[
https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17021163#comment-17021163
]
Tim Allison commented on TIKA-2952:
-----------------------------------
Specifically, as [~tilman] found earlier (I think?), I can get the build to
work, but users will have to change the namespaces in some of the return values
in the tika-xmp module.
If we're not ok breaking the tika-xmp module, the only potential solution I see
is redistributing xmpcore with a shade/relocate _and_ a fork of
metadata-extractor that relies on this modified xmpcore.
Are there any other solutions?
[~jukkaz] ..would you be ok with this breaking change, or is there a better
option?
> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---------------------------------------------------------------
>
> Key: TIKA-2952
> URL: https://issues.apache.org/jira/browse/TIKA-2952
> Project: Tika
> Issue Type: Bug
> Reporter: Aman Mishra
> Priority: Major
> Attachments: TIKA-2952_draft.patch
>
>
> We can see that metadata-extractor with version 2.11.0 is present in
> tika-bundle 1.22 jar. We can see that even latest metadata-extractor with
> version 2.12.0 is also vulnerable.
>
> So please confirm your side that "Is this vulnerability [CVE-2019-14262] is
> impacting to tika or not ?"
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
