eval/pom.xml
* (edit) tika-parsers/pom.xml
* (edit) tika-example/pom.xml


> upgrade out-of-date dependencies with outstanding CVEs
> ------------------------------------------------------
>
>                 Key: TIKA-2854
>                 URL: https://issues.apache.org/jira/browse/TIKA-2854
>             Project: Tika
>          Issue Type: Bug
>          Components: languageidentifier, parser
>    Affects Versions: 1.20
>            Reporter: Andrew Pavlin
>            Priority: Major
>
> Besides the libraries reported in TIKA-2801 and TIKA-2835, the following 4th 
> party dependencies are out-of-date and should be upgraded to the latest 
> versions. The first three have outstanding CVEs which would be resolved by 
> using the newer versions of those dependencies.
> jackson-databind (is 2.9.7, should be 2.9.8)
> guava (is 17.0, should be 27.0)
> sqlite-jdbc (is 3.25.2, should be 3.27.2.1)
> No current CVEs but still out-of-date:
> Apache commons-codec (is 1.11, should be 1.12)
> Apache CXF (is 3.2.7, should be 3.3.1)
> Apache httpcomponents (is 4.5.6, should be 4.5.8)
> Apache james mime4j (is 0.8.2, should be 0.8.3)
> Apache opennlp-tools (is 1.9.0, should be 1.9.1)
> parso (is 2.0.10, should be 2.0.11)
> jackson-annotations
> jackson-core
> jackcess (is 2.1.12, should be 3.0.0)
> jackcess-encrypt (is 2.1.4, should be 3.0.0)
> org.osgi.compendium (is 4.0.0, should be 5.0.0)
> org.osgi.core (is 4.0.0, should be 6.0.0)
> junrar (is 2.0.0, should be 4.0.0)
> java-libpst (is 0.8.1, should be 0.9.3)
> jna (is 5.1.0, should be 5.2.0)
> Bouncy Castle bcprov and bcmail (is 1.60, should be 1.61)
> slf4j-log4j12 (is 1.7.25, should be 1.7.26)
> UCAR cdm (is 4.5.5, should be 5.0.0)
> UCAR grib (is 4.5.5, should be 8.0.0)
> UCAR httpservices (is 4.5.5, should be 4.6.7)
> UCAR netcdf4 (incorrectly labeled as 4.5.5, should be 4.3.22)
> bndlib (is 1.50.0, should be 4.2.0)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
