[
https://issues.apache.org/jira/browse/TIKA-2878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905432#comment-16905432
]
Tim Allison commented on TIKA-2878:
-----------------------------------
Hi [~tmortagne], we receive quite a few reports about out-of-date and
vulnerable dependencies, and we are constantly striving to keep everything up
to date. We run {{mvn versions:display-dependency-updates}} before our
releases to make sure that everything is up to date. If we don't see any
regressions or disastrous incompatibilities, we make the upgrades.

If you'd like to help us develop a policy for updates (e.g. don't include
*-beta unless a non-beta doesn't exist, e.g. deeplearning4j) or if you'd like
to open PRs to help us keep everything up to date, please do chip in!

> Update dependencies for 1.22
> ----------------------------
>
> Key: TIKA-2878
> URL: https://issues.apache.org/jira/browse/TIKA-2878
> Project: Tika
> Issue Type: Task
> Reporter: Tim Allison
> Priority: Major
> Attachments: dependency-check-report.html, dependency_tree.txt,
> pom.xml
>
>
> And in the category of "stuff you can't make up"...while generating the
> javadocs for the 1.21 release:
> We're now getting this in {{tika-parsers}}:
> {noformat}
> c3p0:c3p0:jar:0.9.1.1:compile;
> https://ossindex.sonatype.org/component/pkg:maven/c3p0/[email protected]
> * [CVE-2019-5427] Resource Management Errors (7.5);
> https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
> {noformat}
> and in {{tika-server}}:
> {noformat}
> * [CVE-2019-10247] Information Exposure (5.3);
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
> * [CVE-2019-10241] Improper Neutralization of Input During Web Page
> Generation ("Cross-site Scripting") (6.1);
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile;
> https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/[email protected]
> * [CVE-2019-10247] Information Exposure (5.3);
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
> * [CVE-2019-10241] Improper Neutralization of Input During Web Page
> Generation ("Cross-site Scripting") (6.1);
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)