[ https://issues.apache.org/jira/browse/TIKA-2952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17043639#comment-17043639 ]

Tim Allison edited comment on TIKA-2952 at 2/24/20 4:28 PM:
------------------------------------------------------------

I've pushed a shaded version of Adobe's library to Maven Central just now:
org.tallison.xmp:xmpcore-shaded:6.1.10

I've forked Drew Noakes' metadata extractor and have it rely on the
org.tallison.xmp:xmpcore-shaded:6.1.10 dependency. I've pushed that to Maven
Central as well.

Once those make it to Maven Central, I'll upgrade Tika.



was (Author: [email protected]):
I've pushed a shaded version of Adobe's library to Maven Central just now:
org.tallison.xmp:xmpcore-shaded:6.1.10

I've forked Drew Noakes' metadata extractor and have it rely on the
org.tallison.xmp:xmpcore-shaded:6.1.10 dependency. I've pushed that to Maven
Central as well.

Once those hit the mirrors, I'll upgrade Tika.


> Vulnerable "metadata-extractor 2.11.0" is present in tika 1.22.
> ---------------------------------------------------------------
>
>                 Key: TIKA-2952
>                 URL: https://issues.apache.org/jira/browse/TIKA-2952
>             Project: Tika
>          Issue Type: Bug
>            Reporter: Aman Mishra
>            Priority: Major
>         Attachments: TIKA-2952_draft.patch
>
>
> We can see that metadata-extractor version 2.11.0 is present in the
> tika-bundle 1.22 jar. We can see that even the latest metadata-extractor,
> version 2.12.0, is also vulnerable.
>
> So please confirm from your side: "Is this vulnerability [CVE-2019-14262]
> impacting Tika or not?"



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
