[ https://issues.apache.org/jira/browse/TIKA-2854?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16824212#comment-16824212 ]

Andrew Pavlin commented on TIKA-2854:
-------------------------------------

Regarding your question on the ucar versions, I got those version numbers from 
the ucar.edu website. Not sure why (at the time of my bug submittal) they 
listed different version numbers for the different software modules, but even 
their examples for POM files show using common version numbers for netcdf, cdm, 
grib. I may also have been reading an incorrect page, as they now say the 
current version is consistently 4.6.13 as of today.

> upgrade out-of-date dependencies with outstanding CVEs
> ------------------------------------------------------
>
>                 Key: TIKA-2854
>                 URL: https://issues.apache.org/jira/browse/TIKA-2854
>             Project: Tika
>          Issue Type: Bug
>          Components: languageidentifier, parser
>    Affects Versions: 1.20
>            Reporter: Andrew Pavlin
>            Priority: Major
>
> Besides the libraries reported in TIKA-2801 and TIKA-2835, the following 4th 
> party dependencies are out-of-date and should be upgraded to the latest 
> versions. The first three have outstanding CVEs which would be resolved by 
> using the newer versions of those dependencies.
> jackson-databind (is 2.9.7, should be 2.9.8)
> guava (is 17.0, should be 27.0)
> sqlite-jdbc (is 3.25.2, should be 3.27.2.1)
> No current CVEs but still out-of-date:
> Apache commons-codec (is 1.11, should be 1.12)
> Apache CXF (is 3.2.7, should be 3.3.1)
> Apache httpcomponents (is 4.5.6, should be 4.5.8)
> Apache james mime4j (is 0.8.2, should be 0.8.3)
> Apache opennlp-tools (is 1.9.0, should be 1.9.1)
> parso (is 2.0.10, should be 2.0.11)
> jackson-annotations
> jackson-core
> jackcess (is 2.1.12, should be 3.0.0)
> jackcess-encrypt (is 2.1.4, should be 3.0.0)
> org.osgi.compendium (is 4.0.0, should be 5.0.0)
> org.osgi.core (is 4.0.0, should be 6.0.0)
> junrar (is 2.0.0, should be 4.0.0)
> java-libpst (is 0.8.1, should be 0.9.3)
> jna (is 5.1.0, should be 5.2.0)
> Bouncy Castle bcprov and bcmail (is 1.60, should be 1.61)
> slf4j-log4j12 (is 1.7.25, should be 1.7.26)
> UCAR cdm (is 4.5.5, should be 5.0.0)
> UCAR grib (is 4.5.5, should be 8.0.0)
> UCAR httpservices (is 4.5.5, should be 4.6.7)
> UCAR netcdf4 (incorrectly labeled as 4.5.5, should be 4.3.22)
> bndlib (is 1.50.0, should be 4.2.0)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)