[ https://issues.apache.org/jira/browse/TIKA-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16822165#comment-16822165 ]

Tim Allison commented on TIKA-2854:
-----------------------------------

Thank you, [~oracle.apavlin]. I typically run {{mvn versions:display-dependency-updates}} before a release, but this is a helpful list.

We can't upgrade libpst because of a regression... I can look it up if necessary. I don't know anything about ucar, but I can try to upgrade that and see if there are problems. I just upgraded PDFBox, and I don't think we want to upgrade POI until 4.1.1. jackcess may take a bit of refactoring to clean up some code, but I'll give that a shot.

Thank you.  Will do.  Shortly...

> upgrade out-of-date dependencies with outstanding CVEs
> ------------------------------------------------------
>
>                 Key: TIKA-2854
>                 URL: https://issues.apache.org/jira/browse/TIKA-2854
>             Project: Tika
>          Issue Type: Bug
>          Components: languageidentifier, parser
>    Affects Versions: 1.20
>            Reporter: Andrew Pavlin
>            Priority: Major
>
> Besides the libraries reported in TIKA-2801 and TIKA-2835, the following 4th 
> party dependencies are out-of-date and should be upgraded to the latest 
> versions. The first three have outstanding CVEs which would be resolved by 
> using the newer versions of those dependencies.
> jackson-databind (is 2.9.7, should be 2.9.8)
> guava (is 17.0, should be 27.0)
> sqlite-jdbc (is 3.25.2, should be 3.27.2.1)
> No current CVEs but still out-of-date:
> Apache commons-codec (is 1.11, should be 1.12)
> Apache CXF (is 3.2.7, should be 3.3.1)
> Apache httpcomponents (is 4.5.6, should be 4.5.8)
> Apache james mime4j (is 0.8.2, should be 0.8.3)
> Apache opennlp-tools (is 1.9.0, should be 1.9.1)
> parso (is 2.0.10, should be 2.0.11)
> jackson-annotations
> jackson-core
> jackcess (is 2.1.12, should be 3.0.0)
> jackcess-encrypt (is 2.1.4, should be 3.0.0)
> org.osgi.compendium (is 4.0.0, should be 5.0.0)
> org.osgi.core (is 4.0.0, should be 6.0.0)
> junrar (is 2.0.0, should be 4.0.0)
> java-libpst (is 0.8.1, should be 0.9.3)
> jna (is 5.1.0, should be 5.2.0)
> Bouncy Castle bcprov and bcmail (is 1.60, should be 1.61)
> slf4j-log4j12 (is 1.7.25, should be 1.7.26)
> UCAR cdm (is 4.5.5, should be 5.0.0)
> UCAR grib (is 4.5.5, should be 8.0.0)
> UCAR httpservices (is 4.5.5, should be 4.6.7)
> UCAR netcdf4 (incorrectly labeled as 4.5.5, should be 4.3.22)
> bndlib (is 1.50.0, should be 4.2.0)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
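The triage the maintainer describes above (run the versions plugin, then decide which updates are safe, which are major-version bumps needing refactoring, and which are pinned because of a known regression) can be scripted. The following is an added example, not Tika project code: it parses report lines constructed here to mimic the `[INFO]   groupId:artifactId ..... old -> new` format that `mvn versions:display-dependency-updates` prints, using the versions quoted in the issue, and classifies each update. The `PINNED` set, the `edu.ucar:netcdf4` line (constructed to exercise the mislabeled-version case the issue mentions) and the simplified version ordering are assumptions; Maven's own `ComparableVersion` treats some qualifiers such as `SNAPSHOT` specially, which this does not.

```python
"""Classify dependency updates from a versions-maven-plugin report.

Added example for TIKA-2854, not Tika project code. The report text is
constructed to mimic the plugin's '[INFO]   g:a ..... old -> new' lines.
"""
import re

# Constructed sample report; versions taken from the issue description.
SAMPLE_REPORT = """\
[INFO] The following dependencies in Dependencies have newer versions:
[INFO]   com.fasterxml.jackson.core:jackson-databind ........ 2.9.7 -> 2.9.8
[INFO]   com.google.guava:guava ............................ 17.0 -> 27.0-jre
[INFO]   org.xerial:sqlite-jdbc .......................... 3.25.2 -> 3.27.2.1
[INFO]   org.bouncycastle:bcprov-jdk15on ..................... 1.60 -> 1.61
[INFO]   com.pff:java-libpst ................................ 0.8.1 -> 0.9.3
[INFO]   edu.ucar:netcdf4 .................................. 4.5.5 -> 4.3.22
[INFO]
"""

# One report line: coordinate, dot leader, current version, arrow, latest version.
LINE_RE = re.compile(r"\[INFO\]\s+(\S+:\S+)\s+\.+\s+(\S+)\s+->\s+(\S+)")

# Hypothetical: coordinates held back because a newer version caused a regression
# (the thread says this about libpst).
PINNED = {"com.pff:java-libpst"}


def version_key(v):
    """Turn '3.27.2.1' or '27.0-jre' into a comparable tuple.

    Numeric components compare as integers; a non-numeric qualifier sorts
    after the bare release it follows. Simplified versus Maven's own rules.
    """
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", v))


def parse_report(text):
    """Yield (coordinate, current, latest) for every update line in the report."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def classify(text, pinned=PINNED):
    """Map coordinate -> (kind, current, latest).

    kind is 'noop'   when the 'newer' version does not actually compare higher
                     (a mislabeled artifact, as the issue notes for netcdf4),
            'pinned' when the maintainer has deliberately held the version,
            'major'  when the first version component changes (API breakage
                     and refactoring, as the thread expects for jackcess), or
            'minor'  otherwise, the usually-safe upgrades.
    """
    result = {}
    for coord, cur, new in parse_report(text):
        cur_key, new_key = version_key(cur), version_key(new)
        if new_key <= cur_key:
            kind = "noop"
        elif coord in pinned:
            kind = "pinned"
        elif new_key[0] != cur_key[0]:
            kind = "major"
        else:
            kind = "minor"
        result[coord] = (kind, cur, new)
    return result


if __name__ == "__main__":
    for coord, (kind, cur, new) in sorted(classify(SAMPLE_REPORT).items()):
        print(f"{kind:7} {coord}: {cur} -> {new}")
```

Running it prints one line per dependency; the `minor` entries are the ones to take immediately, `major` entries are scheduled with the refactoring they need, and `pinned` and `noop` entries are carried into the next release's review rather than silently upgraded.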