[https://issues.apache.org/jira/browse/TIKA-2878?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16844250#comment-16844250]
Tim Allison edited comment on TIKA-2878 at 5/20/19 8:49 PM:
------------------------------------------------------------
For the vorbis-parser...I'm not sure what to do...It has tika-core (1.13) as a
dependency, but we explicitly exclude it in our pom, and I don't think owasp is
taking that exclusion seriously...it feels like it is pulling in all of 1.13.
-For the sentiment-parser...similar thing, that parser is in another package
(admittedly completely vulnerable, but see: TIKA-2368)...how is it getting
pulled into tika-parsers?-
Sorry, crossed wires with SentimentParser and the {{tika-nlp}} module.
was (Author: [email protected]):
For the vorbis-parser...I'm not sure what to do...It has tika-core (1.13) as a
dependency, but we explicitly exclude it in our pom, and I don't think owasp is
taking that exclusion seriously...it feels like it is pulling in all of 1.13.
For the sentiment-parser...similar thing, that parser is in another package
(admittedly completely vulnerable, but see: TIKA-2368)...how is it getting
pulled into tika-parsers?
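The comment above turns on a Maven exclusion that the dependency scanner does not appear to honour. The fragment below is an added illustration, not the Tika project's own pom.xml: it shows the shape of such an exclusion and how to confirm it has taken effect. The artifact coordinates (org.gagravarr:vorbis-java-tika) and the version property are assumptions for the example.

```xml
<!-- Added illustration, not the Tika project's own pom.xml: excluding a
     stale transitive tika-core from a parser dependency. The coordinates
     and ${vorbis.version} are assumptions used for the example only. -->
<dependency>
  <groupId>org.gagravarr</groupId>
  <artifactId>vorbis-java-tika</artifactId>
  <version>${vorbis.version}</version>
  <exclusions>
    <!-- vorbis-java-tika declares its own (older) tika-core; drop it so the
         build's tika-core version is the only one on the classpath -->
    <exclusion>
      <groupId>org.apache.tika</groupId>
      <artifactId>tika-core</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To check what the build actually resolves, run `mvn dependency:tree -Dverbose -Dincludes=org.apache.tika:tika-core` on the module: if tika-core 1.13 still shows up under vorbis-java-tika, the exclusion is not taking effect and the scanner finding is real; if the tree contains only the current tika-core, the report is flagging an artifact that is not on the classpath, and the finding is a candidate for a reviewed suppression rather than a dependency change.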
> Update dependencies for 1.21.1 or 1.22
> --------------------------------------
>
> Key: TIKA-2878
> URL: https://issues.apache.org/jira/browse/TIKA-2878
> Project: Tika
> Issue Type: Task
> Reporter: Tim Allison
> Priority: Major
> Attachments: dependency-check-report.html, dependency_tree.txt,
> pom.xml
>
>
> And in the category of "stuff you can't make up"...while generating the
> javadocs for the 1.21 release:
> We're now getting this in {{tika-parsers}}:
> {noformat}
> c3p0:c3p0:jar:0.9.1.1:compile;
> https://ossindex.sonatype.org/component/pkg:maven/c3p0/[email protected]
> * [CVE-2019-5427] Resource Management Errors (7.5);
> https://ossindex.sonatype.org/vuln/d25f4c21-9e76-4fc2-9d73-3770aa3aec56
> {noformat}
> and in {{tika-server}}:
> {noformat}
> * [CVE-2019-10247] Information Exposure (5.3);
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
> * [CVE-2019-10241] Improper Neutralization of Input During Web Page
> Generation ("Cross-site Scripting") (6.1);
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> org.eclipse.jetty:jetty-server:jar:9.4.14.v20181114:compile;
> https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/[email protected]
> * [CVE-2019-10247] Information Exposure (5.3);
> https://ossindex.sonatype.org/vuln/47ad4d7e-b9c3-414f-9bfa-1dfaa92b0aba
> * [CVE-2019-10241] Improper Neutralization of Input During Web Page
> Generation ("Cross-site Scripting") (6.1);
> https://ossindex.sonatype.org/vuln/970aece8-4a1d-4a9e-ab97-0982b13dac4d
> {noformat}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)