[jira] [Commented] (TIKA-2878) Update dependencies for 1.22

Wed, 14 Aug 2019 08:54:10 -0700 


    [ 
https://issues.apache.org/jira/browse/TIKA-2878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16907378#comment-16907378
 ] 

Thomas Mortagne commented on TIKA-2878:
---------------------------------------

I'm not really proposing any specific rule or even suggesting that there is a 
known issue with ASM 7.2-beta. I'm just always very surprised that a beta 
version is used as dependency of something which is itself not beta and I'm 
wondering if it's like this because some issue was found in ASM 7.1 or just 
that "it's the current latest version and it seems to work OK".

> Update dependencies for 1.22
> ----------------------------
>
>                 Key: TIKA-2878
>                 URL: https://issues.apache.org/jira/browse/TIKA-2878
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>         Attachments: dependency-check-report.html, dependency_tree.txt, 
> pom.xml
>
>
> And in the category of "stuff you can't make up"...while generating the 
> javadocs for the 1.21 release:
> We're now getting this inĀ {{tika-parsers}}:
> {noformat}
>   c3p0:c3p0:jar:0.9.1.1:compile; 
> https://ossindex.sonatype.org/component/pkg:maven/c3p0/[email protected]
>     * [CVE-2019-5427]  Resource Management Errors (7.5); 
> https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
> {noformat}
> and in {{tika-server}}:
> {noformat}
>     * [CVE-2019-10247]  Information Exposure (5.3); 
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page 
> Generation ("Cross-site Scripting") (6.1); 
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
>   org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile; 
> https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/[email protected]
>     * [CVE-2019-10247]  Information Exposure (5.3); 
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
>     * [CVE-2019-10241]  Improper Neutralization of Input During Web Page 
> Generation ("Cross-site Scripting") (6.1); 
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Reply via email to